Configure impersonation

Learn how to grant the impersonation role to a service account by using the Exchange Management Shell.

Impersonation enables a caller, such as a service application, to impersonate a user account. The caller performs operations with the permissions of the impersonated account rather than the permissions of its own account. In practice this means the service account gets full access to every mailbox it is allowed to impersonate, so the set of impersonable users should be kept as small as the application needs.

Exchange Online, Exchange Online as part of Office 365, and Exchange 2013 and later use role-based access control (RBAC) to assign permissions to accounts. Your Exchange administrator must grant the ApplicationImpersonation role to any service account that will impersonate other users, by using the New-ManagementRoleAssignment cmdlet.

Configuring the ApplicationImpersonation role

When you or your Exchange administrator assigns the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:

  • Name – The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC role assignment list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.

  • Role – The RBAC role to assign. When you set up impersonation, you assign the ApplicationImpersonation role.

  • User – The service account.

  • CustomRecipientWriteScope – The scope of users that the service account can impersonate. The service account is allowed to impersonate only users within the specified scope. If no scope is specified, the service account is granted the ApplicationImpersonation role over all users in the organization, so specify a scope unless organization-wide impersonation is genuinely required. You can create custom management scopes by using the New-ManagementScope cmdlet.

Before you can configure impersonation, you need:

  • Administrative credentials for the Exchange server.

  • Domain Administrator credentials, or other credentials with permission to create and assign roles and scopes.

  • The Exchange management tools, installed on the computer from which you will run the commands.

To configure impersonation for all users in an organization

  1. Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

  2. Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example configures impersonation so that a service account can impersonate all other users in the organization.

    New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
    

To configure impersonation for specific users or groups of users

  1. Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

  2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If a suitable scope already exists, you can skip this step. The following example shows how to create a management scope for a specific group of recipients.

     New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

    The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. The filter is written against recipient properties (for example Name, Alias, Department, or RecipientType). The following example is a filter that restricts the scope to a single user with the user name "john".

    Name -eq "john"

  3. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.

     New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
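The following script, added here as an example rather than taken from the original page, puts the parameter list and both procedures above together: it creates a scope limited to one department (only if it does not already exist), previews which recipients the filter matches before anything is granted, assigns ApplicationImpersonation against that scope, and then audits every impersonation assignment in the organization, warning about any that is unscoped. The account name, scope name, assignment name and the "Sales" department filter are placeholders you would replace with your own values.

```powershell
# Added example (not part of the original page). Run in the Exchange Management Shell
# with an account that can create management scopes and role assignments.
# All names below are assumed placeholders.
$serviceAccount = 'svc-ews-sync'           # assumed service account that will impersonate
$scopeName      = 'SalesMailboxScope'      # assumed scope name
$assignmentName = 'EwsSync-Impersonation'  # assumed role assignment name
$filter         = "Department -eq 'Sales' -and RecipientType -eq 'UserMailbox'"

# Preview the recipients the filter matches BEFORE granting anything. Every account
# listed here becomes fully accessible to the service account once the role is assigned.
Write-Host "Recipients that will be impersonable:"
Get-Recipient -Filter $filter | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

# Step 2: create the scope only if it does not already exist.
$scope = Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue
if (-not $scope) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
} else {
    Write-Host "Scope '$scopeName' already exists; reusing it."
}

# Step 3: assign ApplicationImpersonation to the service account, limited to the scope.
New-ManagementRoleAssignment -Name $assignmentName `
    -Role ApplicationImpersonation `
    -User $serviceAccount `
    -CustomRecipientWriteScope $scopeName

# Verify the assignment and audit every impersonation grant in the organization.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# An assignment whose RecipientWriteScope is 'Organization' was created without a
# custom scope and lets its assignee impersonate every mailbox. Flag those for review.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    ForEach-Object {
        Write-Warning "Unscoped impersonation assignment '$($_.Name)' for $($_.RoleAssigneeName)"
    }
```

The preview with Get-Recipient uses the same OPATH filter that New-ManagementScope will store, so what it prints is exactly the set of mailboxes the service account will be able to read and write. The final audit is worth running periodically even if you never create an unscoped assignment yourself, because an assignment made by someone else with no scope silently grants organization-wide mailbox access.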

After your administrator grants impersonation permissions, you can use the service account to make calls against other users' accounts. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.

See also