Creating an AD group and limiting the scope of the impersonation user

Learn how to create an AD group and limit the scope of the impersonation user.

There are many ways to organize users and groups in Active Directory and to configure a Microsoft Exchange organization, so this documentation cannot cover the subject in full. Instead, we illustrate one possible way to restrict the impersonation scope to a single group of users.

  1. Activate the Advanced Features view in the "Active Directory Users and Computers" Microsoft Management Console (MMC).

  2. Create a new group in an Organizational Unit (OU) in the directory tree.

  3. Get the Distinguished Name of the group.

  4. Use the distinguished name of the created group to create a Management Scope, and use this Management Scope to restrict the role of the impersonation user as sketched in the topic Creating a technical user and configuring the impersonation for connector SE on Exchange Server 2010.

Alternatively you can use the Exchange Management Shell to create the group and assign the scope to the impersonation role.

Step A – create the group

New-ADGroup -Name "Aurea CRM Users" -GroupScope Universal -Path "CN=Users,DC=exlab01,DC=local"

Step B – determine the distinguished name of the group

Get-ADGroup "Aurea CRM Users"

Step C – create the scope

New-ManagementScope -Name "Aurea CRM" -RecipientRestrictionFilter {MemberofGroup -eq "CN=Aurea CRM Users,CN=Users,DC=exlab01,DC=local"}

Step D – create the impersonation role and assign the scope

New-ManagementRoleAssignment -Name "Aurea CRM Connector" -Role:ApplicationImpersonation -User "EXLAB01\ExConn01" -CustomRecipientWriteScope "Aurea CRM"
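After steps A to D, it is worth confirming that the scope really limits the impersonation user and that no other ApplicationImpersonation assignment is still organization-wide. The following Exchange Management Shell script is an added example, not part of the original documentation; it assumes the group, scope and user names used in the steps above.

```powershell
# Added verification script (assumes the names from steps A-D above).
$groupName = "Aurea CRM Users"
$scopeName = "Aurea CRM"
$impUser   = "EXLAB01\ExConn01"

# 1. Show the assignment for the impersonation user and the scope applied to it.
#    RecipientWriteScope should read "CustomRecipientScope", not "Organization".
Get-ManagementRoleAssignment -RoleAssignee $impUser -Role ApplicationImpersonation |
    Format-List Name, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope

# 2. Show the filter stored in the management scope and the DN it points to.
$scope = Get-ManagementScope $scopeName
$scope | Format-List Name, RecipientFilter

# 3. Preview which recipients actually fall inside the scope. These are the only
#    mailboxes the connector user will be allowed to impersonate.
Write-Host "Recipients inside scope '$scopeName':"
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
    Select-Object Name, PrimarySmtpAddress

# 4. Cross-check against the AD group itself; every member with a mailbox should
#    appear in the preview above, and nobody else.
Write-Host "Members of AD group '$groupName':"
Get-ADGroupMember $groupName | Select-Object Name, SamAccountName

# 5. Flag any ApplicationImpersonation assignment that has no custom recipient
#    write scope, i.e. one that can impersonate every mailbox in the organization.
$unscoped = Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { -not $_.CustomRecipientWriteScope }
if ($unscoped) {
    Write-Warning "Organization-wide impersonation assignments found:"
    $unscoped | Select-Object Name, RoleAssignee, RecipientWriteScope
} else {
    Write-Host "All ApplicationImpersonation assignments are scoped."
}
```

Run it in an Exchange Management Shell with the Active Directory module available for Get-ADGroupMember; if step 5 lists an assignment you did not expect, review it before putting the connector into production.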