Exchange 2007 - Exchange Impersonation for an AD security group?
On Exchange 2007, is it possible to grant the ms-Exch-EPI-May-Impersonate extended right to an Active Directory security group such that our service account can Exchange impersonate only the user accounts that belong to the security group? The following link has documentation on how to "configure Exchange Impersonation for a user on an account", but I'd prefer to be able to add or remove users from an Active Directory security group using "Active Directory Users and Computers" rather than having to manually add/remove users via the Add-ADPermission and Remove-ADPermission Exchange Management Shell commands. http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx Thanks, Greg
November 16th, 2010 8:44am

We have a 3rd party provided application that uses Exchange Web Services to do automated processing on users' mailboxes. I don't trust giving that application permissions to all the mailboxes in the entire organization. The Add-ADPermission and Remove-ADPermission Exchange Management Shell commands do allow me to restrict permissions such that the application service account can only access the mailboxes it needs to. However, I find the Exchange Management Shell commands awkward and tedious to use. I'd prefer to manage this, on a day to day basis, using an Active Directory security group. Thanks, Greg
November 17th, 2010 8:00am

Thank you for providing the explanation. Unfortunately you have to assign those types of rights (whether they are impersonate or mailbox access) either at the Org level, mailbox server level, database level, or individual mailbox level. Since you don't want to give this service account sweeping access to your users, you are pretty much limited to using the individual mailbox level permissions. A group is a collection of objects, and assigning permission changes to it won't affect the member objects in it. That being said, you could still use the group to organize your changes by setting up a script as an automated task that performed a Get-Member on the group, and then apply the correct permissions to each individual mailbox that you want to have the impersonated rights. If you do this though, you will want to track who has the impersonated rights already so that as you remove users from the group, their permissions are cleaned up, and I like to track things like this using the CustomAttributes for reconciliation. My suggestion for the logic of such a script would be as follows:

Check all users who have CustomAttribute15 set to "EWSImpersonation" for being members of the group. If they aren't in the group, undo the impersonation rights, blank CustomAttribute15, and add them to a "removed users" list.

Check the membership of the group, and if any account doesn't have CustomAttribute15 set to "EWSImpersonation", add the permission, set CustomAttribute15 to "EWSImpersonation", and add them to an "added users" list.

Email yourself (or your team) the list of "removed users" and "added users" daily so that you know the process is still working (a sort of heartbeat), and so that you are keeping an eye on who is being added and removed (since you are concerned about the level of access this service account has).
That's the best idea I have as far as automating this process while using a group (so that the hard part is done up front by writing the script), and you can run the script whenever you want but I would recommend doing it as a scheduled daily job at a minimum.
November 17th, 2010 8:45am
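The reconciliation logic described in the answer above, written out as an Exchange Management Shell script; this is an added example, not code from the thread or from Microsoft. The group name, service account, SMTP host and report addresses are placeholders, and the group members are read through ADSI so the security group does not need to be mail-enabled (nested groups are not expanded).

```powershell
# Added example: reconcile ms-Exch-EPI-May-Impersonate rights for one service
# account against an AD security group, using CustomAttribute15 as the marker.
$GroupName      = "EWS-Impersonated-Users"   # placeholder
$ServiceAccount = "svc-ews"                  # placeholder
$Marker         = "EWSImpersonation"
$Right          = "ms-Exch-EPI-May-Impersonate"

$svcIdentity = (Get-User -Identity $ServiceAccount).Identity

# Resolve the group's direct members (DNs) via ADSI; nested groups are not expanded.
$searcher  = New-Object DirectoryServices.DirectorySearcher("(&(objectClass=group)(sAMAccountName=$GroupName))")
$group     = $searcher.FindOne().GetDirectoryEntry()
$memberDns = @($group.Properties["member"] | ForEach-Object { "$_" })

$added = @(); $removed = @()

# Pass 1: mailboxes marked as impersonated that are no longer in the group lose the right.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$Marker'" | ForEach-Object {
    if ($memberDns -notcontains $_.DistinguishedName) {
        Remove-ADPermission -Identity $_.DistinguishedName -User $svcIdentity -ExtendedRights $Right -Confirm:$false
        Set-Mailbox -Identity $_.DistinguishedName -CustomAttribute15 $null
        $removed += $_.PrimarySmtpAddress.ToString()
    }
}

# Pass 2: group members without the marker get the right and the marker.
foreach ($dn in $memberDns) {
    $mbx = Get-Mailbox -Identity $dn -ErrorAction SilentlyContinue   # skip members with no mailbox
    if ($mbx -and $mbx.CustomAttribute15 -ne $Marker) {
        Add-ADPermission -Identity $dn -User $svcIdentity -ExtendedRights $Right
        Set-Mailbox -Identity $dn -CustomAttribute15 $Marker
        $added += $mbx.PrimarySmtpAddress.ToString()
    }
}

# Heartbeat report: sent on every run, even when nothing changed, so silence means the job is broken.
$body = "Added:`n" + ($added -join "`n") + "`n`nRemoved:`n" + ($removed -join "`n")
$smtp = New-Object Net.Mail.SmtpClient("smtp.example.com")   # placeholder host
$smtp.Send("ews-recon@example.com", "exchange-admins@example.com", "EWS impersonation reconciliation", $body)
```

Schedule it as a daily task under an account that holds the rights to run Add-ADPermission and Set-Mailbox; the ms-Exch-EPI-Impersonate right on the Client Access server, which the linked article also requires, is a one-time setup and is not touched here.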

Thank you for the suggestions and information. --Greg
November 19th, 2010 7:41am
