How to set Exchange 2010 On Premise Impersonation Access

Written by Thomas Speekenbrink

Overview:

This article describes how to set impersonation rights on an on-premises Exchange 2010 installation.

How to:

Prerequisites

The following prerequisites are required to configure Exchange Impersonation:

  • Administrative credentials for the computer that is running Exchange 2010 that has the Client Access server role installed.
  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
  • Remote PowerShell installed on the computer from which you will run the commands.

Procedure

To configure Exchange Impersonation for all users in an organization

  • Open the Exchange Management Shell.
  • Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.
  • ( New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount )

To configure Exchange Impersonation for specific users or groups of users

  • Open the Exchange Management Shell.
  • Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.
  • ( New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter )
  • Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.
  • ( New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName )

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john".

( Name -eq 'john' )
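
The scoped procedure above as one script, added here as an example and not taken from the original article or from Microsoft's documentation: it previews the filter, creates the scope and the assignment, then lists every ApplicationImpersonation assignment and marks the organization-wide ones. The account, scope and assignment names and the Department filter are constructed placeholders.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# All names and the filter below are constructed placeholders (assumptions).
$serviceAccount = 'svc-ews'                              # hypothetical service account
$scopeName      = 'EWS-Impersonation-Finance'            # hypothetical scope name
$assignmentName = 'EWS-Impersonation-Finance-Assignment' # hypothetical assignment name
$filter         = "Department -eq 'Finance'"             # constructed example filter

# 1. Preview which recipients the filter matches before it becomes a scope.
#    A filter that matches more than intended widens what the account can open.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
'Filter matches {0} recipient(s)' -f $preview.Count
$preview | Select-Object Name, RecipientType, PrimarySmtpAddress

# 2. Create the scope only if one with this name does not exist yet.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
}

# 3. Grant impersonation limited to the members of the scope.
New-ManagementRoleAssignment -Name $assignmentName `
    -Role ApplicationImpersonation `
    -User $serviceAccount `
    -CustomRecipientWriteScope $scopeName

# 4. Review every ApplicationImpersonation assignment in the organization.
#    OrgWide = True means the assignee can impersonate all users.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope,
        @{ Name = 'OrgWide'; Expression = { "$($_.RecipientWriteScope)" -eq 'Organization' } } |
    Sort-Object OrgWide -Descending |
    Format-Table -AutoSize
```

Re-run step 4 periodically: an assignment created with the organization-wide form of the command shows up with OrgWide set to True.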

Source : http://msdn.microsoft.com/en-us/library/bb204095.aspx