Configuring Exchange Impersonation (Exchange Web Services)

Topic Last Modified: 2008-10-14

Exchange Impersonation enables a caller to impersonate a given account so that a caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions that are associated with the caller's account. Microsoft Exchange Server 2007 provides two Active Directory directory service extended permissions that are used to determine which callers can perform Exchange Impersonation calls and which accounts can be impersonated by the caller.

Prerequisites

The following prerequisites are required to configure Exchange Impersonation:

  • Administrative credentials for the computer that is running Exchange 2007 that has the Client Access server role installed
  • Domain Administrator credentials

Required Permissions

The following two Active Directory extended permissions are required in order to perform impersonation:

  • ms-Exch-EPI-Impersonation
  • ms-Exch-EPI-May-Impersonate

In addition to using Windows PowerShell, you can set these permissions by using Active Directory Sites and Services or the Active Directory Users and Computers user interfaces.

Important

The local computer account for the Client Access server must be a member of the Windows Authorization Access Group for Exchange Impersonation to work.

ms-Exch-EPI-Impersonation

The ms-Exch-EPI-Impersonation permission gives the caller the ability to submit an impersonation call through the Client Access server. This does not mean that the caller has permission to access any particular account. Permission to impersonate on a server is set on the security descriptor of the Server object in Active Directory. The calling account cannot be a member of any administrator group. This permission is explicitly denied to those groups. 

For information about how to set this permission, see "Procedure" later in this topic.

ms-Exch-EPI-May-Impersonate

After impersonation permissions are established on a server, the caller can be granted permission to a specific account or to any account in a mailbox database. The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts.

Procedure

To configure Exchange Impersonation on a server for a user

  1. Open the Exchange Management Console.

  2. Run the Add-ADPermission cmdlet to add the impersonation permissions on the server for the identified user. The following example shows you how to set the impersonation permissions on all Client Access servers in an Exchange organization.

    Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $true} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity User1).Identity -ExtendedRights ms-Exch-EPI-Impersonation}

    Note

    This procedure grants User1 permission to impersonate all accounts on an Exchange Server named CAS-01.

To configure Exchange Impersonation for a user on a database

  1. Open the Exchange Management Console.

  2. Run the Add-ADPermission cmdlet to add the permission to impersonate all accounts in a mailbox database. The following example shows you how to configure Exchange Impersonation for a user on all databases in an organization.

    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate}

    Note

    After you run this cmdlet, the user can impersonate any user in the mailbox database unless the user's permissions are explicitly set to Deny.

To configure Exchange Impersonation for a user on an account

  1. Open Windows PowerShell.

  2. Run the Add-ADPermission Windows PowerShell command to add permission to impersonate User2. The following example shows you how to use this cmdlet.

    Add-ADPermission -Identity "User2" -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate

    Important

    This cmdlet provides access to an account that might not be a user who has a mailbox. The account may be a cross-forest contact who has permission to access another mailbox. For users who have mailboxes, you set the permission on the User object in the directory. For cross-forest contacts, you set the permission on the Contact object in the directory.
    Permissions can also be set on an account-by-account basis. Additionally, impersonation permissions that are set on a database can be overridden by setting ms-Exch-EPI-May-Impersonate permissions on an individual account. This procedure grants User1 permission to impersonate User2.
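The override described in the note above, shown as an added example that is not part of the original topic: a database-wide grant combined with an explicit Deny on one account, then a check of the resulting access control entries. The service account User1 and the protected mailbox user User3 are assumed names.

```powershell
# Added example (not from the original topic). Run in the Exchange Management Shell.
# User1 is an assumed service account; User3 is an assumed mailbox user that must
# never be impersonated.

# Grant User1 the right to impersonate every account in every mailbox database.
Get-MailboxDatabase | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate
}

# Explicitly deny impersonation of User3. The Deny entry on the User object takes
# precedence over the Allow on the mailbox database, so User1 can impersonate every
# mailbox in the database except User3.
Add-ADPermission -Identity "User3" -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate -Deny

# Verify: list only the impersonation entries on User3 and show whether each is a Deny.
Get-ADPermission -Identity "User3" |
    Where-Object { $_.ExtendedRights -match 'ms-Exch-EPI-May-Impersonate' } |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize
```

The same Deny switch on the Server object withdraws ms-Exch-EPI-Impersonation from a trustee without removing other entries on that object.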

You can also use the dsquery commands to get the security identifier (SID) or Active Directory path for a User object or a Contact object.
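Because the three procedures above scatter impersonation rights across Server, database and account objects, a periodic review of who holds them is the check a practitioner wants. The following audit script is an added example, not part of the original topic; it discovers the servers and databases itself and assumes no names.

```powershell
# Added example (not from the original topic). Run in the Exchange Management Shell.
# Lists every trustee that holds either Exchange Impersonation right on a Client Access
# server or a mailbox database, including explicit Deny entries.
function Get-ImpersonationGrants {
    # Server objects carry ms-Exch-EPI-Impersonation (permission to submit impersonation
    # calls); database objects carry ms-Exch-EPI-May-Impersonate for every mailbox they hold.
    $targets = @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true }) +
               @(Get-MailboxDatabase)

    foreach ($target in $targets) {
        Get-ADPermission -Identity $target.DistinguishedName |
            Where-Object { $_.ExtendedRights -match 'ms-Exch-EPI-' } |
            Select-Object @{n='Target';    e={ $target.Name }},
                          @{n='Trustee';   e={ $_.User }},
                          @{n='Right';     e={ $_.ExtendedRights -match 'ms-Exch-EPI-' }},
                          @{n='Deny';      e={ $_.Deny }},
                          @{n='Inherited'; e={ $_.IsInherited }}
    }
}

# Rights granted directly on a mailbox user or contact (the third procedure) do not show
# up in the server and database sweep, so check such an object by name.
function Get-AccountImpersonationGrants([string]$Identity) {
    Get-ADPermission -Identity $Identity |
        Where-Object { $_.ExtendedRights -match 'ms-Exch-EPI-May-Impersonate' } |
        Select-Object @{n='Target'; e={ $Identity }}, User, Deny, IsInherited
}

# Review every trustee that can submit impersonation calls or impersonate a whole database.
Get-ImpersonationGrants | Sort-Object Target, Trustee | Format-Table -AutoSize
```

Any Trustee that is not a known service account, or any server entry for a member of an administrator group, is worth investigating, since the text above states that administrators are explicitly denied the Server-level right.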

Next Steps

After impersonation permissions have been established on the Server object and the User object, the user who has impersonation permissions can make calls against the other user's account. For information about how to use Exchange Impersonation in an Exchange Web Services request, see Using Exchange Impersonation (Exchange Web Services).