Objective
Prerequisite
Steps
Get-ManagementRoleAssignment -RoleAssignee "$account_name" -Role ApplicationImpersonation -RoleAssigneeType user
Replace $account_name with the name of the Exchange administrator account.
New-ManagementRoleAssignment -Name:$impersonation_Assignment_Name -Role:ApplicationImpersonation -User:"$account_name"
Replace $impersonation_Assignment_Name with a unique name for this operation.
Note: You can omit the -Name:$impersonation_Assignment_Name part of the cmdlet, and a unique assignment name will be generated automatically.
The administrator account now has impersonation rights for all users. You can also limit the administrator’s impersonation rights to the members of an AD group by defining a new management scope.
To limit an administrator’s impersonation rights to a specific set of users, follow the steps below.
$ADGroup = Get-DistributionGroup -Identity "$group_name"
New-ManagementScope "$scope_name" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
Replace $group_name with the name of the AD group and $scope_name with a unique name of your choice for the scope.
Set-ManagementRoleAssignment "$impersonation_Assignment_Name" -CustomRecipientWriteScope "$scope_name"
The administrator's impersonation rights are now limited to the members of the selected AD group.
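To check which ApplicationImpersonation assignments are still in the "all users" state described above and which are limited by a management scope, the following PowerShell sketch can be used. It is an added example, not part of the original page; the function name Get-ImpersonationScopeReport and the sample objects are hypothetical, and the sample data is constructed so the block runs outside Exchange.

```powershell
# Added example: report whether each ApplicationImpersonation assignment
# carries a custom recipient write scope (set in the scoping steps above).
# In an Exchange Management Shell session, feed it real assignments with:
#   Get-ManagementRoleAssignment -Role ApplicationImpersonation |
#       Get-ImpersonationScopeReport
function Get-ImpersonationScopeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Assignment
    )
    process {
        # CustomRecipientWriteScope is empty until a management scope is
        # attached with Set-ManagementRoleAssignment -CustomRecipientWriteScope.
        $scopeName = [string]$Assignment.CustomRecipientWriteScope
        $scoped    = -not [string]::IsNullOrWhiteSpace($scopeName)

        [pscustomobject]@{
            Assignment = $Assignment.Name
            Assignee   = $Assignment.RoleAssigneeName
            Scope      = if ($scoped) { $scopeName } else { '(none)' }
            # Assumption: only the management-scope restriction from this page
            # is considered; other restrictions are not evaluated here.
            Finding    = if ($scoped) { 'Scoped' } else { 'NO CUSTOM SCOPE: review' }
        }
    }
}

# Constructed sample objects (hypothetical names) that mimic the properties
# of role assignment objects, so the function can be tried offline.
$sample = @(
    [pscustomobject]@{
        Name                      = 'Impersonation-Backup'
        RoleAssigneeName          = 'svc-backup'
        CustomRecipientWriteScope = 'BackupUsersScope'
    }
    [pscustomobject]@{
        Name                      = 'ApplicationImpersonation-admin1'
        RoleAssigneeName          = 'admin1'
        CustomRecipientWriteScope = $null
    }
)

$sample | Get-ImpersonationScopeReport | Format-Table -AutoSize
```

Any row reported without a custom scope corresponds to an account that can impersonate every user, so it is a candidate for either the scoping steps above or the revocation cmdlet.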
Revoking impersonation rights:
To remove the impersonation rights provided to an administrator at any point, execute this cmdlet.
Get-ManagementRoleAssignment -RoleAssignee "$account_name" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment