Solved

Impersonation permissions are removed by themselves every day

Posted on 2013-11-07
Last Modified: 2013-11-18
Hi All,

I have configured impersonation on our Exchange 2007 with success, and everything is working amazingly except for one out of 20 users, who for some reason loses the impersonation permission once or twice a day (the command is below).

***
Add-ADPermission -Identity (Get-User -Identity "User5").DistinguishedName -User (Get-User -Identity "Imp-user").Identity -ExtendedRights ms-Exch-EPI-May-Impersonate
***

I know that it's (lost) removed because all of a sudden the impersonation stops working, and if I run the same command again it acts like it was never configured before:

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
User5       Imp-User                    False False     ms-Exch-EPI-May-Impersonate

And if I run the command again I get

"WARNING: Appropriate ACE is already present on object"


while if I run it after the impersonation stops working, it shows again the

User5       Imp-User                    False False     ms-Exch-EPI-May-Impersonate
Question by:Tufin

Expert Comment

by:Simon Butler (Sembee)
ID: 39630722
Check permission inheritance is enabled on the user object in ADUC to begin with. I have seen some odd things happen if that is missing.

Simon.

Author Comment

by:Tufin
ID: 39630748
Where can I check that?

Author Comment

by:Tufin
ID: 39630755
And what exactly can change those permissions?

Expert Comment

by:Simon Butler (Sembee)
ID: 39630879
On the security tab of the user in ADUC, there is an option to allow permission inheritance. It should be enabled.

Simon.

Author Comment

by:Tufin
ID: 39636599
Yes, it's enabled and I see that imp-user is in the security settings.

Also, I compared user5 with other users and they have imp-user permission.

PS. User5 is a domain admin. Could this affect it somehow?

Accepted Solution

by:Simon Butler (Sembee)
ID: 39638220
You shouldn't be mixing domain admin functionality with anything else.
Exchange and the domain will remove permissions from a domain admin.

You should have two accounts - a regular user account and a domain admin - the domain admin account isn't mail enabled.
Mail enabled domain admin accounts will have problems with permissions.

Simon.
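
A check for the condition the accepted answer describes, as an added example that is not part of the original thread: it reports whether the mailbox account carries the adminCount marker that Active Directory sets on members of protected groups such as Domain Admins, whether inheritance is blocked on its ACL, and whether the impersonation ACE is still present. It assumes the Exchange Management Shell on PowerShell 2.0 or later; the function name Test-ImpersonationAce is hypothetical, and User5 and Imp-user are the account names from the question.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Test-ImpersonationAce is a hypothetical helper name.
function Test-ImpersonationAce {
    param(
        [string]$Mailbox        = 'User5',     # account name from the question
        [string]$ServiceAccount = 'Imp-user'   # account name from the question
    )

    $dn    = (Get-User -Identity $Mailbox).DistinguishedName
    $entry = [ADSI]"LDAP://$dn"

    # adminCount = 1 marks an account that is (or was) a member of a protected
    # group such as Domain Admins. AD periodically overwrites the ACL of such
    # accounts with the AdminSDHolder template, dropping explicit ACEs.
    $adminCount = $entry.psbase.Properties['adminCount'].Value

    # True means inheritance is blocked on the object's security descriptor.
    $inheritanceBlocked = $entry.psbase.ObjectSecurity.AreAccessRulesProtected

    # Look for the explicit, non-deny impersonation ACE for the service account.
    $ace = Get-ADPermission -Identity $dn | Where-Object {
        ($_.User -like "*\$ServiceAccount") -and
        ($_.ExtendedRights -like 'ms-Exch-EPI-May-Impersonate') -and
        (-not $_.Deny)
    }

    New-Object PSObject -Property @{
        Mailbox            = $Mailbox
        CheckedAt          = Get-Date
        AdminCount         = $adminCount
        ProtectedAccount   = ($adminCount -eq 1)
        InheritanceBlocked = $inheritanceBlocked
        AcePresent         = ($ace -ne $null)
    }
}

# Compare the affected mailbox with one that keeps its permission.
# 'User6' is a placeholder for any unaffected mailbox.
'User5', 'User6' | ForEach-Object { Test-ImpersonationAce -Mailbox $_ } |
    Format-Table Mailbox, CheckedAt, ProtectedAccount, InheritanceBlocked, AcePresent -AutoSize
```

Running it on a schedule and logging the output shows when AcePresent flips to False, which can then be matched against the account's group membership.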

Author Closing Comment

by:Tufin
ID: 39655797
Fixed it... thanks