Impersonation with ExMixedFolders
How to work with impersonation using ExMixedFolders?
If you are using password policy in which the user have to change the password on each month, you may need to use impersonation with ExMixedFolders.
With impersonation one user gets the ability to act as another user. With this you can create one user as a service user for ExMixedFolders who can access data from others. This user can be removed from the password policy.
To add the rights to the service user you can follow these steps:
The service user needs to get the right ms-Exch-EPI-Impersonation by powershell. Every user to which's data the service user wants to have access you should give ms-exch-epi-may-impersonate.
Everything you need to know about it, you can read directly on the corresponding Microsoft page about EWS API: http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.80).aspx
Exchange 2010/2013/2016/Exchange Online, Office365:
Option 1 (Exchange Admin Center):
Create a new user, which we use in ExMixedFolders in order to connect to others Mailboxes. ( e.g. EWSService )
Add that user to the group "Organization Management". Members of this group have access to other users mailboxes if they are added to the "ApplicationImpersonation" rule as we see in the next picture.
In Exchange Admin Center you find Permissions=>Administrative Roles a rule named "ApplicationImpersonation" which gives you the opportunity to impersonate users.
Go these steps in order to add this function:
1. Create a new administrative rule group.
2. Enter name and add "ApplicationImpersonation" as a rule.
3. Add our serviceuser ( EWSService ) which will have access to other users Mailboxes by ExMixedFolders.
You can do this action by "Active Directory Users and Computers" as well.
Option 2 (Exchange Management Console):
Every user on witch's data the service user wants to have access should grouped together on an scope. You can do it on the power shell by "New-ManagemantScope" command.
New-ManagementScope -name:ImpGroup1 -RecipientRestrictionFilter:"Name -eq 'testuser1' -or Name -eq 'testuser2'"
Every scope has to assigned to a ManagemetRole. You can do that with "New-ManagementAssignment".
New-ManagementRoleAssignment -Name:ImpRuleAss1 -Role:ApplicationImpersonation -User:'email@example.com' -CustomRecipientWriteScope:ImpGroup1
ExMixedFolders can create this script for you. In order to do this, you should have at minuimum one Serviceconnection with Impersonation on and one Synctask with one inserted user you want to impersonate. After ExMixedFolders has this information, you can get the script by rightclick on the Serverconnectionspane and choose "Commands to configure Impersonation". You can enter these scipt, after it's reviewed, into your Exchange Management Console.