We're updating some of our product names. K2 Five is now Nintex Automation. You may see both product names in our help pages while we make this change.

Exchange Permissions

This page lists the Exchange permissions that are required or recommended for K2 service accounts.

Granting Execute rights on Microsoft.PowerShell configuration

To grant accounts the Execute right on Microsoft.PowerShell, run the following command in the Exchange Management Shell:

Set-PSSessionConfiguration Microsoft.PowerShell –ShowSecurityDescriptorUI

Assigning Exchange Impersonation Rights

To assign Exchange Impersonation rights run the following scripts, replacing <ExchangeServer> with the relevant Exchange Server name and <ExServiceUser> with the name of the EXCHANGE_IMPERSONATOR account.

Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -AccessRights GenericAll -InheritanceType Descendents
Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRight ms-Exch-EPI-Impersonation
Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRight ms-Exch-EPI-May-Impersonate
Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRights Send-As
Add-ADPermission -Identity (get-exchangeserver -identity <ExchangeServer>).DistinguishedName -User (Get-User -Identity <ExServiceUser> | select-object).identity -ExtendedRights Receive-As

This Exchange Service Impersonation account makes use of a SSL Server Certificate between the K2 Server and the Exchange Server

The Exchange Service Impersonation account should not have any administrator permissions in the Exchange Management Console