Setting Management Scope for AD Group not working in Exchange 2016

  • Question

  • Hello All!


    I am trying to set up impersonation on Exchange 2016, and I have used the following script:


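    # Distinguished name of the group whose members may be impersonated
    $ImpersonationDN = $(Get-Group "<GroupName>").Identity.DistinguishedName
    
    # Scope that matches only recipients who are members of that group
    New-ManagementScope -Name "ScopeName" -RecipientRestrictionFilter "MemberOfGroup -eq '$ImpersonationDN'"
    
    # Assign ApplicationImpersonation to the account, limited to the scope above
    New-ManagementRoleAssignment -Name:Impersonation_Role -Role:ApplicationImpersonation -User:"<Impersonation_UserName>" -CustomRecipientWriteScope:"ScopeName"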
    
    

    The issue I am having is that even though a user is NOT part of the group defined in the Management Scope, impersonation is working for that user.

    Am I missing something or is there a setting somewhere that needs to be checked?

    Thank You!

    /cherie


    Thursday, November 16, 2017 6:04 AM

All replies

  • Full Access permissions also allow the user to "impersonate" others, so check for that. And of course check for any other assignments for the Impersonation role; there is no way he can get Impersonation permissions otherwise.
    Thursday, November 16, 2017 7:47 AM
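
The checks suggested in the reply above can be run from the Exchange Management Shell. This is an added example, not code from the thread's participants; `<MailboxOutsideGroup>` is a hypothetical placeholder for a mailbox that should not be impersonable, and the other placeholders are the ones used in the question.

```powershell
# Added example: audit why an account can reach a mailbox outside the intended scope.
# Placeholder values (assumptions, replace before running):
$ServiceAccount = "<Impersonation_UserName>"   # account that holds the scoped role
$TestMailbox    = "<MailboxOutsideGroup>"      # hypothetical: mailbox NOT in the group
$ScopeName      = "ScopeName"                  # management scope from the question

# 1. List every ApplicationImpersonation assignment that reaches the account,
#    including assignments inherited through role groups. An extra assignment
#    with an Organization-wide write scope overrides the custom scope in practice.
#    EffectiveUserName is the name as Exchange resolves it; adjust the match
#    if it differs from the account value above.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -like "*$ServiceAccount*" } |
    Format-List Name, RoleAssigneeName, RoleAssigneeType, AssignmentMethod,
                RecipientWriteScope, CustomRecipientWriteScope

# 2. Confirm what the scope actually matches. An empty or unexpected
#    RecipientFilter means the group DN was not expanded when the scope was created.
$scope = Get-ManagementScope -Identity $ScopeName
$scope | Format-List Name, RecipientFilter, RecipientRoot

$inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited
$target  = Get-Recipient -Identity $TestMailbox

if ($inScope.DistinguishedName -contains $target.DistinguishedName) {
    Write-Output "$TestMailbox IS matched by scope '$ScopeName'."
} else {
    Write-Output "$TestMailbox is NOT matched by scope '$ScopeName'."
}

# 3. Check for Full Access on the test mailbox, which grants access to the
#    mailbox independently of the impersonation role and its scope.
Get-MailboxPermission -Identity $TestMailbox -User $ServiceAccount |
    Where-Object { ($_.AccessRights -match "FullAccess") -and (-not $_.Deny) } |
    Format-List Identity, User, AccessRights, IsInherited
```

If step 1 shows more than one assignment, or step 3 returns a row, the access does not come from the scoped assignment created in the question.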