Impersonation rights for Exchange Server

Note: The EdbMails application sets impersonation rights automatically. If the automatic configuration is not successful, a message is displayed asking you to set the rights manually.

Note:
1. If the login with the administrator user fails, try to impersonate any other user.
2. Make sure the impersonated user account has impersonation permissions on each associated mailbox (user). That is, the impersonated user should have impersonation permissions on all associated mailboxes.

 

Execute the commands below in the Exchange Management Shell (Run as Administrator).

Step 1:

a. If you get the error shown below in the Exchange Management Shell, you need to enter the FQDN.

[Screenshot: fqdn-request]

b. Follow the below steps to get the FQDN

On the Windows Taskbar, click Start > Programs > Administrative Tools > Active Directory Domains and Trusts.

In the left pane of the Active Directory Domains and Trusts dialog box, look under Active Directory Domains and Trusts. The FQDN for the computer or computers is listed.

[Screenshot: fqdn-number]

c. Connection to the Exchange Server is established

[Screenshot: fqdn-success]

Step 2:

Command: Copy and paste it into the Exchange Management Shell (EMS)

Set-ExecutionPolicy Unrestricted

Result:
[Screenshot: live-admin-account]

Step 3:

Command: Copy and paste it into the EMS

Enable-OrganizationCustomization

Ignore the result if the error is "This operation is not required. Organization is already enabled for customization."

Result:
[Screenshot: live-enable-organization]

Step 4:

Command: Copy and paste it into the EMS, replacing the user with your own account

New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User administrator@domain.com

Result:
[Screenshot: live-management-roles]
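
The Step 4 command grants ApplicationImpersonation over every mailbox in the organization. The following is an added example, not part of the EdbMails procedure, showing how to audit existing holders of the role and create a scoped assignment instead. The account name, scope name, assignment name and the CustomAttribute1 tag are assumptions chosen for illustration.

```powershell
# Added example (not EdbMails code). Run in the Exchange Management Shell.
# Assumed placeholders: the account, the scope and assignment names, and the
# convention of tagging in-scope mailboxes with CustomAttribute1 = 'Migrate'.
$account    = 'svc-migration@domain.com'
$scopeName  = 'MigrationMailboxes'
$assignment = 'Impersonation-MigrationMailboxes'
$filter     = "CustomAttribute1 -eq 'Migrate'"

# 1. Audit: list every account that can already impersonate, and over which scope.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Preview which mailboxes the filter matches before granting anything.
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress

# 3. Create the management scope once (skipped if it already exists).
if (-not (Get-ManagementScope | Where-Object { $_.Name -eq $scopeName })) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
}

# 4. Grant impersonation limited to that scope rather than the whole organization.
$existing = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Where-Object { $_.Name -eq $assignment }
if (-not $existing) {
    New-ManagementRoleAssignment -Name $assignment `
        -Role 'ApplicationImpersonation' `
        -User $account `
        -CustomRecipientWriteScope $scopeName
}

# 5. Confirm the new assignment reports the custom scope, not 'Organization'.
Get-ManagementRoleAssignment -Identity $assignment |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

# 6. Call this when the work is finished so the right does not linger.
function Remove-ImpersonationGrant {
    Remove-ManagementRoleAssignment -Identity $assignment -Confirm:$false
    Remove-ManagementScope -Identity $scopeName -Confirm:$false
}
```

Any assignment in the step 1 output whose RecipientWriteScope is Organization can act as every mailbox, so review those entries before adding another.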



Configure Exchange Impersonation for a user on a server

Open the Shell (PowerShell/Exchange Management Shell). Run the Add-ADPermission cmdlet to add the impersonation permissions on the server for the identified user.

For example, to grant User1 permission to impersonate all accounts on an Exchange Server named CAS-01, use the following command (as written, it applies the permission to every server for which IsClientAccessServer is true):

Command: Copy and paste it into the EMS

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Configure Exchange Impersonation for a user on a specific user account

Open the Shell. Run the Add-ADPermission cmdlet to add permission to impersonate an identified user.

For example, to grant User1 permission to impersonate User2, use the following command:

Command: Copy and paste it into the EMS

Add-ADPermission -Identity "User2" -User User1 -extendedRight ms-Exch-EPI-May-Impersonate