Apply Exchange Impersonation rights per-database (2010)
  • Apply Exchange Impersonation rights per-database (2010)

    Hi there,

    I am running an Exchange 2010 server in a lab environment which needs to support multiple individuals' labs. We all have our own AD domains (not trusted, separate forests). So far I'm trying to get this set up to support my domain (CYLAB, which the Exchange server is joined to) and a colleague's lab (PLLAB).

    What I need to do is create an "admin" user for each colleague's domain in my domain, which will have impersonation rights over some other users which I've created for that colleague to use as mailboxes on the server. In AD, I've created OUs for each of the other domains and put the "mailbox users" into those OUs. In Exchange, I've created separate mailbox databases and added those users to it.

    For example, the "admin" user for PLLAB is CYLAB\icadminpl and there are also pluser1, pluser2... pluser5. These are all in the PLLAB OU in AD and the PLLAB mailbox database in Exchange.

    What I want to do is grant icadminpl impersonation rights over the mailboxes in the PLLAB database only and not any other mailboxes. Ideally I also want to configure this once so that any new mailboxes added to that database inherit those permissions, but that's less important.

    Code:
    [PS] C:\Windows\system32>Get-MailboxDatabase
    
    Name                           Server          Recovery        ReplicationType
    ----                           ------          --------        ---------------
    Mailbox Database 1889640392    LLAREGGUB       False           None
    PLLAB                          LLAREGGUB       False           None
    CYLAB                          LLAREGGUB       False           None
    
    
    [PS] C:\Windows\system32>

    From Googling around, all I've really been able to come across is

    Code:
    New-ManagementRoleAssignment -Name:FriendlyAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

    (that one being from http://risualblogs.com/blog/tag/exchange-2010/)

    But it looks like this is going to apply the rights to every mailbox. If I try to filter it based on the PLLAB database, then I get an error.

    Code:
    [PS] C:\Windows\system32>Get-MailboxDatabase 'PLLAB' | New-ManagementRoleAssignment -Name:'PLLABImpersonation' -Role:ApplicationImpersonation -User:icadminpl
    The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
        + CategoryInfo          : InvalidArgument: (PLLAB:PSObject) [New-ManagementRoleAssignment], ParameterBindingException
        + FullyQualifiedErrorId : InputObjectNotBound,New-ManagementRoleAssignment
    
    [PS] C:\Windows\system32>

    Would somebody be able to suggest something, please?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: Apply Exchange Impersonation rights per-database (2010)

    I just found this article http://first-call.tamu.edu/gui2/help...C91FD954650000

    Taking a backup, will post back shortly with results.
    Gareth Howells

    • #3
      Re: Apply Exchange Impersonation rights per-database (2010)

      I ran script 2 from that article:

      Code:
      [PS] C:\Windows\system32>Get-MailboxDatabase "PLLAB" | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User icadminpl -ExtendedRights ms-Exch-EPI-May-Impersonate}
      WARNING: The appropriate access control entry is already present on the object "CN=PLLAB,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=CYLAB,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=cylab,DC=lan" for account "CYLAB\icadminpl".
      
      Identity             User                 Deny  Inherited
      --------             ----                 ----  ---------
      PLLAB                CYLAB\icadminpl      False False

      However, when I try to access pluser1's mailbox as icadminpl using EWS Editor, I am still told that the account does not have the required impersonation rights.

      Code:
      Exception details:
      Message: The account does not have permission to impersonate the requested user.
      Type: Microsoft.Exchange.WebServices.Data.ServiceResponseException
      Source: Microsoft.Exchange.WebServices
      ErrorCode: ErrorImpersonateUserDenied
      ErrorMessage: The account does not have permission to impersonate the requested user.

      Gareth Howells

      • #4
        Re: Apply Exchange Impersonation rights per-database (2010)

        On a recommendation from an associate, I tried

        Code:
        Get-MailboxDatabase "PLLAB" | Add-ADPermission -User "icadminpl" -AccessRights ExtendedRight -ExtendedRights ms-Exch-EPI-Impersonation

        However, icadminpl still does not have impersonation rights over pluser1 according to EWS Editor.

        Edit: Also tried
        Code:
        Get-MailboxDatabase "PLLAB" | Add-ADPermission -User "icadminpl" -AccessRights ExtendedRight -ExtendedRights ms-Exch-EPI-May-Impersonate

        Last edited by gforceindustries; 6th November 2012, 16:05.
        Gareth Howells
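
The EWS Editor check in posts #3 and #4 can be scripted so that the assignment is verified by an actual impersonation call rather than by reading ACLs back. The following is an added example, not code from the thread or from Microsoft; it uses the EWS Managed API and assumes the DLL path shown, an EWS URL of https://llareggub.cylab.lan/EWS/Exchange.asmx and SMTP addresses of the form user@cylab.lan, none of which are stated in the thread. It runs a positive check (a mailbox that should be in scope) and a negative check (a mailbox that should not), because an assignment that only passes the positive check may still be the over-broad, organisation-wide grant the original post was trying to avoid.

```powershell
# Added example (not from the thread): test ApplicationImpersonation end to end
# with the EWS Managed API instead of trusting Add-ADPermission output.
# Assumptions: EWS Managed API 1.2 at the path below, EWS reachable at the URL
# below, SMTP addresses of the form <user>@cylab.lan.

$ewsDll = "C:\Program Files\Microsoft\Exchange\Web Services\1.2\Microsoft.Exchange.WebServices.dll"
[void][Reflection.Assembly]::LoadFile($ewsDll)

# Credentials of the account that was granted impersonation (CYLAB\icadminpl).
$cred = Get-Credential "CYLAB\icadminpl"

$svc = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList ([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2)
$svc.Credentials = New-Object -TypeName Microsoft.Exchange.WebServices.Data.WebCredentials -ArgumentList ($cred.GetNetworkCredential())
$svc.Url = New-Object -TypeName System.Uri -ArgumentList "https://llareggub.cylab.lan/EWS/Exchange.asmx"

function Test-Impersonation {
    param([string]$SmtpAddress)
    # Bind the target's Inbox while impersonating that user. Returns "Allowed",
    # "Denied" (ErrorImpersonateUserDenied, the code seen in post #3) or the
    # text of any other EWS error.
    $svc.ImpersonatedUserId = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ImpersonatedUserId -ArgumentList ([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress), $SmtpAddress
    try {
        [void][Microsoft.Exchange.WebServices.Data.Folder]::Bind($svc, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
        return "Allowed"
    } catch [Microsoft.Exchange.WebServices.Data.ServiceResponseException] {
        if ($_.Exception.ErrorCode -eq [Microsoft.Exchange.WebServices.Data.ServiceError]::ErrorImpersonateUserDenied) {
            return "Denied"
        }
        return "Error: $($_.Exception.Message)"
    }
}

# Positive check: a PLLAB mailbox should be Allowed once the scope works.
# Negative check: a mailbox outside PLLAB must be Denied; if it is Allowed the
# assignment is broader than intended.
$inScope  = "pluser1@cylab.lan"            # from the thread (SMTP domain assumed)
$outScope = "placeholder-cylab-user@cylab.lan"  # placeholder: any mailbox outside PLLAB

"{0}: {1}" -f $inScope,  (Test-Impersonation $inScope)
"{0}: {1}" -f $outScope, (Test-Impersonation $outScope)
```

Run it as a normal PowerShell session on a machine that can reach EWS; it does not need the Exchange Management Shell. Expect "Allowed" for the in-scope mailbox and "Denied" for the out-of-scope one; two "Allowed" results mean the role assignment is effectively unscoped.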

        • #5
          Re: Apply Exchange Impersonation rights per-database (2010)

          A further update - I've found some more information and it looks like I can create a Management Scope based on the mailbox databases, then assign impersonation rights to a user based on a specific scope.

          http://msdn.microsoft.com/en-us/libr...xchg.140).aspx

          http://technet.microsoft.com/en-us/l...XCHG.140).aspx

          http://technet.microsoft.com/en-us/l.../dd335137.aspx
          Gareth Howells

          • #6
            Re: Apply Exchange Impersonation rights per-database (2010)

            I was really optimistic that this would have solved it.

            Code:
            New-ManagementScope -Name "PLLAB Database" -DatabaseRestrictionFilter {Name -Like "PLLAB"}

            New-ManagementRoleAssignment -Name:"PLLAB Impersonation" -Role:ApplicationImpersonation -User:icadminpl -CustomRecipientWriteScope:"PLLAB Database"

            However, icadminpl still does not have impersonation rights over members of the PLLAB database.

            I'd really appreciate any thoughts that anybody has.
            Gareth Howells

            • #7
              Re: Apply Exchange Impersonation rights per-database (2010)

              Hi there,

              Sorry to bump, but I was wondering if anybody had any thoughts on this? I really don't know what else to try here, I've not been able to find anything else online.

              Thanks!
              Gareth Howells

              • #8
                Re: Apply Exchange Impersonation rights per-database (2010)

                Hello there.

                We opened a support case with Microsoft in the end. The database scope not working it appears is a bug in Exchange 2010 SP2; the support engineer is investigating this internally to get us a solution. As a workaround, we've created scopes based on OUs in Active Directory instead. Since all of the mailboxes in the PLLAB database (for example) are associated to the users in the PLLAB Users OU, this gives us basically the same functionality.

                Code:
                New-ManagementScope -Name "PLLABOU" -RecipientRoot "cylab.lan/PLLAB Users" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
                
                New-ManagementRoleAssignment -Name "PLLABImpersonation" -Role "ApplicationImpersonation" -User "icadminpl" -CustomRecipientWriteScope "PLLABOU"

                I'll update further when we hear more information regarding the bug and a fix for it.
                Gareth Howells
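
The database scope in post #6 was not honoured, and post #8 replaces it with an OU-based recipient scope. The workaround only approximates "per database": it is correct exactly as long as every mailbox in the PLLAB database belongs to a user under the PLLAB Users OU and no user under that OU has a mailbox elsewhere. The following is an added example, not code from the thread or from Microsoft, that applies the post #8 scope and assignment idempotently and then checks three things in the Exchange Management Shell: that the assignment really carries the custom scope (an assignment whose RecipientWriteScope is Organization grants impersonation over every mailbox), that database membership and OU membership have not drifted apart, and which extended-right ACEs from the earlier Add-ADPermission attempts are still sitting on the database object. The names PLLAB, icadminpl and cylab.lan/PLLAB Users come from the thread; everything else is an assumption.

```powershell
# Added example (not from the thread): apply the OU-scope workaround from post #8
# and verify it. Names below are the thread's; the checks are this example's own.

$Database       = "PLLAB"
$Account        = "icadminpl"
$OuPath         = "cylab.lan/PLLAB Users"
$ScopeName      = "PLLABOU"
$AssignmentName = "PLLABImpersonation"

# 1. Scope: only UserMailbox recipients under the PLLAB Users OU.
if (-not (Get-ManagementScope $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRoot $OuPath `
        -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }
}

# 2. Assignment: ApplicationImpersonation limited to that recipient scope.
if (-not (Get-ManagementRoleAssignment $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role "ApplicationImpersonation" `
        -User $Account -CustomRecipientWriteScope $ScopeName
}

# 3. Verify the scope actually attached. RecipientWriteScope must read
# CustomRecipientScope with CustomRecipientWriteScope = PLLABOU; a value of
# Organization means icadminpl can impersonate every mailbox on the server.
Get-ManagementRoleAssignment -RoleAssignee $Account -Role "ApplicationImpersonation" |
    Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Drift check between "in the PLLAB database" and "under the PLLAB Users OU".
#    dbOnly: mailboxes in the database the scope does NOT cover.
#    ouOnly: mailboxes the scope covers although they live in another database.
$dbOnly = @(Get-Mailbox -Database $Database -ResultSize Unlimited |
    Where-Object { $_.OrganizationalUnit -ne $OuPath })
$ouOnly = @(Get-Mailbox -OrganizationalUnit $OuPath -ResultSize Unlimited |
    Where-Object { $_.Database.Name -ne $Database })

"Mailboxes in $Database outside ${OuPath}: $($dbOnly.Count)"
$dbOnly | Format-Table Name, OrganizationalUnit, Database -AutoSize
"Mailboxes under $OuPath not in ${Database}: $($ouOnly.Count)"
$ouOnly | Format-Table Name, OrganizationalUnit, Database -AutoSize

# 5. ACEs left on the database object by the Add-ADPermission attempts in
# posts #3 and #4. They did not grant impersonation but are still standing
# permissions; list them so they can be reviewed and removed.
Get-MailboxDatabase $Database | Get-ADPermission -User $Account |
    Format-Table Identity, ExtendedRights, Deny, Inherited -AutoSize
```

Both drift counts should be zero; a non-zero count is a mailbox whose impersonation exposure differs from what the database name suggests, and re-running step 4 after each mailbox move or creation keeps the OU workaround honest.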

                • #9
                  Re: Apply Exchange Impersonation rights per-database (2010)

                  Hi Gareth,

                  I tried some of the things you tried too before I stumbled upon this post. Customer is running Exchange 2010 SP2, and the DatabaseRestrictionFilter doesn't seem to apply (just as you discovered too).

                  Did MS give you a solution, or did you just end up filtering on the OU instead?

                  Did they mention if this bug was fixed in SP3?

                  Thanks in advance


                  • #10
                    Re: Apply Exchange Impersonation rights per-database (2010)

                    I upgraded the server to SP3, same issue. The MS tech reported that it also is the case on 2013.

                    In any case, they called the other day to state that they were closing the issue as unresolved. I had the same conversation with the technician followed by his supervisor, but each time they first tried to state that this is by design. I questioned this since

                    a) why would they implement a database restriction filter that can't restrict by the database you filter by
                    b) what therefore is the intended purpose of the database scope?

                    They could not answer either question and were therefore forced to concede that this might be a bug.

                    This is a "known issue" that they have seen at other customers, however there is no KB for the issue as of yet. I was assured however that they will keep me posted with any developments including an explanation of how this can be considered "by design", or when the "maybe bug" will be fixed.

                    With apologies if the above sounded a little cynical.

                    So yes, for now we have no option except to filter by OU.
                    Gareth Howells