Impersonation premission are removed by them self everyday

Hi All,

i have configured Impersonation on our Exchange 2007 with success and everything is working amazingly except for one out of 20 users which for some reason once or twice a day lose the Impersonation Premission (the command is below)

***
Add-ADPermission -Identity (Get-User -Identity “User5").DistinguishedName -User (Get-User -Identity "Imp-user").Identity -extendedRight ms-Exch-EPI-May-Impersonate
***

i know that its (lost) removed because of all of sudden the impresonation stops working and if i run the same command again its acts like it was never configured before

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
User5       Imp-User                    False False     ms-Exch-EPI-May-Impersonate

and if i run the command again i get

"WARNING: Appropriate ACE is already present on object"


while if i run it after the impersonation stopps working it show again the

User5       Imp-User                    False False     ms-Exch-EPI-May-Impersonate
TufinAsked:
Who is Participating?
 
Simon Butler (Sembee)ConsultantCommented:
You shouldn't be mixing domain admin functionality with anything else.
Exchange and the domain will remove permissions from a domain admin.

You should have two accounts - a regular user account and a domain admin - the domain admin account isn't mail enabled.
Mail enabled domain admin accounts will have problems with permissions.

Simon.
0
 
Simon Butler (Sembee)ConsultantCommented:
Check permission inheritance is enabled on the user object in ADUC to begin with. I have seen some odd things happen if that is missing.

Simon.
0
 
TufinAuthor Commented:
where can i check that ?
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
TufinAuthor Commented:
and what exactly can change those premissions?
0
 
Simon Butler (Sembee)ConsultantCommented:
On the security tab of the user in ADUC, there is an option to allow permission inheritance. It should be enabled.

Simon.
0
 
TufinAuthor Commented:
yes its enabled and i see that imp-user is in the security settings..

also i compared user5 with other users and they have imp-user permission

PS. User5 is a domain admin.. could this affect it some how?
0
 
TufinAuthor Commented:
fixed it .. thanksss
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.