cross-forest impersonation

I found this information for doing impersonation in a cross-forest organization

http://blogs.technet.com/b/exchange/archive/2008/04/18/3405388.aspx

http://social.technet.microsoft.com/Forums/en/exchange2010/thread/483ba24e-a6e1-4b1e-82be-ffa0aec6fd66

http://blog.powershell.no/2010/04/23/exchange-server-2010-cross-forest-migration/

http://blogs.msdn.com/b/exchangedev/archive/2009/06/15/exchange-impersonation-vs-delegate-access.aspx


Impersonation in a mixed Exchange 2007 environment (management scope for the RBAC assignment):

New-ManagementScope -Name "XCH2k7DOM2SCOPE" -RecipientRoot "DOM2.Domain.red/MY" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}




1. To allow a user to impersonate on a server, the ms-Exch-EPI-Impersonation right is needed:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity serviceAccount | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

or
Get-ClientAccessServer | Add-AdPermission -User serviceAccount -ExtendedRights ms-Exch-EPI-Impersonation




Get-ClientAccessServer | Get-Adpermission -User serviceAccount | Format-List *

Get-MailboxDatabase | Get-Adpermission -User serviceAccount | Format-List *

2. Grant impersonation of a specific user by applying the ms-Exch-EPI-May-Impersonate permission:
Add-ADPermission -Identity "User2" -User serviceAccount -extendedRight ms-Exch-EPI-May-Impersonate
This grants serviceAccount permission to impersonate User2.


To configure Exchange impersonation for the service account on the mailbox database Mailbox2:

Get-MailboxDatabase lists the currently existing databases.


Get-MailboxDatabase -Identity Mailbox2  | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate}





Query the permission:

Get-ExchangeServer -Identity DOM2X2K7 | Get-AdPermission -User ServiceAccount






***************************************************************




Add access rights for the service account
Get-ClientAccessServer | Add-AdPermission -User serviceAccount `
    -ExtendedRights ms-Exch-EPI-Impersonation
Get-MailboxDatabase | Add-AdPermission -User serviceAccount `
    -ExtendedRights ms-Exch-EPI-May-Impersonate
serviceAccount is the user account, in UPN notation, that you want to use to access the
mailboxes from MailStore. Please make sure that this user account is not a member of any
group with administrative Exchange or Windows rights.

Check access rights
Get-ClientAccessServer | Get-Adpermission -User serviceAccount | Format-List *
Get-MailboxDatabase | Get-Adpermission -User serviceAccount | Format-List *

Remove access rights
Get-ClientAccessServer | Remove-AdPermission -User serviceAccount -ExtendedRights ms-Exch-EPI-Impersonation
Get-MailboxDatabase | Remove-AdPermission -User serviceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate
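An added audit script (not from the original notes or from MailStore) that turns the "check access rights" step above into a report: it lists every account holding either EPI right on the Client Access Servers and mailbox databases and flags accounts that are also members of administrative groups, which the note above says the service account must not be. It assumes an Exchange Management Shell session plus the ActiveDirectory module for Get-ADPrincipalGroupMembership; the group names in $adminGroups are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original notes. Assumes Exchange Management Shell
# and the ActiveDirectory module; $adminGroups is an assumed list for your environment.
$adminGroups = @('Organization Management', 'Exchange Organization Administrators',
                 'Domain Admins', 'Enterprise Admins', 'Administrators')

# Collect every ACE on CAS servers and mailbox databases that carries an EPI right.
$grants = @()
$grants += Get-ClientAccessServer | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-Impersonation' }
$grants += Get-MailboxDatabase | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-May-Impersonate' }

$report = foreach ($ace in $grants) {
    # $ace.User is DOMAIN\sAMAccountName; strip the domain part for the AD lookup.
    $sam = ($ace.User.ToString() -split '\\')[-1]
    $groups = @()
    try {
        $groups = Get-ADPrincipalGroupMembership -Identity $sam |
                  Select-Object -ExpandProperty Name
    } catch {
        # Well-known principals (e.g. NT AUTHORITY\SELF) have no AD user object; skip them.
    }
    $privileged = @($groups | Where-Object { $adminGroups -contains $_ })
    [PSCustomObject]@{
        Target      = $ace.Identity
        Account     = $ace.User
        Right       = ($ace.ExtendedRights | ForEach-Object { $_.ToString() }) -join ','
        Deny        = $ace.Deny
        Inherited   = $ace.IsInherited
        AdminGroups = $privileged -join ','
    }
}

# Everything holding impersonation rights, accounts in admin groups listed first.
$report | Sort-Object { $_.AdminGroups -eq '' } | Format-Table -AutoSize

# An account that combines impersonation with administrative group membership
# contradicts the guidance above; review it and remove the right if not required.
$report | Where-Object { $_.AdminGroups } | ForEach-Object {
    Write-Warning "$($_.Account) holds $($_.Right) on $($_.Target) and is in $($_.AdminGroups)"
}
```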