Sunday, August 26, 2007

Setting Permissions for Migration into Exchange 2007

If you've been through a migration into Exchange or just reading up on the intricacies of the process, you've seen a recurring theme: Permissions.


In both Exchange 2003 and 2007 the first problem you're likely to run into is setting permissions properly to insert calendar server data during a migration. The necessary permissions have changed in the past with various roll-ups and service packs and will undoubtedly change in the future.


As of the current Exchange 2007 release, you must set GenericAll, Send-As, Receive-As, and Impersonation using the Exchange Management Shell.

The following examples will create an account called ex2007@lab.sumatra.local with appropriate permissions on server “myServerName.” Of course you can create your own service account and must use your lab or production domain name.

Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents

Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -ExtendedRights Send-As

Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -ExtendedRights Receive-As

Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -ExtendedRights ms-Exch-EPI-May-Impersonate

Add-ADPermission -Identity "CN=myServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=sumatra,DC=local" -User ex2007@lab.sumatra.local -ExtendedRights ms-Exch-EPI-Impersonation

You could also execute the commands this way:

Add-ADPermission -Identity "myServerName" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents

We add GenericAll because sometimes the service account needs additional permissions.

You should not add this account to any administrative groups, e.g., administrators, domain administrators, etc.

Impersonation in particular seems to be the source of a huge amount of problems.
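Before the migration runs it is worth reading the ACL back rather than trusting that the five commands above succeeded. The script below is an added example, not part of the original post: it resolves the server's distinguished name (avoiding the ambiguous-name problem), checks the account's ACEs with Get-ADPermission for the rights listed above, flags any Deny entries, and confirms the account is not a direct member of common administrative groups. Server and account names are the post's lab values; the list of groups to check is an assumption.

```powershell
# Run in the Exchange Management Shell. Names below are the post's lab values.
$serverName  = "myServerName"
$serviceUser = "ex2007@lab.sumatra.local"

# Rights the post says the migration account needs, by their AD names.
$expectedAccess   = @("GenericAll")
$expectedExtended = @("Send-As", "Receive-As",
                      "ms-Exch-EPI-May-Impersonate", "ms-Exch-EPI-Impersonation")

# Resolve objects to distinguished names so a short server name cannot match several entries.
$serverDN = (Get-ExchangeServer -Identity $serverName).DistinguishedName
$user     = Get-User -Identity $serviceUser
$userDN   = $user.DistinguishedName

# Only the ACEs on the server object that name this account.
$aces = @(Get-ADPermission -Identity $serverDN -User $user.Identity)

# Collect Allow entries as plain strings for comparison.
$haveAccess   = @($aces | Where-Object { -not $_.Deny } |
                  ForEach-Object { $_.AccessRights }   | ForEach-Object { "$_" })
$haveExtended = @($aces | Where-Object { -not $_.Deny } |
                  ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })

foreach ($r in $expectedAccess) {
    if ($haveAccess -contains $r) { Write-Host "OK      AccessRights:  $r" }
    else { Write-Warning "MISSING AccessRights:  $r" }
}
foreach ($r in $expectedExtended) {
    if ($haveExtended -contains $r) { Write-Host "OK      ExtendedRight: $r" }
    else { Write-Warning "MISSING ExtendedRight: $r" }
}

# A Deny ACE overrides a matching Allow, so surface any that exist for this account.
$aces | Where-Object { $_.Deny } | ForEach-Object {
    Write-Warning "DENY present: AccessRights=$($_.AccessRights) ExtendedRights=$($_.ExtendedRights)"
}

# Least-privilege check: the service account should not sit in administrative groups.
# Group list is an assumption; only direct membership is checked, not nested groups.
$adminGroups = @("Administrators", "Domain Admins", "Enterprise Admins",
                 "Exchange Organization Administrators")
foreach ($g in $adminGroups) {
    $grp = Get-Group -Identity $g -ErrorAction SilentlyContinue
    if ($grp -and ($grp.Members | Where-Object { $_.DistinguishedName -eq $userDN })) {
        Write-Warning "$serviceUser is a member of '$g'; remove it before migrating."
    }
}
```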

4 comments:

Chris said...

Thank you for the great post. While the doc on the official Microsoft site failed (here: http://msdn2.microsoft.com/en-us/library/bb204095.aspx), yours worked perfectly.

chew said...

Add-ADPermission -Identity "ServerName" -User ex2007@lab.sumatra.local -AccessRights GenericAll -InheritanceType Descendents

gives me this:

"Add-ADPermission : The operation could not be performed because 'ServerName' matches multiple entries.
At line:1 char:17
+ add-adpermission <<<< -user besadmin -extendedrights receive-as"

Any idea how to narrow down the results for the server name without the FQDN of the server?

Russ said...

Chew-
The other way to do this is to specify the distinguished name of the server using the cmdlet "(get-exchangeserver)"

e.g., for the server "myE2k7Server":

Add-ADPermission -Identity (Get-ExchangeServer -Identity myE2k7Server).DistinguishedName -User (Get-User -Identity ex2007@lab.sumatra.local).Identity -ExtendedRights ms-Exch-EPI-May-Impersonate

-Russ