Configuring Exchange Impersonation in Exchange 2010
Last modified: October 21, 2009
Applies to: Exchange Server 2007 | Exchange Server 2010
Exchange Impersonation enables a caller to impersonate a given user account. This enables the caller to perform operations by using the permissions that are associated with the impersonated account, instead of the permissions that are associated with the caller's account.
Microsoft Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization. For more information about this cmdlet, see New-ManagementRoleAssignment on Microsoft TechNet.
When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:
Name – The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet. For more information, see Get-ManagementRoleAssignment on TechNet.
Role – The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.
User – The impersonating identity.
CustomRecipientScope – The scope of users that the impersonating user can impersonate. The impersonating user will only be allowed to impersonate other users within a specified scope. If no scope is specified, the user is granted the ApplicationImpersonation role over all users in an organization. You can create custom management scopes using the New-ManagementScope cmdlet. For more information about this cmdlet, see New-ManagementScope on Microsoft TechNet.
The following prerequisites are required to configure Exchange Impersonation:
Administrative credentials for the computer that is running Exchange 2010 that has the Client Access server role installed.
Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
Remote PowerShell installed on the computer from which you will run the commands.
To configure Exchange Impersonation for all users in an organization
Open the Exchange Management Shell.
Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount
To configure Exchange Impersonation for specific users or groups of users
Open the Exchange Management Shell.
Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.
New-ManagementScope –Name:scopeName –RecipientRestrictionFilter:recipientFilter
Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.
New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount –CustomRecipientWriteScope:scopeName
The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."
Name –eq 'john'
After impersonation permissions have been established, the user who has impersonation permissions can make calls against the other user's account. For information about how to use Exchange Impersonation in an Exchange Web Services request, see Using Exchange Impersonation in Exchange 2010.