Impersonation permissions are removed by themselves every day

Hi All,

I have configured Impersonation on our Exchange 2007 with success and everything is working amazingly except for one out of 20 users, which for some reason once or twice a day loses the Impersonation permission (the command is below)

***
Add-ADPermission -Identity (Get-User -Identity "User5").DistinguishedName -User (Get-User -Identity "Imp-user").Identity -extendedRight ms-Exch-EPI-May-Impersonate
***

I know that it's (lost) removed because all of a sudden the impersonation stops working, and if I run the same command again it acts like it was never configured before

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
User5       Imp-User                    False False     ms-Exch-EPI-May-Impersonate

And if I run the command again I get

"WARNING: Appropriate ACE is already present on object"


While if I run it after the impersonation stops working, it shows again the

User5       Imp-User                    False False     ms-Exch-EPI-May-Impersonate
Tufin asked:
 
Simon Butler (Sembee), Consultant, commented:
You shouldn't be mixing domain admin functionality with anything else.
Exchange and the domain will remove permissions from a domain admin.

You should have two accounts - a regular user account and a domain admin - the domain admin account isn't mail enabled.
Mail enabled domain admin accounts will have problems with permissions.

Simon.
0
 
Simon Butler (Sembee), Consultant, commented:
Check permission inheritance is enabled on the user object in ADUC to begin with. I have seen some odd things happen if that is missing.

Simon.
0
 
Tufin (Author) commented:
Where can I check that?
0

 
Tufin (Author) commented:
And what exactly can change those permissions?
0
 
Simon Butler (Sembee), Consultant, commented:
On the security tab of the user in ADUC, there is an option to allow permission inheritance. It should be enabled.

Simon.
0
 
Tufin (Author) commented:
Yes, it's enabled and I see that imp-user is in the security settings.

Also, I compared user5 with other users and they have imp-user permission.

PS. User5 is a domain admin... could this affect it somehow?
0
 
Tufin (Author) commented:
Fixed it... thanks
0
Question has a verified solution.
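
A read-only check for the situation discussed in this thread, added here as an example and not code from any of the posters: it reports whether the mailbox account is flagged as a protected (admin) account, whether inheritance is blocked on it, and whether the impersonation ACE is currently present. It assumes the Exchange Management Shell; `Test-ImpersonationAce` is a hypothetical name, and `User5` / `Imp-user` are the names from the question.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Test-ImpersonationAce is a hypothetical name; User5 and Imp-user are the
# account names used in the question.
function Test-ImpersonationAce {
    param(
        [string]$Mailbox        = 'User5',
        [string]$ServiceAccount = 'Imp-user'
    )

    $right = 'ms-Exch-EPI-May-Impersonate'
    $dn    = (Get-User -Identity $Mailbox).DistinguishedName
    # Assumes the DN contains no characters that need escaping in an ADSI path.
    $entry = [ADSI]"LDAP://$dn"

    # adminCount = 1 is set by AD on accounts that are (or have been) members
    # of protected groups such as Domain Admins.
    $adminCount = $entry.psbase.Properties['adminCount'].Value

    # True when "allow inheritable permissions" is switched off on the object.
    $inheritanceBlocked = $entry.psbase.ObjectSecurity.AreAccessRulesProtected

    # Look for an explicit, non-deny impersonation ACE for the service account.
    $ace = Get-ADPermission -Identity $dn | Where-Object {
        -not $_.Deny -and
        "$($_.User)" -like "*$ServiceAccount" -and
        ($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right
    }

    # Build the report object with Add-Member so it also works on older shells.
    $result = New-Object PSObject
    $result | Add-Member NoteProperty Mailbox            $Mailbox
    $result | Add-Member NoteProperty AdminCount         $adminCount
    $result | Add-Member NoteProperty InheritanceBlocked $inheritanceBlocked
    $result | Add-Member NoteProperty AcePresent         ([bool]$ace)
    $result
}

# Run it on a schedule and keep the output to see when the ACE disappears.
Test-ImpersonationAce | Format-List
```

An `AdminCount` of 1 together with `AcePresent` turning False points at the domain admin membership described in the accepted answer; the separate, non-mail-enabled admin account recommended there avoids it.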
