Exchange Permissions
This page lists the Exchange permissions that are required or recommended for K2 service accounts.
Granting Execute rights on Microsoft.PowerShell configuration
To grant accounts the Execute right on Microsoft.PowerShell, run the following command in the Exchange Management Shell:
Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI
Exchange 2007 Administrator Account
- An Exchange Administrator Account should be created and given Exchange Organization Administrator rights.
- When the Create / Disable mailbox action is selected, the wizard should be configured to Run As the Exchange Administrator account.
Exchange 2010 Impersonation Account
- A second service account, the Exchange Impersonation Account, is required for Microsoft Exchange 2010 integration. This account should be assigned the ApplicationImpersonation role so that it can impersonate users when sending meeting requests and creating tasks. Run the following command in the Exchange Command Shell to grant the impersonation right to this account:
New-ManagementRoleAssignment -Name "_suImpersonateRoleAsg" -Role ApplicationImpersonation -User "impersonation account name"
- Give this account Log on as batch job rights on the K2 server machine to be able to run Exchange events as this account.
Assigning Exchange Impersonation Rights
To assign Exchange Impersonation rights, run the following commands, replacing <ExchangeServer> with the relevant Exchange Server name and <ExServiceUser> with the name of the EXCHANGE_IMPERSONATOR account.
- Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -AccessRights GenericAll -InheritanceType Descendents
- Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation
- Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRights ms-Exch-EPI-May-Impersonate
- Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRights Send-As
- Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRights Receive-As
This Exchange Service Impersonation account makes use of an SSL Server Certificate between the K2 Server and the Exchange Server.
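The following read-only audit is an added example, not part of the original K2 documentation. It confirms which of the rights granted by the New-ManagementRoleAssignment and Add-ADPermission commands above the impersonation account actually holds. It assumes the Exchange Management Shell and the same <ExchangeServer> and <ExServiceUser> placeholders; the variable names are illustrative.

```powershell
# Added example: read-only audit; run in the Exchange Management Shell.
# Placeholders as used on this page; replace them before running.
$ExchangeServer = '<ExchangeServer>'
$ExServiceUser  = '<ExServiceUser>'

# Extended rights that the Add-ADPermission commands on this page grant.
$expected = 'ms-Exch-EPI-Impersonation', 'ms-Exch-EPI-May-Impersonate', 'Send-As', 'Receive-As'

$serverDn = (Get-ExchangeServer -Identity $ExchangeServer).DistinguishedName

# Allow ACEs held by the account on the server object (Deny entries excluded).
$aces = @(Get-ADPermission -Identity $serverDn -User $ExServiceUser |
          Where-Object { -not $_.Deny })

# Flatten the rights to strings; an ACE may carry several or none of each kind.
$extended = @($aces | ForEach-Object { $_.ExtendedRights } |
              Where-Object { $_ } | ForEach-Object { "$_" })
$access   = @($aces | ForEach-Object { $_.AccessRights } |
              Where-Object { $_ } | ForEach-Object { "$_" })

$report = foreach ($right in $expected) {
    [pscustomobject]@{ Check = $right; Present = ($extended -contains $right) }
}

# GenericAll is full control over the server object and its descendants,
# so it is reported separately for review.
$report += [pscustomobject]@{
    Check   = 'GenericAll'
    Present = [bool]($access -match 'GenericAll')
}

# RBAC side: the ApplicationImpersonation role assignment for the account.
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
                 -RoleAssignee $ExServiceUser)
$report += [pscustomobject]@{
    Check   = 'ApplicationImpersonation role'
    Present = ($assignments.Count -gt 0)
}

$report | Format-Table -AutoSize

# An assignment without a custom write scope applies to every mailbox.
$assignments | Format-Table Name, RoleAssigneeName, RecipientWriteScope -AutoSize
```

Keep the output with the service account's change record, and run the script again after any permission change to detect drift.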