HOW TO: Configure Exchange 2010 Impersonation for a Group of Users

Sometimes assigning “Full Access” permissions in Exchange is not possible because of company security policy. In that case we need a flexible way to grant the “ApplicationImpersonation” permission to the connecting user so that it covers only a specific list of users (the synchronized mailboxes) in Exchange.

Solution

MS Exchange allows more fine-grained control with the help of the “ApplicationImpersonation” role and customizable Management Scopes. The list of users can be managed through an Exchange Distribution Group: to enable synchronization for a specific user, add that user to the group; to disable it, remove the user from the group.

Step 1: Add Distribution Group

Add a distribution group to contain the users to be synchronized:

Here we create a group named “crmAEsync”. We will need this group later.

Step 2: Add Users Belonging to the Group

Right-click the group and choose “Properties…”:

Switch to the “Members” tab and choose “Add”:

Add users:

Step 3: Configure ManagementScope

Now you need to use the “Exchange Management Shell”:

Here is the script to execute. It reads the distinguished name of the group from Step 1, builds a management scope that matches only members of that group, and assigns the ApplicationImpersonation role to the connecting user restricted to that scope.

# Resolve the distinguished name of the distribution group created in Step 1
$groupidentity = $(Get-DistributionGroup crmAEsync).Identity.DistinguishedName

# Create a management scope that covers only recipients who are members of that group
New-ManagementScope -Name:"CRMSyncScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"

# Assign ApplicationImpersonation to the connecting user, limited to the scope above
New-ManagementRoleAssignment -Name:"CRMSyncRole" -Role:ApplicationImpersonation -User:<username> -CustomRecipientWriteScope:"CRMSyncScope"

Here <username> is the login name of the user connecting to CRM. This user will be able to impersonate the members of the distribution group, and only those, rather than every mailbox in the organization.
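After running the script, it is worth verifying that the scope resolves to exactly the intended mailboxes and that the role assignment really is bound to the custom scope. The following check script is an added example, not part of the original post; it uses the scope, assignment and group names from the steps above, and the service account name 'svc-crmsync' is a placeholder for the real <username>.

```powershell
# Added verification script (not from the original post). Assumes the names
# created in Steps 1-3; 'svc-crmsync' is a placeholder for <username>.
$ServiceAccount = 'svc-crmsync'

# 1. Confirm the scope exists and inspect the filter it was created with.
$scope = Get-ManagementScope -Identity 'CRMSyncScope'
Write-Host "Scope filter: $($scope.RecipientFilter)"

# 2. Preview exactly which recipients fall inside the scope. This is the set of
#    mailboxes the service account can impersonate; anything missing or
#    unexpected here means the group membership or the filter is wrong.
$inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited
$inScope | Select-Object Name, PrimarySmtpAddress, RecipientType | Format-Table -AutoSize

# 3. Cross-check the scope result against the distribution group membership
#    (ForEach-Object keeps this working on the PowerShell 2.0 shell of Exchange 2010).
$inScopeDns = @($inScope | ForEach-Object { $_.DistinguishedName })
$members    = Get-DistributionGroupMember -Identity 'crmAEsync' -ResultSize Unlimited
$missing    = @($members | Where-Object { $inScopeDns -notcontains $_.DistinguishedName })
if ($missing.Count -gt 0) {
    Write-Warning "Group members not covered by the scope:"
    $missing | Format-Table Name, RecipientType -AutoSize
}

# 4. Confirm the assignment is bound to the custom scope and not left at the
#    default organization-wide write scope, which would allow impersonation of
#    every mailbox in the organization.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -RoleAssignee $ServiceAccount |
    Select-Object Name, RecipientWriteScope, CustomRecipientWriteScope | Format-Table -AutoSize

# 5. Teardown when the integration is decommissioned. Remove the assignment
#    first; the scope cannot be removed while an assignment still references it.
# Remove-ManagementRoleAssignment -Identity 'CRMSyncRole' -Confirm:$false
# Remove-ManagementScope -Identity 'CRMSyncScope' -Confirm:$false
```

Re-run steps 2 and 3 after every change to the group: a member that appears in the group but not in the scope preview will fail to synchronize, and a recipient in the preview that is not in the group indicates the filter no longer matches what was intended.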