Microsoft Exchange management scope role
The account specified during the installation of the GFI OneConnect components must be assigned a Microsoft Exchange management scope role that has access to all mailboxes (impersonation rights).
This management scope role is utilized by SyncManager to access the list of Microsoft Exchange mailbox names and synchronize them with the data center. It is also used by RecoveryManager to restore emails that were sent or received during an email outage (a situation in which the email server is down or offline) back into their Exchange mailboxes.
Microsoft Exchange 2016
To manually assign impersonation rights to the GFI OneConnect user account, run the following cmdlet in the Microsoft Exchange 2016 Management Shell.
New-ManagementRoleAssignment -name:<role_name> -Role:ApplicationImpersonation -User:<impersonator>
Replace the following entries with these values:
- Replace <role_name> with a friendly name for the role being assigned, for example: impersonate_role
- Replace <impersonator> with the username of the user that will run the GFI OneConnect services.
For example:
New-ManagementRoleAssignment -name:impersonate_role -Role:ApplicationImpersonation -User:OneConnectUser
Microsoft Exchange 2013 & 2010
To manually assign impersonation rights to the GFI OneConnect user account, you must first create a new management scope which groups all recipients that have a mailbox, and then create a new management role that allows a particular user to have impersonation rights on that management scope.
Run the following two cmdlets in the Microsoft Exchange Management Shell.
Step 1: Creating a new management scope
Run the following cmdlet to create a new management scope which groups all recipients that have a mailbox:
New-ManagementScope -name <scope_name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
Replace <scope_name> with the name to give the scope that covers all user mailboxes.
For example:
New-ManagementScope -name user_mailboxes -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
NOTE
If a management scope that covers all Microsoft Exchange mailboxes already exists, you cannot create another similar scope that covers all mailboxes. In this case, either skip the above step and use the existing scope, or remove the current scope before creating a new one. Use the Get-ManagementScope cmdlet to retrieve the list of management scopes and the Remove-ManagementScope cmdlet to remove an existing scope.
Step 2: Create a new management role
Run the following cmdlet to create a new management role which allows the GFI OneConnect user to have impersonation rights on the previously created management scope:
New-ManagementRoleAssignment -name <role_name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope_name>
Replace the following entries with these values:
- Replace <role_name> with a friendly name for the role being assigned, for example: impersonate_role
- Replace <impersonator> with the email address of the GFI OneConnect user.
- Replace <scope_name> with the name of the scope specified in step 1 above, for example: user_mailboxes
For example:
New-ManagementRoleAssignment -name impersonate_role -role:ApplicationImpersonation -user oneconnectuser@example.com -CustomRecipientWriteScope user_mailboxes
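The following audit script is an added example and is not part of the GFI OneConnect documentation. After completing either procedure above, it lists every enabled ApplicationImpersonation assignment in the organization, shows the scope each one applies to, and flags any assignee other than the OneConnect service account, so impersonation rights can be confirmed to sit on that single account only; the account name and scope name are placeholders.

```powershell
# Added audit example (not GFI's code). Run in the Exchange Management Shell.
# Placeholders: replace with the account used in the steps above and the scope
# created in Step 1 (the scope check applies to Exchange 2010/2013 only).
$ExpectedAssignee = 'OneConnectUser'   # placeholder: GFI OneConnect service account
$ExpectedScope    = 'user_mailboxes'   # placeholder: scope name from Step 1

# Every enabled assignment of the ApplicationImpersonation role, whoever holds it.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -Enabled $true

$report = foreach ($a in $assignments) {
    # No custom write scope means the assignee can impersonate every mailbox
    # in the organization (this is what the Exchange 2016 cmdlet above grants).
    $customScope = if ($a.CustomRecipientWriteScope) {
        $a.CustomRecipientWriteScope.Name
    } else {
        '<none: organization-wide>'
    }

    # Anything other than the expected service account needs a review.
    $status = if ($a.RoleAssigneeName -eq $ExpectedAssignee) { 'expected' } else { 'REVIEW' }

    [pscustomobject]@{
        Assignment   = $a.Name
        Assignee     = $a.RoleAssigneeName
        AssigneeType = $a.RoleAssigneeType
        WriteScope   = $a.RecipientWriteScope
        CustomScope  = $customScope
        Status       = $status
    }
}

$report | Format-Table -AutoSize

# Confirm the custom scope (if used) still restricts to mailbox recipients only.
$scope = Get-ManagementScope -Identity $ExpectedScope -ErrorAction SilentlyContinue
if ($scope) {
    "Scope '$ExpectedScope' recipient filter: $($scope.RecipientFilter)"
}

# Summary: the expected account should appear exactly once.
$expectedCount = @($report | Where-Object { $_.Status -eq 'expected' }).Count
"Assignments held by '$ExpectedAssignee': $expectedCount"
```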
Exchange 2007
To manually assign impersonation rights to the GFI OneConnect user account, run the following two cmdlets in the Microsoft Exchange 2007 Management Shell.
Add-ADPermission -identity "Mailbox Store" -User "<OneConnect_User>" -AccessRights GenericAll
Replace <OneConnect_User> with the domain and username of the user that will run the GFI OneConnect services.
For example:
Add-ADPermission -Identity "Mailbox Database" -User "example.com\oneconnectuser" -AccessRights GenericAll
Next, run the following cmdlet:
foreach ($exchangeServer in Get-ExchangeServer){if ($exchangeServer.ServerRole -match 'ClientAccess'){Add-ADPermission -Identity $exchangeServer.DistinguishedName -User '<OneConnect_User>' -ExtendedRights ms-Exch-EPI-Impersonation}}
Replace <OneConnect_User> with the domain and username of the user that will run the GFI OneConnect services.
For example:
foreach ($exchangeServer in Get-ExchangeServer){if ($exchangeServer.ServerRole -match 'ClientAccess'){Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'example.com\oneconnectuser' -ExtendedRights ms-Exch-EPI-Impersonation}}