Unable to (re-)configure superaccount in Exchange 2007
Hello all,

A customer of ours needed a superaccount on their Exchange server which could access all email boxes and send mail as every mail user. About a month ago I was testing with our test Exchange 2007 server; I did manage to set this up back then and was happily sending email as other (test) users and browsing their mailboxes without configuring anything on their accounts.

Yesterday my colleague at the customer wanted to create this superaccount on the customer's server as well, but when trying to use other mailboxes by connecting to them through EWS (web services), he kept getting this error (a server 500 exception?):

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Header><t:ServerVersionInfo MajorVersion="8" MinorVersion="1" MajorBuildNumber="240" MinorBuildNumber="5" Version="Exchange2007_SP1" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" /></soap:Header><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</faultstring><detail><e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonationDenied</e:ResponseCode><e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</e:Message></detail></soap:Fault></soap:Body></soap:Envelope>

Now I've tried to reproduce this error and this worked a bit too well: I am actually unable to make new superaccounts work for myself again. I created about 4 new superaccounts but I've been unable to get them access to the other test accounts and I keep getting the same error as my colleague.

I don't remember what I did the first time to make it work and I can't seem to find any difference between the old superaccount and the new ones. I even deleted my working superaccount in a desperate attempt to find out what the issue was, thinking there might be a restriction on the number of possible superaccounts.

As far as I know, I performed these steps when first creating the superaccount:
- Added a mailbox in the Exchange Management Console (in Recipient Configuration, Mailbox), selected to use a new account for this and just followed the steps.
- Went to Active Directory Users & Computers, went to Microsoft Exchange Security Groups, selected properties of the Exchange Organisation Administrators group, selected the 'Members' tab and added this newly created superaccount to this group.

Apparently this wasn't all I did though, since I performed these steps again but am still unable to make this work again. Am I missing a step here? Any help would be great.
January 8th, 2010 3:33pm

I found the solution. I performed this command in the Exchange Management Shell:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity superaccount | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

(superaccount being the name of the superaccount, obviously)

If anyone knows a more user-friendly way to do this, please let me know.
January 8th, 2010 4:36pm
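
A read-only check to go with the command in the post above, added here as an example and not part of the original thread: it lists every account that holds the ms-Exch-EPI-Impersonation right on each Client Access server, so grants left over from testing can be reviewed. It assumes the Exchange 2007 Management Shell; the account name in the commented-out cleanup line is a placeholder.

```powershell
# Added example (not from the original posts). Run in the Exchange Management Shell.
# Lists who holds the EWS impersonation right on each Client Access server.
$right = 'ms-Exch-EPI-Impersonation'

Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer -eq $true } |
    ForEach-Object {
        $server = $_
        # Read the ACL on the server object and keep only impersonation entries.
        Get-ADPermission -Identity $server.DistinguishedName |
            Where-Object { $_.ExtendedRights -like $right } |
            Select-Object @{ Name = 'Server'; Expression = { $server.Name } },
                          User, Deny, IsInherited
    } |
    Sort-Object Server, User |
    Format-Table -AutoSize

# Rows with Deny = True block impersonation for that account or group.
# Rows with IsInherited = False were granted directly on the server object,
# which is what the Add-ADPermission command in the post produces.

# To withdraw a grant that is no longer needed, mirror the original command
# with Remove-ADPermission. 'old-test-superaccount' is a placeholder name.
# Get-ExchangeServer |
#     Where-Object { $_.IsClientAccessServer -eq $true } |
#     ForEach-Object {
#         Remove-ADPermission -Identity $_.DistinguishedName `
#             -User 'old-test-superaccount' `
#             -ExtendedRights $right
#     }
```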
