
Configuring Exchange users with impersonation privileges

Exchange Impersonation allows a user to perform operations by using the permissions that are associated with the impersonated account instead of the permissions that are associated with the user's account.

If you are using Exchange Server, you must configure Exchange Impersonation for the Exchange domain user.

To configure an Exchange user with impersonation privileges:

  1. In Exchange, create a new domain user. For example, nexj-sync@yourcorp.local.
  2. Provide the new domain user with the required extended permissions.
    Provide the following Active Directory extended permissions for all accounts that require synchronizing:
    • ms-Exch-EPI-Impersonation
    • ms-Exch-EPI-May-Impersonate

    For example, run the following commands in the Exchange Management Shell to grant impersonation privileges to the sample nexj-sync account.

    The following command configures Exchange Impersonation on a server for the user nexj-sync:

    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity nexj-sync | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation}

    The following command configures Exchange Impersonation on all mailbox databases for the user nexj-sync:

    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.Distinguishedname -User nexj-sync -ExtendedRights ms-Exch-EPI-May-Impersonate}

Impersonation is now configured for the Exchange user.
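
To confirm the grants and to see every principal that holds the two impersonation rights, a read-only check such as the following can be run in the Exchange Management Shell. This is an added example, not part of the original procedure or of Microsoft's documentation; it assumes the sample nexj-sync account, and the variable names are illustrative.

```powershell
# Added example: audit the two impersonation extended rights after the grant.
# Assumptions: run in the Exchange Management Shell; 'nexj-sync' is the page's
# sample account; $expected, $rights, $targets and $report are illustrative names.
$expected = 'nexj-sync'
$rights   = 'ms-Exch-EPI-Impersonation', 'ms-Exch-EPI-May-Impersonate'

# The objects the procedure grants rights on: Client Access servers and
# mailbox databases, identified by distinguished name.
$targets  = @(Get-ExchangeServer |
                Where-Object { $_.IsClientAccessServer -eq $true } |
                ForEach-Object { $_.DistinguishedName })
$targets += @(Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName })

# Collect every ACE on those objects that carries one of the two rights.
$report = foreach ($dn in $targets) {
    Get-ADPermission -Identity $dn | ForEach-Object {
        $ace = $_
        foreach ($r in $rights) {
            if ($ace.ExtendedRights -like $r) {
                New-Object PSObject -Property @{
                    Object    = $dn
                    User      = "$($ace.User)"
                    Right     = $r
                    Deny      = $ace.Deny
                    Inherited = $ace.IsInherited
                    # True when the ACE belongs to the sync account (DOMAIN\nexj-sync)
                    Expected  = ("$($ace.User)" -like "*\$expected")
                }
            }
        }
    }
}

# Full picture: who holds which right, on which object.
$report | Sort-Object Object, Right |
    Format-Table Object, User, Right, Deny, Inherited, Expected -AutoSize

# Allow entries held by any principal other than the sync account.
$unexpected = @($report | Where-Object { -not $_.Expected -and -not $_.Deny })
"Allow entries for other principals: $($unexpected.Count)"
$unexpected | Format-Table Object, User, Right, Inherited -AutoSize

# Targets where the sync account has no allow entry (grant missing or failed).
$granted = @($report | Where-Object { $_.Expected -and -not $_.Deny } |
               ForEach-Object { $_.Object })
$targets | Where-Object { $granted -notcontains $_ } |
    ForEach-Object { "No impersonation right for $expected on: $_" }
```

The script only reads permissions with Get-ADPermission and changes nothing; rerun it after adding servers or mailbox databases, since the grants in this procedure apply only to the objects that existed when the commands were run.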

Info

For more information, see the topic "Configuring Exchange Impersonation (Exchange Web Services)" on the MSDN web site at: https://msdn.microsoft.com/en-us/library/bb204095%28v=exchg.140%29.aspx