Microsoft Exchange Impersonation configuration greatly depends on how your Exchange server is set up. The steps below will enable you to create the most basic impersonation setup. If you require a more customized configuration, please consult your Exchange administrator.
The following six parameters are required when using the Exchange ESA:
Use ldapsearch from the OpenLDAP project to check the connection from to LDAP. The example below shows a connection to LDAP with different ports and user formats. can use all of these formats.
Run the following scripts in PowerShell:
The ms-Exch-EPI-Impersonation permission gives the administrator the ability to submit an impersonation call.
    C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity Administrator | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}"

    Identity   User                Deny   Inherited   Rights
    --------   ----                ----   ---------   ------
    MYADM      HOME\Administrator  False  False       ms-Exch-EPI-Impersonation
After impersonation permissions are established on a server, the administrator can be granted permission to impersonate a specific account or any account in a mailbox database.
The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts.
The following script allows the administrator to impersonate any account found in the mailbox database at the time of the script run:
    C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User Administrator -ExtendedRights ms-Exch-EPI-May-Impersonate}"

    Identity        User                Deny   Inherited   Rights
    --------        ----                ----   ---------   ------
    MYADM\First ... HOME\Administrator  False  False       ms-Exch-EPI-May-Impersonate
This script grants the same permission for a specific user:
    C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "Add-ADPermission -Identity 'John Doe' -User Administrator -extendedRight ms-Exch-EPI-May-Impersonate"

    Identity        User                Deny   Inherited   Rights
    --------        ----                ----   ---------   ------
    foe.local/...   HOME\Administrator  False  False       ms-Exch-EPI-May-Impersonate
You need to run these (or similar) scripts for each new account that is created and needs to be synchronized. The script can be added to the scheduler to run periodically, for example as often as synchronization runs.
Your company may not wish to sync all users of the organization to the impersonation user. In these cases, the impersonation user must not hold a ManagementRoleAssignment without any filter. Use the Get-ManagementRoleAssignment and Remove-ManagementRoleAssignment commands, if necessary, to restrict the role assignment of the user with impersonation, then create a filtered scope and assign the role within that scope:

    New-ManagementScope -Name "allExceptQQQ" -RecipientRestrictionFilter {Name -ne "QQQ"}

    New-ManagementRoleAssignment -Name "impersonationAssignmentName" -Role ApplicationImpersonation -User serviceAccount -CustomRecipientWriteScope "allExceptQQQ"

At this point, the Exchange ESA will be configured to impersonate all users in the organization apart from the user with name QQQ. Depending on the SKIP_NON_IMPERSONIZED_USERS configuration variable, the user "QQQ" will either be retrieved (without contacts and events) or just skipped at sync time.
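As an added check that is not part of this page or the product's own tooling, the following script lists every ApplicationImpersonation role assignment and flags those that carry no custom recipient write scope, i.e. the unfiltered assignment the text says the impersonation user must not have. It assumes it is run inside the Exchange Management Shell (exshell.psc1 loaded) by an account allowed to read role assignments.

```powershell
# Audit ApplicationImpersonation assignments (added example, not from the original page).
# Assumes the Exchange Management Shell is loaded so the Get-Management* cmdlets resolve.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation

foreach ($a in $assignments) {
    $scopeName = [string]$a.CustomRecipientWriteScope

    if ($scopeName) {
        # A custom scope exists: show the recipient filter it enforces (e.g. Name -ne "QQQ").
        $filter  = (Get-ManagementScope -Identity $scopeName).RecipientFilter
        $verdict = "scoped to '$scopeName' [$filter]"
    } else {
        # No custom write scope: the assignee can impersonate every mailbox in the organization.
        $verdict = "UNSCOPED - review; assignee can impersonate all recipients"
    }

    [pscustomobject]@{
        Assignment = $a.Name
        Assignee   = $a.RoleAssigneeName
        Type       = $a.RoleAssigneeType
        Scope      = $verdict
    }
}
```

Any row marked UNSCOPED for the sync service account should be replaced with the filtered assignment shown above (Remove-ManagementRoleAssignment, then New-ManagementRoleAssignment with -CustomRecipientWriteScope).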