Summary
To run and get proper access to calendar information on the Exchange Server, RealTime Service has to run under an account that has rights to impersonate other users.
Configuring Impersonation rights in Exchange Server 2007
a) Configure Exchange Impersonation for a user on a server
Open the Shell (PowerShell/Exchange Management Shell). Run the Add-ADPermission cmdlet to add the impersonation permissions on the server for the identified user.
For example, to grant User1 permission to impersonate all accounts on an Exchange Server named CAS-01, use the following command:
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
b) Configure Exchange Impersonation for a user to impersonate a specific user
Open the Shell. Run the Add-ADPermission Windows PowerShell command to add permission to impersonate an identified user.
For example, to grant User1 permission to impersonate User2, use the following command:
Add-ADPermission -Identity "User2" -User User1 -extendedRight ms-Exch-EPI-May-Impersonate
Configuring Impersonation rights in Exchange Server 2010
a) Configure Exchange Impersonation for all users in an organization
Open the Shell. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user.
For example, to configure Exchange Impersonation to enable a service account named “Administrator” to impersonate all other users in an organization, use the following command:
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:Administrator
b) Configure Exchange Impersonation for specific users or groups of users
Open the Shell. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned.
For example, to create the AOC Databases scope and set a database restriction filter that matches only the databases that begin with the string "SEA", use the following command:
New-ManagementScope -Name "AOC Databases" -DatabaseRestrictionFilter {Name -Like "SEA*" }
Remark: If an existing scope is available, you can skip this step. More details about management scope can be found here.
After that, run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope.
For example, the following command configures Exchange Impersonation to enable a service account named “Administrator” to impersonate all users in the AOC Databases scope:
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:Administrator -CustomRecipientWriteScope:"AOC Databases"
Configuring Impersonation rights in Exchange Server 2013 and Exchange Online
Open the Shell by selecting: Start ⇒ All Programs ⇒ Microsoft Exchange Server 2013 ⇒ Exchange Management Shell.
To configure impersonation for all users in an organization
Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
To configure impersonation for specific users or groups of users
- Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."
Name -eq "john"
- Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
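To check the result of the Exchange 2010/2013 commands above, the following added example (not part of the original article) classifies ApplicationImpersonation assignments as organization-wide, scoped, or disabled. Find-BroadImpersonation is a hypothetical helper name, the sample objects are constructed, and the property names are those returned by Get-ManagementRoleAssignment; PowerShell 3.0 or later is assumed.

```powershell
# Added example: review who holds ApplicationImpersonation and how widely.
# Find-BroadImpersonation is a hypothetical helper, not an Exchange cmdlet.
function Find-BroadImpersonation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Assignment
    )
    process {
        # Ignore assignments for any other management role.
        if ("$($Assignment.Role)" -ne 'ApplicationImpersonation') { return }

        # No custom recipient write scope means the assignee can
        # impersonate every mailbox in the organization.
        $scope = "$($Assignment.CustomRecipientWriteScope)".Trim()
        if (-not $Assignment.Enabled) {
            $finding = 'Disabled'
        } elseif ($scope -eq '') {
            $finding = 'OrganizationWide'
        } else {
            $finding = 'Scoped'
        }

        [pscustomobject]@{
            Assignment = $Assignment.Name
            Assignee   = $Assignment.RoleAssigneeName
            Scope      = $(if ($scope) { $scope } else { '(none)' })
            Finding    = $finding
        }
    }
}

# Constructed sample data shaped like Get-ManagementRoleAssignment output.
$sample = @(
    [pscustomobject]@{ Name = 'impersonationAssignmentName'; Role = 'ApplicationImpersonation'
                       RoleAssigneeName = 'serviceAccount'; CustomRecipientWriteScope = $null; Enabled = $true }
    [pscustomobject]@{ Name = 'scopedAssignment'; Role = 'ApplicationImpersonation'
                       RoleAssigneeName = 'serviceAccount'; CustomRecipientWriteScope = 'scopeName'; Enabled = $true }
    [pscustomobject]@{ Name = 'oldAssignment'; Role = 'ApplicationImpersonation'
                       RoleAssigneeName = 'Administrator'; CustomRecipientWriteScope = $null; Enabled = $false }
    [pscustomobject]@{ Name = 'unrelated'; Role = 'Mail Recipients'
                       RoleAssigneeName = 'helpdesk'; CustomRecipientWriteScope = $null; Enabled = $true }
)
$sample | Find-BroadImpersonation | Format-Table -AutoSize

# In the Exchange Management Shell, feed it live data instead:
# Get-ManagementRoleAssignment -Role ApplicationImpersonation | Find-BroadImpersonation
```

Against the sample data the three impersonation assignments are reported as OrganizationWide, Scoped and Disabled, and the unrelated role is skipped.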
Properties
Reference: TFS #2262
Knowledge base ID: 0021
Last updated: Feb 23, 2016
Rolf Szimnau