How to set Impersonation on a Hosted Exchange 2007 environment

Written by Thomas Speekenbrink

Overview:

This article will explain how to configure Impersonation using the Exchange Management Shell on a Hosted Exchange 2007 environment.

How to:

Exchange Server 2007 uses Access Control Lists (ACLs) to apply these permissions. You grant two rights: one that authorizes the Service Account to use Exchange Impersonation on the Client Access Server (CAS), and one that is applied to either an individual AD user account or an entire mailbox database. The second right lets you scope impersonation to individual accounts or to a whole mailbox database.

Exchange 2007 requires that you apply two rights to be able to get Exchange Impersonation working:

  • ms-Exch-EPI-Impersonation – This right is applied to the Client Access Server and grants the Service Account permission to function as an Exchange Impersonation account on that CAS
  • ms-Exch-EPI-May-Impersonate – This right is applied on either a user-by-user basis for each of the users that require impersonation to be enabled, or it can be applied on a mailbox database

Single CAS - The first step is to make sure we have the correct setting for the Client Access Server. To set the Impersonation permission on your Client Access Server:

  • Log on to the physical server
  • Launch the Exchange Management Shell
  • At the command line, type the following command (replacing CAS-Server-Name with your own CAS server name and Service-Account with the name of your own Service Account):
  • Add-ADPermission -Identity (Get-ExchangeServer -Identity CAS-Server-Name).DistinguishedName -User (Get-User -Identity "Service-Account").Identity -extendedRight ms-Exch-EPI-Impersonation
  • Example for a CAS named MailServerCAS1 and a Service Account named syncuser: Add-ADPermission -Identity (Get-ExchangeServer -Identity MailServerCAS1).DistinguishedName -User (Get-User -Identity "syncuser").Identity -extendedRight ms-Exch-EPI-Impersonation

Note: the cmdlets are typed on a single line. The examples above have been word wrapped.

All CAS - It is also possible to set the Impersonation permission on all Client Access servers in an Exchange organization with a single pipeline. The first command is the template; the second is the same command for the Service Account syncuser:

  • Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity "Service-Account" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
  • Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity "Syncuser" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Impersonation for single user accounts - The next step is to set the permission on each user for whom we want to enable Exchange Impersonation. From the command line, use the Add-ADPermission cmdlet. The first command is the template; the second grants syncuser the right to impersonate the user Gordon Welling:

  • Add-ADPermission -Identity (Get-User -Identity "Target-User").DistinguishedName -User (Get-User -Identity "Service-Account").Identity -extendedRight ms-Exch-EPI-May-Impersonate
  • Add-ADPermission -Identity (Get-User -Identity "Gordon Welling").DistinguishedName -User (Get-User -Identity "Syncuser").Identity -extendedRight ms-Exch-EPI-May-Impersonate

Impersonation for all user accounts in a mailbox database - It is also possible to set the permission on all users in a mailbox database for whom we want to enable Exchange Impersonation. Again, from the command line, use the Add-ADPermission cmdlet. This example shows how to configure Exchange Impersonation for a Service Account on all databases in an organization (template first, then the same command for syncuser):

  • Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User Service-Account -ExtendedRights ms-Exch-EPI-May-Impersonate}
  • Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User syncuser -ExtendedRights ms-Exch-EPI-May-Impersonate}

Impersonation on an Exchange server for a user - It is also possible to set the permission on all users on a server for whom we want to enable Exchange Impersonation. From the command line, use the Add-ADPermission cmdlet. This example shows how to set the impersonation permission on all Client Access servers in an Exchange organization (template first, then the same command for syncuser):

  • Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity Service-Account | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
  • Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity Syncuser | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
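The steps above, combined into one Exchange Management Shell script. This is an added example written for this article, not code from the original author: it grants the two rights to a single Service Account with the narrowest scope (one CAS, named users rather than a whole mailbox database), resolves the account once and stops if the name is ambiguous, and then uses the Get-ADPermission cmdlet to list every trustee that holds an ms-Exch-EPI-* right on the objects touched, so the result can be checked against what was intended. The names svc-ews-sync, CAS01, "Alice Example" and "Bob Example" are placeholders and must be replaced with your own values.

```powershell
# Added example (not from the original article): grant the two impersonation
# rights to one Service Account with the narrowest scope, then audit the result.
# All names below are placeholders; replace them with your own values.
$serviceAccountName = "svc-ews-sync"                      # placeholder Service Account
$casServerName      = "CAS01"                             # placeholder Client Access Server
$targetUserNames    = @("Alice Example", "Bob Example")   # placeholder mailbox users

# Resolve the Service Account once; stop if the name matches zero or several users,
# so the rights are never granted to the wrong account by accident.
$matches = @(Get-User -Identity $serviceAccountName)
if ($matches.Count -ne 1) {
    throw "Expected exactly one user matching '$serviceAccountName', found $($matches.Count)."
}
$serviceAccount = $matches[0]

# Right 1: ms-Exch-EPI-Impersonation on the CAS lets the account act as an
# Exchange Impersonation account on that server only.
$cas = Get-ExchangeServer -Identity $casServerName
Add-ADPermission -Identity $cas.DistinguishedName `
                 -User $serviceAccount.Identity `
                 -ExtendedRights ms-Exch-EPI-Impersonation

# Right 2: ms-Exch-EPI-May-Impersonate on each named user. Granting it per user
# instead of on a mailbox database limits which mailboxes can be impersonated.
foreach ($name in $targetUserNames) {
    $target = Get-User -Identity $name
    Add-ADPermission -Identity $target.DistinguishedName `
                     -User $serviceAccount.Identity `
                     -ExtendedRights ms-Exch-EPI-May-Impersonate
}

# Audit helper: every trustee holding an ms-Exch-EPI-* right on one object,
# including inherited entries (e.g. from a database-level grant) and Deny ACEs.
function Get-ImpersonationGrants {
    param([string]$DistinguishedName)
    Get-ADPermission -Identity $DistinguishedName |
        Where-Object { $_.ExtendedRights -like "ms-Exch-EPI-*" } |
        Select-Object Identity, User, ExtendedRights, IsInherited, Deny
}

# Show who can impersonate on this CAS and who may impersonate each target user.
Get-ImpersonationGrants -DistinguishedName $cas.DistinguishedName
foreach ($name in $targetUserNames) {
    Get-ImpersonationGrants -DistinguishedName (Get-User -Identity $name).DistinguishedName
}
```

Run the script from the Exchange Management Shell with an account that is allowed to modify these ACLs. The audit output is the list to compare against your change record: any trustee other than the intended Service Account holding ms-Exch-EPI-Impersonation on a CAS, or ms-Exch-EPI-May-Impersonate on a user or database, should be explained or revoked. A grant can be removed with Remove-ADPermission using the same -Identity, -User and -ExtendedRights values that were used to add it.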
