Hey guys, I have a primary domain where exchange 2007 resides on and i also have a child domain. I have a user that is on the child domain and i want to give that user impersonation rights on the exchange server residing on the primary domain. Is that possible? I'm using this exchange cmdlet: Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity CHILDDOMAIN\User | select-object).identity -extendedRights ms-Exch-EPI-Impersonation Running this cmdlet is giving me an error that says: Get-User: The operation could not be performed because object 'CHILDDOMAIN\User' could not be found on domain controller Any ideas? Thanks

What exactly is it you are attempting to accomplish? If it is what I am thinking, you cannot accomplish it in this way. Also, Add-ADPermission is an AD command and not an Exchange command. Just for the heck of it, have you tried to use Get-User DOMAIN\User to see if that worked just by itself? You may need to use the -DomainController option and point it to a DC in the child domain, or you may want to try using the UPN.

I am trying to give a sharepoint service account that is on the childdomain impersonation rights for exchange on the primarydomain. You can use Add-ADPermission in exchange shell because it is also related to exchange permissions. I tried using the same command for a user on the primarydomain and it worked just fine, but i still can't figure out if and how it works for a user on the childdomain. (I even tried using -DomainController to specify the childdomain DC). Thanks

Can you grant it through ADUC and ADSIEDIT? http://calendarservermigration.blogspot.com/2007/08/exchange-2007-impersonation-debugging.htmlJames Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Are these two domains in the same forest?

Yes they are, same forest.

Have you tried something simple, like Add-Adpermission -Identity <Name of an Exchange Server> -User ChildDomain\User -extendedRights ms-Exch-EPI-Impersonation ? Also, is the trust good between the two domains? Can you add users from domain A to domain B and vice versa?

Have tried: Get-ExchangeServer | where {$_.IsClientAccessServer-eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation} (where User1 is the user account)

Hi, the object is in another domain so you need to set the scope of your powershell to be able to read objects from entire forest. run the following cmdlet which will set the scope of powershell to entire forest. $AdminSessionADSettings.ViewEntireForest = $true once this is done run your command in the same firewall window to set impersonation permissions

read my last line as "once this is done run your command in the same powershell window to set impersonation permissions" dealing too much with firewall's today - Sorry for the typo