Exchange 2007 Experts - Impersonate user help please

  • Question

  • Hello,

    We use Exchange 2007 (2 x CAS & 2 x MBX servers)

    We have 2 issues:

    1.)

    We are trying to get our hosted CRM system called ForceManager to impersonate some users. What is strange is that I create a new user and then run these commands and Exchange accepts them:

    Add-ADPermission -Identity "forcetest" -User "forcemgnsync" -ExtendedRights ms-Exch-EPI-May-Impersonate

    WARNING: Appropriate ACE is already present on object
    "CN=forcetest,OU=Test,OU=Spain,DC=contoso,DC=local" for account
    "CONTOSO\forcemgnsync".

    Identity             User                 Deny  Inherited Rights
    --------             ----                 ----  --------- ------
    CONTOSO.LOCAL/Spain... CONTOSO\forcemgnsync    False False     ms-Exch-EPI-May-Im...


    Get-Mailbox -Identity forcetest | Get-ADPermission -User forcemgnsync | fl


    User                : CONTOSO\forcemgnsync
    Identity            : CONTOSO.LOCAL/Spain/Test/forcetest
    Deny                : False
    AccessRights        : {ExtendedRight}
    ExtendedRights      : {ms-Exch-EPI-May-Impersonate}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

    User                : CONTOSO\forcemgnsync
    Identity            : CONTOSO.LOCAL/Spain/Test/forcetest
    Deny                : False
    AccessRights        : {ExtendedRight}
    ExtendedRights      : {ms-Exch-EPI-Impersonation}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

    But ForceManager says the account still doesn't have rights to impersonate. Any ideas?

    2.)

    If I try the same commands on an existing user (have tried many) it can't even find them:

    Add-ADPermission -Identity "bill" -User "forcemgnsync" -ExtendedRights ms-Exch-EPI-May-Impersonate

    Add-ADPermission : bill was not found. Please make sure you have typed it correctly.
    At line:1 char:17
    + Add-ADPermission <<<<  -Identity "bill" -User "forcemgnsync" -ExtendedRights
     ms-Exch-EPI-May-Impersonate
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-ADPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : D5B1825B,Microsoft.Exchange.Management.Recipient
       Tasks.AddADPermission

    Hope you guys can help, I'm really struggling as I'm not really an Exchange guy.

    Regards


    • Edited by TB303 Friday, June 13, 2014 12:06 PM
    Thursday, June 12, 2014 11:01 AM

Answers

  • Why not start with "get-mailbox bill"? If that works, just pipe the result into the Add-ADPermission cmdlet (leaving off the -Identity parameter).

    --- Rich Matheisen MCSE&I, Exchange MVP

    Thursday, June 12, 2014 3:08 PM

All replies

  • Let me try this.

    Regarding question 1, does it look like I'm doing the right thing when allowing a user to impersonate another?


    Friday, June 13, 2014 11:48 AM
  • Same issue, trying with another user via the CAS servers:

    get-mailbox anovo

    Name             Alias            ServerName       ProhibitSendQuo
                                                                    ta
    ----             -----            ----------       ---------------
    Alejandro Novo   anovo            ccf-exch-vmbx    unlimited

    Add-ADPermission anovo -User "forcemgnsync" -ExtendedRights ms-Exch-EPI-May-Impersonate
    Add-ADPermission : anovo was not found. Please make sure you have typed it corr
    ectly.
    At line:1 char:17
    + Add-ADPermission <<<<  anovo -User "forcemgnsync" -ExtendedRights ms-Exch-EPI
    -May-Impersonate
        + CategoryInfo          : NotSpecified: (0:Int32) [Add-ADPermission], Mana
       gementObjectNotFoundException
        + FullyQualifiedErrorId : D5B1825B,Microsoft.Exchange.Management.Recipient
       Tasks.AddADPermission

    Friday, June 13, 2014 11:55 AM
  • Ah, full name works, I was using alias.

    Still confused with the impersonation side of things though.

    Friday, June 13, 2014 12:07 PM
  • I guess I'd have to ask in return why you'd want to do that.

    Is there a problem with just giving the other person "Full Mailbox Access" and "Send As" permission?


    --- Rich Matheisen MCSE&I, Exchange MVP

    Friday, June 13, 2014 6:35 PM
  • The suggested "Get-Mailbox anovo | Add-ADPermission . . ." would have avoided that "not found" problem.

    --- Rich Matheisen MCSE&I, Exchange MVP

    Friday, June 13, 2014 6:37 PM
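
Added example, not part of the thread or of ForceManager's documentation: Exchange 2007 checks two extended rights for EWS impersonation, ms-Exch-EPI-Impersonation on the Client Access server object and ms-Exch-EPI-May-Impersonate on the account being impersonated. The sketch below grants and verifies both for the account and mailboxes named in the thread, resolving each mailbox through Get-Mailbox first so the "not found" error cannot occur; the helper name Test-Ace is hypothetical.

```powershell
# Added example for the Exchange 2007 Management Shell (not code from the thread).
$svc       = 'forcemgnsync'          # service account named in the thread
$mailboxes = 'forcetest', 'anovo'    # mailboxes it may impersonate (from the thread)

function Test-Ace($dn, $right) {
    # True when a non-Deny ACE carrying $right exists for $svc on object $dn.
    $aces = @(Get-ADPermission -Identity $dn -User $svc |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) })
    return ($aces.Count -gt 0)
}

# 1. Right to submit impersonation calls: set on each Client Access server object.
$casServers = @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer })
foreach ($cas in $casServers) {
    if (-not (Test-Ace $cas.DistinguishedName 'ms-Exch-EPI-Impersonation')) {
        Add-ADPermission -Identity $cas.DistinguishedName -User $svc `
            -ExtendedRights ms-Exch-EPI-Impersonation | Out-Null
    }
}

# 2. Right to impersonate a given account: set per mailbox rather than per
#    mailbox database, so the service account reaches only the listed users.
$targets = @()
foreach ($name in $mailboxes) {
    $mbx = Get-Mailbox -Identity $name -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "No mailbox resolves for '$name'"; continue }
    $targets += $mbx.DistinguishedName   # the DN is unambiguous for Add-ADPermission
    if (-not (Test-Ace $mbx.DistinguishedName 'ms-Exch-EPI-May-Impersonate')) {
        Add-ADPermission -Identity $mbx.DistinguishedName -User $svc `
            -ExtendedRights ms-Exch-EPI-May-Impersonate | Out-Null
    }
}

# 3. Re-read the ACLs and report what is actually in place.
foreach ($cas in $casServers) {
    "{0,-28} {1,-60} {2}" -f 'ms-Exch-EPI-Impersonation', $cas.DistinguishedName,
        (Test-Ace $cas.DistinguishedName 'ms-Exch-EPI-Impersonation')
}
foreach ($dn in $targets) {
    "{0,-28} {1,-60} {2}" -f 'ms-Exch-EPI-May-Impersonate', $dn,
        (Test-Ace $dn 'ms-Exch-EPI-May-Impersonate')
}
```

A Deny ACE for either right overrides these grants, so a `False` in the report after the script has run is a reason to list the object's full ACL with `Get-ADPermission` and look at the `Deny` and `IsInherited` columns.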