I found the following references on configuring impersonation in a cross-forest organization:
http://blogs.technet.com/b/exchange/archive/2008/04/18/3405388.aspx
http://social.technet.microsoft.com/Forums/en/exchange2010/thread/483ba24e-a6e1-4b1e-82be-ffa0aec6fd66
http://blog.powershell.no/2010/04/23/exchange-server-2010-cross-forest-migration/
http://blogs.msdn.com/b/exchangedev/archive/2009/06/15/exchange-impersonation-vs-delegate-access.aspx
Impersonation on a mixed Exchange 2007 server:
New-ManagementScope -Name "XCH2k7DOM2SCOPE" -RecipientRoot "DOM2.Domain.red/MY" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
1. To allow a user to impersonate on a server, the ms-Exch-EPI-Impersonation extended right is needed:
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName `
    -User (Get-User -Identity serviceAccount | Select-Object).Identity -ExtendedRight ms-Exch-EPI-Impersonation}
or
Get-ClientAccessServer | Add-AdPermission -User serviceAccount -ExtendedRights ms-Exch-EPI-Impersonation
Get-ClientAccessServer | Get-Adpermission -User serviceAccount | Format-List *
Get-MailboxDatabase | Get-Adpermission -User serviceAccount | Format-List *
2. Grant impersonation of a user by applying the ms-Exch-EPI-May-Impersonate permission:
Add-ADPermission -Identity "User2" -User serviceAccount -extendedRight ms-Exch-EPI-May-Impersonate
This command grants serviceAccount permission to impersonate User2.
To configure Exchange Impersonation for the users on the mailbox database Mailbox2:
Get-MailboxDatabase lists the databases that currently exist.
Get-MailboxDatabase -Identity Mailbox2 | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate}
Query the permission:
Get-ExchangeServer -Identity DOM2X2K7 | Get-AdPermission -User ServiceAccount
***************************************************************
Add access rights for the service account
Get-ClientAccessServer | Add-AdPermission -User serviceAccount `
    -ExtendedRights ms-Exch-EPI-Impersonation
Get-MailboxDatabase | Add-AdPermission -User serviceAccount `
    -ExtendedRights ms-Exch-EPI-May-Impersonate
Here serviceAccount is the user account, in UPN notation, that you want to use to access the
mailboxes from MailStore. Please make sure that this user account is not a member of any group
with administrative Exchange or Windows rights.
Check access rights
Get-ClientAccessServer | Get-Adpermission -User serviceAccount | Format-List *
Get-MailboxDatabase | Get-Adpermission -User serviceAccount | Format-List *
Remove access rights
Get-ClientAccessServer | Remove-AdPermission -User serviceAccount -ExtendedRights ms-Exch-EPI-Impersonation
Get-MailboxDatabase | Remove-AdPermission -User serviceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate
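The checks above look at one known account. As an added example (not from the original notes or the linked articles), the script below audits every holder of the two impersonation rights across the Client Access servers and mailbox databases and flags holders that also sit in a privileged group, which the note above advises against. It assumes the Exchange Management Shell plus the ActiveDirectory module are loaded, and the $privilegedGroups list is an assumption to adjust to your environment.

```powershell
# Added example: audit holders of ms-Exch-EPI-Impersonation (CAS servers) and
# ms-Exch-EPI-May-Impersonate (mailbox databases) and report privileged-group overlap.
# Assumes Exchange Management Shell + ActiveDirectory module; $privilegedGroups is an
# assumed list, not something the notes define.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins',
                      'Exchange Organization Administrators', 'Exchange Recipient Administrators')

# Collect the allow ACEs that grant either impersonation right.
$grants = @()
$grants += Get-ClientAccessServer | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-Impersonation' -and -not $_.Deny }
$grants += Get-MailboxDatabase | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-May-Impersonate' -and -not $_.Deny }

# One row per (holder, object, right), so unexpected holders stand out.
$grants | Select-Object User, Identity, ExtendedRights, IsInherited |
    Sort-Object User | Format-Table -AutoSize

# For each distinct holder, compare group membership against the privileged list.
$holders = $grants | Select-Object -ExpandProperty User | Sort-Object -Unique
foreach ($holder in $holders) {
    # $holder renders as DOMAIN\sAMAccountName; keep the account part.
    $sam = ($holder.ToString() -split '\\')[-1]
    try {
        $groups = Get-ADPrincipalGroupMembership -Identity $sam |
            Select-Object -ExpandProperty Name
    } catch {
        Write-Warning "Could not resolve group membership for $holder : $_"
        continue
    }
    $hits = $groups | Where-Object { $privilegedGroups -contains $_ }
    if ($hits) {
        Write-Warning "$holder holds impersonation rights AND is a member of: $($hits -join ', ')"
    } else {
        Write-Output "$holder : impersonation rights, no privileged group membership"
    }
}
```

Run it after granting or removing rights; any holder you did not intend, or any warning line, is what to investigate first.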