There are a bajillion blogs about this, but there’s also a lot of wishy-washy stuff around it. So I figured it might be worthwhile condensing it all down to what you really want to know.
The scenario is this:
You have an application (in this case Dynamics CRM) which connects to EWS and wants to use a service user to interact with mailboxes. In 2007 you’d have to grant rights, but that is, frankly, awful to manage and security is so-so. In 2010/2013, all you have to do is create a scope and assign impersonation privileges to your user for that scope.
Easy peasy!
- New-ManagementScope -Name "CRM Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "iloveexchange.com/CompanyOU/Users/CRM Users"
- New-ManagementRoleAssignment -Name:CRM -Role:ApplicationImpersonation -User:"CRM_Email_Router" -CustomRecipientWriteScope:"CRM Mailboxes"
Done and done.
As a footnote here, you can of course change the recipient type filter (read the whole shebang here: http://technet.microsoft.com/en-us/library/bb738157(v=exchg.150).aspx); you can add a server filter (-ServerRestrictionFilter) to apply the filter only to certain servers, etc.
But the usage for this particular setup is, for 90% of you, pretty simple and doesn’t have to be complex at all.
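To confirm the scope covers only the mailboxes you intended and that no impersonation assignment is wider than it should be, here is an added check that is not part of the original post. It reuses the scope, OU and service user names from the commands above and assumes it is run in the Exchange Management Shell by an account allowed to read role assignments.

```powershell
# Added example (not from the original post). Names below come from the commands above.
$scopeName = 'CRM Mailboxes'
$svcUser   = 'CRM_Email_Router'
$ou        = 'iloveexchange.com/CompanyOU/Users/CRM Users'

# 1. Show the scope as Exchange stored it; RecipientRoot should match $ou.
$scope = Get-ManagementScope -Identity $scopeName
$scope | Format-List Name, RecipientRoot, RecipientFilter

# 2. Preview exactly which recipients the scope's filter resolves to under that OU.
#    Anything unexpected here is a mailbox the service user can impersonate.
$inScope = Get-Recipient -OrganizationalUnit $ou `
    -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited
"{0} recipient(s) fall inside scope '{1}'" -f @($inScope).Count, $scopeName
$inScope | Sort-Object Name |
    Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress -AutoSize

# 3. List every assignment held by the service user, with its write scope.
Get-ManagementRoleAssignment -RoleAssignee $svcUser |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope, Enabled -AutoSize

# 4. Audit all ApplicationImpersonation assignments in the organisation and
#    flag any that are not restricted to a custom recipient scope.
$impersonation = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$unscoped = $impersonation |
    Where-Object { $_.RecipientWriteScope -ne 'CustomRecipientScope' }

if ($unscoped) {
    Write-Warning 'ApplicationImpersonation assignments without a custom recipient scope:'
    $unscoped |
        Format-Table EffectiveUserName, Name, RecipientWriteScope -AutoSize
} else {
    'All ApplicationImpersonation assignments are limited to a custom recipient scope.'
}
```

Re-run step 2 whenever accounts are moved into or out of the OU, since the scope is evaluated against current directory contents.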
Bajillion is a real word btw; look it up.
I really like your writing style, great info, regards for posting :D.
Mike, LOL, that’s quite interesting and funny. It does make life a lot easier when you don’t have to worry about IE at all. I usually check site statistics (via Google Analytics or something similar) to make sure I didn’t leave too many people out. The last company I worked at had a real estate audience. At the time about 12% were still using IE7. We decided that we would only support IE8+. If there’s enough demand/complaint, then we’d try to get it to work on 7. IE8, FF, and Chrome were still a headache then.