About MS Exchange Impersonation Permission

I recently shared my excitement about the EWSEditor tool, and today I want to continue that topic and talk more about Exchange impersonation. This is a special AD-level permission that allows a user to come in via EWS and access somebody else's mailbox, much like Full Mailbox Access (Receive-As) via MAPI. It is exactly what you need during a migration.

The following two Active Directory extended permissions are required in order to perform impersonation:
• ms-Exch-EPI-Impersonation
The ms-Exch-EPI-Impersonation permission gives the caller the ability to submit an impersonation call through the Client Access server. This does not mean that the caller has permission to access any particular account. Permission to impersonate on a server is set on the security descriptor of the Server object in Active Directory. The calling account cannot be a member of any administrator group. This permission is explicitly denied to those groups.
• ms-Exch-EPI-May-Impersonate
After impersonation permissions are established on a server, the caller can be granted permission to a specific account or to any account in a mailbox database. The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts.
IMPORTANT: The local computer account for the Client Access server must be a member of the Windows Authorization Access Group for Exchange Impersonation to work.
There are two separate procedures for enabling Application Impersonation rights: one grants the ms-Exch-EPI-Impersonation extended permission and the other grants ms-Exch-EPI-May-Impersonate. After impersonation permissions have been established on the Server object and the User object, the user who has impersonation permissions can make calls against the other user's account.

To grant Impersonation rights in Microsoft Exchange 2007

I. Configure Exchange Impersonation on a CAS server(s) for Admin Migration user AdminMig.

1. Open the Exchange Management Console.
2. Run the Add-ADPermission cmdlet to add the impersonation permissions on the server for the identified user. The following example shows you how to set the impersonation permissions on all Client Access servers in an Exchange organization.
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity AdminMig | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

This procedure grants user AdminMig permission to impersonate accounts on all Exchange 2007 CAS Servers.
II. Configure Exchange Impersonation for the Admin Migration account AdminMig on all mailboxes to be migrated.

1. Open the Exchange Management Console.
2. Run the Add-ADPermission cmdlet to add the permission to impersonate all accounts in a mailbox database. The following example shows you how to configure Exchange Impersonation for a user on all databases in an organization.
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User AdminMig -ExtendedRights ms-Exch-EPI-May-Impersonate}

Or run the Add-ADPermission Windows PowerShell cmdlet to add the permission to impersonate a single account, UserToMigrate. The following example shows you how to use this cmdlet.

Add-ADPermission -Identity "UserToMigrate" -User AdminMig -ExtendedRights ms-Exch-EPI-May-Impersonate

Here are some cmdlet examples of how to validate that the permissions were granted properly (substitute account names where applicable):

1. To validate the ms-Exch-EPI-Impersonation right on the CAS server(s):

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Get-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity AdminMig | select-object).identity} | fl

2. To validate ms-Exch-EPI-May-Impersonate:

a) If access was granted to the individual mailboxes

get-mailbox -Identity testemail1 | get-adpermission -user AdminMig | fl

b) If access was granted to the entire database. Here you can also see that the ms-Exch-EPI-Impersonation right was inherited from the server down to the MDB level, but the right you need to look for is ms-Exch-EPI-May-Impersonate.

Get-MailboxDatabase | ForEach-Object {get-ADPermission -Identity $_.DistinguishedName -User AdminMig} | fl
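The three validation commands above leave you reading through `fl` output by eye. As an added example (not code from the original post), the script below turns them into one pass/fail report for the 2007 procedure. It assumes an Exchange 2007 Management Shell session; AdminMig is the migration account used throughout this post.

```powershell
# Added example, not from the original post. Reports whether AdminMig holds
# the two extended rights on every CAS server, every mailbox database, and
# any individual mailbox where the right was set explicitly.
$account = 'AdminMig'

# $true when $principal has an Allow ACE carrying the named extended right on $dn
function Test-ExtendedRight($dn, $principal, $rightName) {
    $aces = Get-ADPermission -Identity $dn -User $principal |
        Where-Object { -not $_.Deny -and
            ($_.ExtendedRights | Where-Object { "$_" -eq $rightName }) }
    return [bool]$aces
}

# 1. ms-Exch-EPI-Impersonation must be present on every Client Access server
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true } | ForEach-Object {
    $has = Test-ExtendedRight $_.DistinguishedName $account 'ms-Exch-EPI-Impersonation'
    "{0,-30} ms-Exch-EPI-Impersonation   : {1}" -f $_.Name, $(if ($has) { 'OK' } else { 'MISSING' })
}

# 2. ms-Exch-EPI-May-Impersonate at database level (covers every mailbox in the DB)
Get-MailboxDatabase | ForEach-Object {
    $has = Test-ExtendedRight $_.DistinguishedName $account 'ms-Exch-EPI-May-Impersonate'
    "{0,-30} ms-Exch-EPI-May-Impersonate : {1}" -f $_.Name, $(if ($has) { 'OK' } else { 'not at DB level' })
}

# 3. The same right granted per mailbox: list only mailboxes where it is set explicitly.
#    Mailbox objects are not AD children of the database, so a DB-level grant
#    does not show up here; this catches grants made with the single-account command.
Get-Mailbox -ResultSize Unlimited | Where-Object {
    Test-ExtendedRight $_.DistinguishedName $account 'ms-Exch-EPI-May-Impersonate'
} | Select-Object Name, Database
```

Run it again after the migration to confirm the rights have been removed; a migration account that keeps ms-Exch-EPI-May-Impersonate on every database is a standing path into every mailbox.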

To grant Impersonation rights in Microsoft Exchange 2010

Microsoft Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization with the following parameters:

• Name – The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet. For more information, see Get-ManagementRoleAssignment on TechNet.
• Role – The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.
• User – The impersonating identity.
• CustomRecipientWriteScope – The scope of users that the impersonating user can impersonate. The impersonating user will only be allowed to impersonate other users within the specified scope. If no scope is specified, the user is granted the ApplicationImpersonation role over all users in the organization. You can create custom management scopes using the New-ManagementScope cmdlet.

To configure Exchange Impersonation for all users in an organization:

1. Open the Exchange Management Shell.
2. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

To configure Exchange Impersonation for specific users or groups of users:

1. Open the Exchange Management Shell.
2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
3. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use properties of the recipient object to build the filter. The following example is a filter that restricts the scope to the single user whose name is "john":

Name -eq 'john'
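Because an assignment without a custom scope covers every mailbox in the organization, it is worth knowing who holds ApplicationImpersonation and what each assignment can actually reach. The script below is an added example (not from the original post) that audits this on Exchange 2010; it assumes an Exchange 2010 Management Shell session and previews each scope's filter so you can check that "john" really is the only match.

```powershell
# Added example, not from the original post. Lists every enabled
# ApplicationImpersonation assignment and the recipients it can reach.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -Enabled $true

foreach ($a in $assignments) {
    $who = "{0} ({1})" -f $a.RoleAssigneeName, $a.RoleAssigneeType
    $scope = $a.CustomRecipientWriteScope

    if ($scope) {
        # Preview exactly which recipients the scope's filter matches, the same
        # filter that was supplied as RecipientRestrictionFilter when it was created.
        $filter  = (Get-ManagementScope -Identity $scope).RecipientFilter
        $targets = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
        "{0}: {1} may impersonate {2} recipient(s) in scope '{3}' [{4}]" -f `
            $a.Name, $who, $targets.Count, $scope, $filter
        $targets | ForEach-Object { "    " + $_.PrimarySmtpAddress }
    } else {
        # No custom scope: the assignment reaches every mailbox in the organization.
        "{0}: {1} may impersonate EVERY recipient (RecipientWriteScope = {2})" -f `
            $a.Name, $who, $a.RecipientWriteScope
    }
}
```

When the assignee is a security group, add -GetEffectiveUsers to Get-ManagementRoleAssignment to expand it to the individual accounts that inherit the role.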