Microsoft Exchange Impersonation configuration depends heavily on how your Exchange server is set up. The steps below create the most basic impersonation setup. If you require a more customized configuration, consult your Exchange administrator.

General Principles

Parameters

The following six parameters are required when using the Exchange ESA:

How to Check Connection to LDAP

Use ldapsearch from the OpenLDAP project to check the connection from  to LDAP. The examples below show connections over plain LDAP (port 389) and LDAPS (port 636) with the bind-user formats that  can use: a plain user name, a UPN (user@domain) and a full distinguished name. LDAPTLS_REQCERT=allow tells ldapsearch to proceed even when the server certificate cannot be verified; this is acceptable for a connectivity check, but certificate verification should remain enabled in the production configuration.

user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldap://xwin.home.local:389" \
    -D "Administrator" -w xxx -b "dc=home,dc=local" -s sub \
    "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldap://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldap://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldap://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldaps://xwin.home.local:636" \
    -D "Administrator" -w xxx -b "dc=home,dc=local" -s sub \
    "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldaps://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldaps://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldaps://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldaps://xwin.home.local:636" \
    -D "Administrator@home.local" -w xxx -b "dc=home,dc=local" -s sub \
    "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldaps://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldaps://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldaps://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldap://xwin.home.local:389" \
    -D "CN=Administrator,CN=Users,DC=home,DC=local" -w xxx -b \
    "dc=home,dc=local" -s sub "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldap://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldap://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldap://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
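The same check can be run from a Windows host. The following is an added example, not part of the original page, that uses the .NET System.DirectoryServices.Protocols client to bind with each of the four port and user-name combinations exercised above and to run the same mail lookup. The server name, base DN, credential and mail address are the placeholders from the ldapsearch runs; the function name Test-LdapLookup is an assumption.

```powershell
# Added example, not from the original page: repeat the ldapsearch checks above from Windows
# with the .NET LDAP client. Server, base DN, credentials and mail address are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapLookup {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,                                  # 389 = ldap://, 636 = ldaps://
        [Parameter(Mandatory)][string]$BindUser,           # plain name, UPN or full DN
        [Parameter(Mandatory)][string]$BindPassword,
        [Parameter(Mandatory)][string]$BaseDn,
        [Parameter(Mandatory)][string]$Mail,
        [switch]$SkipCertificateCheck                      # same effect as LDAPTLS_REQCERT=allow
    )
    $ldapId = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred   = New-Object System.Net.NetworkCredential($BindUser, $BindPassword)
    $conn   = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapId, $cred)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, like -D/-w
    $conn.SessionOptions.ProtocolVersion = 3
    # Return the search references instead of chasing them, as the ldapsearch output above shows
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    if ($Port -eq 636) {
        $conn.SessionOptions.SecureSocketLayer = $true
        if ($SkipCertificateCheck) {
            # Accept any server certificate: connectivity test only, not a production setting
            $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $true }
        }
    }
    try {
        $conn.Bind()
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList @(
            $BaseDn, "(mail=$Mail)", [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('mail'))
        $response = $conn.SendRequest($request)
        $dns = @($response.Entries | ForEach-Object { $_.DistinguishedName })
        [pscustomobject]@{
            Port       = $Port
            BindUser   = $BindUser
            Result     = $response.ResultCode.ToString()   # 'Success' corresponds to 'result: 0 Success'
            Entries    = $dns.Count                        # expect exactly 1 for a unique mail address
            References = $response.References.Count        # the '# search reference' lines above
            Dn         = ($dns -join '; ')
        }
    }
    catch {
        [pscustomobject]@{ Port = $Port; BindUser = $BindUser; Result = $_.Exception.Message
                           Entries = 0; References = 0; Dn = '' }
    }
    finally {
        $conn.Dispose()
    }
}

# The four combinations exercised by the ldapsearch runs above (placeholder values)
$cases = @(
    @{ Port = 389; BindUser = 'Administrator' },
    @{ Port = 636; BindUser = 'Administrator' },
    @{ Port = 636; BindUser = 'Administrator@home.local' },
    @{ Port = 389; BindUser = 'CN=Administrator,CN=Users,DC=home,DC=local' }
)
foreach ($case in $cases) {
    Test-LdapLookup -Server 'xwin.home.local' -Port $case.Port -BindUser $case.BindUser `
        -BindPassword 'xxx' -BaseDn 'dc=home,dc=local' -Mail 'Administrator@home.local' `
        -SkipCertificateCheck
}
```

A successful run shows Result 'Success', Entries 1 and References 3 for each combination, matching the ldapsearch output. A bind failure surfaces as the LDAP error message in the Result column rather than as an exception, so the loop still reports the remaining combinations.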

Scripts

Run the following scripts in PowerShell:

ms-Exch-EPI-Impersonation - Granting Impersonation Rights to the Administrator

The ms-Exch-EPI-Impersonation permission gives the administrator the ability to submit an impersonation call. 

C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command
"Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} |
ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User
(Get-User -Identity Administrator | select-object).identity
-extendedRight ms-Exch-EPI-Impersonation}" 
Identity  User               Deny  Inherited Rights
--------  ----               ----  --------- ------
MYADM     HOME\Administrator False False     ms-Exch-EPI-Impersonation

ms-Exch-EPI-May-Impersonate - Granting Permission to Impersonate a Specific User or Account

After impersonation permissions are established on a server, the administrator can be granted permission to impersonate a specific account or any account in a mailbox database.

The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts.

The following script allows the administrator to impersonate any account found in the mailbox database at the time of the script run: 

C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command
"Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity
$_.DistinguishedName -User Administrator -ExtendedRights
ms-Exch-EPI-May-Impersonate}" 
Identity        User               Deny  Inherited Rights
--------        ----               ----  --------- ------
MYADM\First ... HOME\Administrator False False     ms-Exch-EPI-May-Impersonate 

This script grants the same permission for a specific user: 

C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command
"Add-ADPermission -Identity 'John Doe' -User Administrator
-extendedRight ms-Exch-EPI-May-Impersonate" 
Identity      User               Deny  Inherited Rights
--------      ----               ----  --------- ------
foe.local/... HOME\Administrator False False     ms-Exch-EPI-May-Impersonate 

Run these or similar scripts whenever a new account that needs to be synchronized is created. The script can also be added to the Task Scheduler to run periodically, for example as often as  synchronization runs.
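Because the grants above accumulate over time, it is worth listing who currently holds them. The following is an added example, not from the original page, that enumerates the non-inherited ms-Exch-EPI-* permissions on the objects the scripts above modify so the set of impersonation principals can be reviewed. Run it in the Exchange Management Shell; 'John Doe' is the page's sample user and the function name Get-ImpersonationGrants is an assumption.

```powershell
# Added example, not from the original page: list the non-inherited ms-Exch-EPI-* grants that the
# scripts above create, so the impersonation principals can be reviewed. Run it in the Exchange
# Management Shell; 'John Doe' is the page's sample user, the function name is an assumption.
function Get-ImpersonationGrants {
    param(
        [string[]]$UserIdentity = @()   # users that were granted ms-Exch-EPI-May-Impersonate directly
    )
    # The objects the scripts above modify: Client Access servers, mailbox databases, named users
    $targets = @()
    $targets += Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true }
    $targets += Get-MailboxDatabase
    foreach ($u in $UserIdentity) { $targets += Get-User -Identity $u }

    foreach ($target in $targets) {
        Get-ADPermission -Identity $target.DistinguishedName |
            Where-Object {
                -not $_.IsInherited -and
                (($_.ExtendedRights -join ',') -like '*ms-Exch-EPI-*')
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Target = $target.Name
                    User   = $_.User
                    Deny   = $_.Deny
                    Rights = ($_.ExtendedRights -join ',')
                }
            }
    }
}

# Usage: every row is a principal able to impersonate on that target. A grant that is no longer
# needed is removed with Remove-ADPermission using the same -Identity, -User and -ExtendedRights values.
Get-ImpersonationGrants -UserIdentity 'John Doe' | Format-Table -AutoSize
```

Inherited entries are filtered out so the table shows only the explicit grants the scripts above create, which keeps it short enough to compare against the list of accounts that are supposed to impersonate.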

Define and Restrict Impersonation Users in the Organization

Your company may not wish to sync all users in the organization through the impersonation user. In that case, the impersonation user must not hold a ManagementRoleAssignment without any filter.

  1. To prevent this, use the Get-ManagementRoleAssignment and, if necessary, Remove-ManagementRoleAssignment cmdlets to restrict the role assignments of the user with impersonation.
  2. Next, create a custom filter for the selected users. See the Exchange documentation for the filter syntax.
    1. For example, to create a custom filter for all users apart from "QQQ", use New-ManagementScope -Name allExceptQQQ -RecipientRestrictionFilter {Name -ne "QQQ"}.
  3. Introduce the ManagementRoleAssignment using the defined custom restriction.
    1. Using the example above, this could be New-ManagementRoleAssignment -Name impersonationAssignmentName -Role ApplicationImpersonation -User serviceAccount -CustomRecipientWriteScope allExceptQQQ.
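The three steps above, as one added example that is not part of the original page, followed by a verification that the account no longer holds an organization-wide ApplicationImpersonation assignment. Run it in the Exchange Management Shell; serviceAccount, allExceptQQQ, impersonationAssignmentName and QQQ are the page's placeholder names, and the function name Set-ScopedImpersonation is an assumption.

```powershell
# Added example, not from the original page: steps 1 to 3 above as one function, followed by a
# verification that the account no longer holds an organization-wide ApplicationImpersonation
# assignment. Run in the Exchange Management Shell; serviceAccount, allExceptQQQ,
# impersonationAssignmentName and QQQ are the page's placeholder names, the function name is ours.
function Set-ScopedImpersonation {
    param(
        [string]$ServiceAccount = 'serviceAccount',
        [string]$ScopeName      = 'allExceptQQQ',
        [string]$AssignmentName = 'impersonationAssignmentName',
        [string]$ExcludedName   = 'QQQ'
    )
    # Step 1: remove any assignment whose recipient write scope is the whole organization
    Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
        Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
        Remove-ManagementRoleAssignment -Confirm:$false

    # Step 2: a recipient filter matching every recipient except the excluded one (created once)
    if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "Name -ne '$ExcludedName'" | Out-Null
    }

    # Step 3: assign ApplicationImpersonation limited to that scope (skipped if it already exists)
    if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
            -User $ServiceAccount -CustomRecipientWriteScope $ScopeName | Out-Null
    }

    # Verification: every assignment left for the account should carry the custom scope,
    # and none should show 'Organization' as its recipient write scope
    Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
        Select-Object Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
}

# Usage, followed by a preview of which recipients the filter actually covers
Set-ScopedImpersonation | Format-Table -AutoSize
Get-Recipient -RecipientPreviewFilter "Name -ne 'QQQ'" | Measure-Object
```

The preview count at the end should be one less than the total number of recipients; if it is not, the filter expression does not match the recipient name as stored, and the scope would either exclude nobody or exclude more accounts than intended.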

At this point, the  Exchange ESA is configured to impersonate all users in the organization apart from the user named QQQ. Depending on the SKIP_NON_IMPERSONIZED_USERS configuration variable, the user "QQQ" is either retrieved without contacts and events or skipped entirely at sync time.

Related articles