Exchange Impersonation allows a user to perform operations by using the permissions that are associated with the impersonated account instead of the permissions that are associated with the user's account.
If you are using Exchange Server, you must configure Exchange Impersonation for the Exchange domain user.
To configure an Exchange user with impersonation privileges:
- In Exchange, create a new domain user. For example, nexj-sync@yourcorp.local.
- Provide the new domain user with the required extended permissions.
Provide the following Active Directory extended permissions for all accounts that require synchronizing:
- ms-Exch-EPI-Impersonation
- ms-Exch-EPI-May-Impersonate
For example, run the following commands in the Exchange Management Shell to grant impersonation privileges to the sample nexj-sync account.
The following command configures Exchange Impersonation on a server for the user nexj-sync:
POWERSHELL
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity nexj-sync | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation}
The following command configures Exchange Impersonation on all mailbox databases for the user nexj-sync:
POWERSHELL
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.Distinguishedname -User nexj-sync -ExtendedRights ms-Exch-EPI-May-Impersonate}
Impersonation is now configured for the Exchange user.
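To confirm the grants and to check that no other account holds them, the following added example (not part of the original procedure) lists every access control entry that carries either impersonation right on the same objects the commands above modify. It assumes that the account appears in the User column in DOMAIN\name form; the variable names are illustrative.

```powershell
# Added example: audit who holds the impersonation extended rights.
# Run in the Exchange Management Shell with permission to read AD permissions.
$rights   = 'ms-Exch-EPI-Impersonation', 'ms-Exch-EPI-May-Impersonate'
$expected = 'nexj-sync'   # sample account name used on this page

# Same objects the grant commands target: Client Access servers and mailbox databases.
$targets  = @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true })
$targets += @(Get-MailboxDatabase)

$report = foreach ($target in $targets) {
    foreach ($ace in (Get-ADPermission -Identity $target.DistinguishedName)) {
        foreach ($right in $ace.ExtendedRights) {
            if ($rights -contains [string]$right) {
                $user = [string]$ace.User
                New-Object PSObject -Property @{
                    Target    = $target.Name
                    User      = $user
                    Right     = [string]$right
                    Deny      = $ace.Deny
                    Inherited = $ace.IsInherited
                    # Assumption: User is rendered as DOMAIN\name
                    Expected  = ($user -like "*\$expected")
                }
            }
        }
    }
}

# Full picture: every entry, allow and deny, for both rights.
$report | Sort-Object Target, Right, User |
    Format-Table Target, Right, User, Deny, Inherited, Expected -AutoSize

# Allow entries held by any account other than the sync account need review.
$report | Where-Object { -not $_.Expected -and -not $_.Deny } |
    Format-Table Target, Right, User, Inherited -AutoSize
```

An empty second table means that only the sync account has been allowed to impersonate on these servers and databases.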