If you've been through a migration into Exchange or just reading up on the intricacies of the process, you've seen a recurring theme: Permissions.
In both Exchange 2003 and 2007 the first problem you're likely to run into is setting permissions properly to insert calendar server data during a migration. The necessary permissions have changed in the past with various roll-ups and service packs and will undoubtedly change in the future.
As of the current Exchange 2007 release, you must set GenericAll, Send-As, Receive-As, and Impersonation using the Exchange Management Shell.
The following examples will create an account called ex2007@lab.sumatra.local with appropriate permissions on server “myServerName.” Of course you can create your own service account and must use your lab or production domain name.
Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents
Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -ExtendedRights Send-As
Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -ExtendedRights Receive-As
Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -extendedRight ms-Exch-EPI-May-Impersonate
Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -extendedRight ms-Exch-EPI-Impersonation.
You could also execute the commands this way:
Add-ADPermission -Identity "myServerName" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents
We add GenericAll because sometimes the service account needs additional permissions.
You should not add this account to any administrative groups, e.g., administrators, domain administrators, etc.
Impersonation in particular seems to be the source of a huge amount of problems.
Subscribe to:
Post Comments (Atom)
4 comments:
Thank you for the great post. While the doc on the official Microsoft site failed (here: http://msdn2.microsoft.com/en-us/library/bb204095.aspx), yours worked perfectly.
Add-ADPermission -Identity "ServerName" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents
gives me this:
"Add-ADPermission : The operation could not be performed because 'ServerName' matches multiple entries.
At line:1 char:17
+ add-adpermission <<<< -user besadmin -extendedrights receive-as"
Any idea how to narrow down the results for the server name without the FQDN of the server?
Add-ADPermission -Identity "ServerName" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents
gives me this:
"Add-ADPermission : The operation could not be performed because 'ServerName' matches multiple entries.
At line:1 char:17
+ add-adpermission <<<< -user besadmin -extendedrights receive-as"
Any idea how to narrow down the results for the server name without the FQDN of the server?
Chew-
The other way to do this is to specify the distinguished name of the server using the the commandlet "(get-exchangeserver)"
e.g., for the server "myE2k7Server":
Add-ADPermission -Identity (get-exchangeserver -Identity myE2k7Server).DistinguishedName -User (Get-User -Identity ex2007@lab.sumatra.local | select-object).identity -extendedRight ms-Exch-EPI-May-Impersonate
-Russ
Post a Comment