Setting up Impersonation Rights in Exchange 2007 and 2010 for the Symantec Email Submission Client (SESC)


Article ID: 156696


Products

Mail Security for Microsoft Exchange
Messaging Gateway

Issue/Introduction

This document describes how to assign the required Application Impersonation rights to the service account used by the SESC service.

Resolution

Impersonation rights are required for the SESC service account. The impersonation right enables the service account to access the mailbox on the selected Exchange mailbox server in the user scope. It also enables the service account to create folders for submission and to read submitted emails from these folders. You can use the following commands to provide impersonation rights, depending on the Exchange version.

Exchange 2010

The service account user must have the Application Impersonation (RBAC) right.

You can run the following command from Exchange PowerShell (Exchange Management Shell) to provide this permission:

New-ManagementRoleAssignment -Name SESCApplicationImpersonationRole -Role ApplicationImpersonation -User <serviceAccountName>

(Replace <serviceAccountName> with the SESC service account you created earlier and run as one command)

The following is an example providing the role to the account sesc01:


New-ManagementRoleAssignment -Name SESCApplicationImpersonationRole -Role ApplicationImpersonation -User sesc01
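
The command above has no recipient scope, so the assignment applies to every mailbox in the organization. The following added example (not from the original article or from Symantec) limits the same role to a management scope and then lists who holds ApplicationImpersonation so the result can be checked. The scope name, the CustomAttribute1 marker value, and the assumption that SESC only needs the tagged mailboxes are hypothetical; the account sesc01 is the one from the example above.

```powershell
# Added example for the Exchange 2010 Management Shell. Not the vendor's own script.
# Hypothetical values: scope name, and CustomAttribute1 = 'SESC' as the marker
# placed on mailboxes that submit mail through SESC.
$account    = 'sesc01'
$assignment = 'SESCApplicationImpersonationRole'
$scopeName  = 'SESCSubmissionMailboxes'
$filter     = "CustomAttribute1 -eq 'SESC'"

# 1. Preview which mailboxes the scope will cover before granting anything.
Get-Mailbox -ResultSize Unlimited -Filter $filter |
    Select-Object Name, PrimarySmtpAddress

# 2. Create the management scope that bounds impersonation.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 3. Assign the role inside that scope. If the unscoped assignment from the
#    article already exists, narrow it instead of creating a second one.
if (Get-ManagementRoleAssignment -Identity $assignment -ErrorAction SilentlyContinue) {
    Set-ManagementRoleAssignment -Identity $assignment -CustomRecipientWriteScope $scopeName
} else {
    New-ManagementRoleAssignment -Name $assignment -Role ApplicationImpersonation `
        -User $account -CustomRecipientWriteScope $scopeName
}

# 4. Audit: list every holder of ApplicationImpersonation and its write scope.
$holders = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$holders |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 5. Flag assignments that still reach the whole organization.
$holders |
    Where-Object { "$($_.RecipientWriteScope)" -eq 'Organization' } |
    ForEach-Object {
        Write-Warning ("Organization-wide impersonation: {0} via {1}" -f $_.EffectiveUserName, $_.Name)
    }
```

Steps 4 and 5 only read configuration and can be rerun periodically to detect impersonation rights that were added or widened later.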

Exchange 2007

The service account user must have the following permissions:
■ Ms-Exch-EPI-Impersonation
■ Ms-Exch-EPI-May-Impersonate

You can run the following command from Exchange PowerShell to provide this permission:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

(Replace User1 with the SESC service account you created earlier and run as one command)


Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate}

(Replace User1 with the SESC service account you created earlier and run as one command)


For more information, see http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.80).aspx