Written by Thomas Speekenbrink
This article describes the steps required to grant a user impersonation rights on an on-premises Exchange 2007 server.
The following are required to configure Exchange Impersonation:
- Administrative credentials for the server that is running Exchange 2007
- The server must have the Client Access server role installed
- Domain Administrator credentials
The following two Active Directory extended permissions are required in order to perform impersonation:
- ms-Exch-EPI-Impersonation, set on the Client Access server object
- ms-Exch-EPI-May-Impersonate, set on the mailbox database, User, or Contact object
In addition to using Windows PowerShell, you can set these permissions by using Active Directory Sites and Services or the Active Directory Users and Computers user interfaces.
Note: The local computer account for the Client Access server must be a member of the Windows Authorization Access Group for Exchange Impersonation to work.
Configure Exchange Impersonation for a user on a database
- Open the Exchange Management Shell.
- Run the Add-ADPermission cmdlet to add the permission to impersonate all accounts in a mailbox database. The following example shows you how to configure Exchange Impersonation for a user on all databases in an organization:
- Get-ExchangeServer | Add-ADPermission -User DOMAIN\USERNAME -ExtendedRights ms-Exch-EPI-Impersonation -InheritanceType None
- Get-MailboxDatabase | Add-ADPermission -User DOMAIN\USERNAME -ExtendedRights ms-Exch-EPI-May-Impersonate -InheritanceType None
- Restart the Microsoft Exchange Information Store service to apply the new permissions immediately.
Note: After you run this cmdlet, the user can impersonate any user in the mailbox database unless the user's permissions are explicitly set to Deny.
Configure Exchange Impersonation for a user on an account
- Open Windows PowerShell.
- Run the Add-ADPermission Windows PowerShell command to add permission to impersonate User2. The following example shows you how to use this cmdlet:
- Add-ADPermission -Identity "User2" -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate
Note: This cmdlet provides access to an account that might not be a user who has a mailbox. The account may be a cross-forest contact who has permission to access another mailbox. For users who have mailboxes, you set the permission on the User object in the directory. For cross-forest contacts, you set the permission on the Contact object in the directory.
Permissions can also be set on an account-by-account basis. Additionally, impersonate permissions that are set on a database can be overridden by setting ms-Exch-EPI-May-Impersonate permissions on an individual account. This procedure grants User1 permission to impersonate User2.
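The two procedures above (database-wide and per-account) combined into one script, as an added example that is not part of the original article: it grants the rights organization-wide, shields one mailbox with an explicit Deny as the note describes, audits which accounts hold either extended right and where, and revokes the grant when the account is retired. DOMAIN\svc-ews, ExecMailbox and the Get-ImpersonationGrants function are assumed names; everything else uses the Exchange Management Shell cmdlets the article already relies on.

```powershell
# Added example, not part of the original article. Run from the Exchange 2007
# Management Shell. 'DOMAIN\svc-ews' (service account) and 'ExecMailbox'
# (a mailbox to shield) are placeholders for your own values.
$Account = 'DOMAIN\svc-ews'

# --- 1. Organization-wide grant (the database procedure above) ---
Get-ExchangeServer | Add-ADPermission -User $Account `
    -ExtendedRights ms-Exch-EPI-Impersonation -InheritanceType None
Get-MailboxDatabase | Add-ADPermission -User $Account `
    -ExtendedRights ms-Exch-EPI-May-Impersonate -InheritanceType None

# --- 2. Per-account override (the account procedure above) ---
# An explicit Deny on the User object wins over the Allow set on the
# database, so a single mailbox can be excluded from an org-wide grant.
Add-ADPermission -Identity 'ExecMailbox' -User $Account `
    -ExtendedRights ms-Exch-EPI-May-Impersonate -Deny

# --- 3. Audit: list every explicit impersonation ACE in the organization ---
# Impersonation lets one account act as any mailbox it is allowed to touch,
# so this shows who holds it, on which object, and whether it is Allow or Deny.
function Get-ImpersonationGrants {
    $objects = @(Get-ExchangeServer) + @(Get-MailboxDatabase) +
               @(Get-Mailbox -ResultSize Unlimited)
    foreach ($obj in $objects) {
        Get-ADPermission -Identity $obj.DistinguishedName |
            Where-Object {
                -not $_.IsInherited -and
                @($_.ExtendedRights | Where-Object { "$_" -like 'ms-Exch-EPI-*' }).Count -gt 0
            } |
            Select-Object @{ n = 'Object'; e = { $obj.Name } },
                          User,
                          @{ n = 'Right'; e = { @($_.ExtendedRights | ForEach-Object { "$_" }) -join ',' } },
                          Deny
    }
}
Get-ImpersonationGrants | Format-Table -AutoSize

# --- 4. Revoke the org-wide grant when the service account is retired ---
# (The Deny ACE from step 2 is a separate entry; remove it with -Deny if needed.)
Get-MailboxDatabase | Remove-ADPermission -User $Account `
    -ExtendedRights ms-Exch-EPI-May-Impersonate -InheritanceType None -Confirm:$false
Get-ExchangeServer | Remove-ADPermission -User $Account `
    -ExtendedRights ms-Exch-EPI-Impersonation -InheritanceType None -Confirm:$false
```

Run step 3 on its own periodically: any User row that is not a known service account, or any server or database row you did not expect, is worth following up, since a database-level ms-Exch-EPI-May-Impersonate grant applies to every mailbox in that database unless a Deny overrides it.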
You can also use the dsquery commands to get the security identifier (SID) or Active Directory path for a User object or a Contact object.