Share via


Impersonation in the times of RBAC

 

So your organization migrated to Exchange Server 2010, and you thought you’d take that opportunity to leverage Role Based Access Control to limit Impersonation rights of your service account to a select set of users by creating a ManagementScope that would filtering the relevant users on the basis of, say, their membership to a Service/Distribution Group, or any other relevant filterable properties, by executing the elementary set of cmdlets here.

 

So you went ahead and created a Security Group, say “Impersonated Users”, and created a Management Scope called “ImpersonationScope” to filter out all the users who are members of “Impersonated Users”, say with something like this:

New-ManagementScope -Name:ImpersonationScope -RecipientRestrictionFilter: {MemberOfGroup -eq "Impersonated Users"}

Then you went ahead and provisioned impersonation rights to your Service Account, say ServAccount, allowing him to impersonate all the members within the above scope, with something like this:

New-ManagementRoleAssignment –Name:impersonationAssignment –Role:ApplicationImpersonation –User:ServAccount –CustomRecipientWriteScope:ImpersonationScope

 

Then you went ahead and fired up your good old, super-reliable, tried and tested application, and lo behold, it tells you…

Message: The account does not have permission to impersonate the requested user.
Type: Microsoft.Exchange.WebServices.Data.ServiceResponseException
Source: Microsoft.Exchange.WebServices
ErrorCode: ErrorImpersonateUserDenied
ErrorMessage: The account does not have permission to impersonate the requested user.

*Grrrr*! What could we possibly be doing wrong here? You go ahead and repeat the entire process, just to be very sure, but nothing helps.

Then you fire up your browser, and open up your favourite Search Engine, type in a random assortment of keywords, say “Impersonation Exchange 2010 RBAC Security Group Awesome Blog” and lo behold, you land up here.

So what exactly could we be doing wrong?

It so happens that in the process of enhancing the awesomeness of Exchange Server 2010 (with the uber-cool RBAC), we sort-of, kind-of didn’t configure it to completely comprehend what [Insert-Your-Equivalent-of-Security-Group-Impersonated-Users-Here] is referring to, as documented here. In light of this, umm, situation the work-around (not so much of a work-around but a rather perfectionist way of approaching it) would be to specify the Active Directory Distinguished Name of the group while creating the Management Scope (This elusive ADDN can be found through a pretty nifty tool called ADSI Edit).

The revised New-ManagemetScope cmdlet would look as follows:

New-ManagementScope -Name:ImpersonationScope -RecipientRestrictionFilter: {MemberOfGroup -eq "CN=Impersonated Users,CN=Users,DC=yourserver,DC=com"}

And lo behold, it works!

So give it a run, and have a bit of fun.
Holler in the comments if your deed isn’t done.

Comments

  • Anonymous
    May 13, 2014
    Awesome, that worked. I will now forget about the 3 lost days trying to figure out why just the group name wasn't working.

  • Anonymous
    March 18, 2015
    The command you gave is incorrect because users should not be CN= but should be OU=. Here it is corrected. New-ManagementScope -Name:ImpersonationScope -RecipientRestrictionFilter: {MemberOfGroup -eq "CN=Impersonated Users,OU=Users,DC=yourserver,DC=com"}