Microsoft Exchange management scope role

All Files

Getting Started > Account permissions > Exchange management scope role

Microsoft Exchange management scope role

The account specified during the installation of the GFI OneConnect components, must be assigned a Microsoft Exchange management scope role that has access to all mailboxes (impersonation rights).

This management scope role is utilized by SyncManager to access the list of Microsoft Exchange mailbox names and synchronize them with the data center. It is also used by RecoveryManager to restore emails that were sent or received during an email outageRefers to a situation when the email server is down or offline., back into their Exchange mailboxes.

Microsoft Exchange 2016

To manually assign impersonation rights to the GFI OneConnect user account, run the following cmdlet in the Microsoft Exchange 2016 Management Shell.

New-ManagementRoleAssignment -name:<role_name> -Role:ApplicationImpersonation -User:<impersonator>

Replace the following entries with these values:

Replace <role_name> with a friendly name to the role being assigned, for example: impersonate_role
Replace <impersonator> with the username of the user which will run the GFI OneConnect services.

For example:

New-ManagementRoleAssignment –name:impersonate_role –Role:ApplicationImpersonation –User:OneConnectUser

Microsoft Exchange 2013 & 2010

To manually assign impersonation rights to the GFI OneConnect user account, you must first create a new management scope which groups all recipients that have a mailbox, and then create a new management role that allows a particular user to have impersonation rights on that management scope.

Run the following two cmdlets in the Microsoft Exchange Management Shell.

Step 1: Creating a new management scope

Run the following cmdlet to create a new management scope which groups all recipients that have a mailbox:

New-ManagementScope -name <scope_name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

Replace <scope_name> with the name of the scope given for all user mailboxes.

For example:

New-ManagementScope -name user_mailboxes -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

NOTE

If a management scope that covers all Microsoft Exchange mailboxes already exists, then you cannot create another similar scope that covers all mailboxes. In this case, either skip the above step and use the existing scope, or else remove the current scope before creating a new one. Use the Get-ManagementScope command to retrieve the list of management scopes and use Remove-ManagementScope command to remove an existing scope.

Step 2: Create a new management role

Run the following cmdlet to create a new management role which allows the GFI OneConnect user to have impersonation rights on the previously created management scope:

New-ManagementRoleAssignment -name <role_name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope_name>

Replace the following entries with these values:

Replace <role_name> with a friendly name to the role being assigned, for example: impersonate_role
Replace <impersonator> with the email address of the GFI OneConnect user.
Replace <scope_name> with the name of the scope specified in step 1 above, for example user_mailboxes

For example:

New-ManagementRoleAssignment -name impersonate_role -role:ApplicationImpersonation -user oneconnectuser@example.com -CustomRecipientWriteScope user_mailboxes

Exchange 2007

To manually assign impersonation rights to the GFI OneConnect user account, run the following two cmdlets in the Microsoft Exchange 2007 Management Shell.

Add-ADPermission -identity "MailboxA directory or folder on the mail server used for receipt, filing, and storing emails. Store" -User "<OneConnect_User>" -AccessRights GenericAll

Replace <OneConnect_User> with the domain and username of the user which will run the GFI OneConnect services.

For example:

Add-ADPermission –Identity "Mailbox Database" -User "example.com\oneconnectuser" –AccessRights GenericAll

Next, run the following cmdlet:

foreach ($exchangeServer in Get-ExchangeServer){if ($exchangeServer.ServerRole -match 'ClientAccess'){Add-ADPermission -Identity $exchangeServer.DistinguishedName -User '<OneConnect_User>' -ExtendedRights ms-Exch-EPI-Impersonation}}

Replace <OneConnect_User> with the domain and username of the user which will run the GFI OneConnect services.

For example:

Example: foreach ($exchangeServer in Get-ExchangeServer){if ($exchangeServer.ServerRole -match 'ClientAccess'){Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'example.com\oneconnectuser' -ExtendedRights ms-Exch-EPI-Impersonation}}

Try now, for free›