HOW TO: Configure Exchange 2010 Impersonation for a Group of Users

Sometimes assigning "Full Access" permissions in Exchange is not possible due to company security policy. So we need a flexible way to grant the "ApplicationImpersonation" permission to the connecting user only for a specific list of users (the synchronized mailboxes) in Exchange.
MS Exchange allows more fine-grained control with the help of the "ApplicationImpersonation" role and customizable Management Scopes. The list of users can be managed with an Exchange Distribution Group: if synchronization should be enabled or disabled for a specific user, that user is simply added to or removed from the distribution group.


Step 1: Add Distribution Group

Add a distribution group to contain the users for sync:

Here we create a group named "crmAEsync". We will need this group later.



Step 2: Add Users Belonging to the Group

Right click on the group and choose "Properties…":

Switch to the "Members" tab and choose "Add":

Add users:



Step 3: Configure ManagementScope

Now you need to use the "Exchange Management Shell":

Here is the script that should be executed.

# Resolve the distinguished name of the distribution group created in Step 1
$groupidentity = (Get-DistributionGroup crmAEsync).Identity.DistinguishedName

# Create a scope that matches only recipients who are members of that group
New-ManagementScope -Name "CRMSyncScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"

# Assign ApplicationImpersonation to the connecting user, limited to the scope above
New-ManagementRoleAssignment -Name "CRMSyncRole" -Role ApplicationImpersonation -User <username> -CustomRecipientWriteScope "CRMSyncScope"


Where <username> is the login name of the user connecting to CRM. Because the role assignment carries the custom recipient write scope, this user will be able to impersonate only the members of the distribution group, not every mailbox in the organization.
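To check the result after running the script above, here is an added verification snippet (not part of the original post) for the Exchange Management Shell. It assumes the names used above ("CRMSyncScope", "CRMSyncRole", group "crmAEsync") and uses only standard Exchange 2010 cmdlets.

```powershell
# Added example: audit the impersonation setup created in Step 3.
# Assumes the scope name "CRMSyncScope" from the post.

# 1. Confirm the scope still filters on the distribution group's DN
$scope = Get-ManagementScope -Identity "CRMSyncScope"
"Scope filter: $($scope.RecipientFilter)"

# 2. Preview exactly which recipients the scope matches today.
#    A mailbox missing here cannot be impersonated by the CRM user,
#    and one that appears unexpectedly should be removed from the group.
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails |
    Format-Table -AutoSize

# 3. List every ApplicationImpersonation assignment in the organization and
#    flag those without a custom recipient write scope: such an assignment
#    lets its assignee impersonate every mailbox, not just the group members.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope,
        @{ Name = 'Unscoped'
           Expression = { [string]::IsNullOrEmpty($_.CustomRecipientWriteScope) } } |
    Format-Table -AutoSize
```

Run step 2 again after changing group membership to confirm the change is reflected; to revoke the CRM user's access entirely, remove the "CRMSyncRole" assignment with Remove-ManagementRoleAssignment.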