Overview
- This article shares the instructions for configuring permissions for user impersonation rights to run Personal Filter List Migration Tool after upgrading VIPRE Email Security to GFI MailEssentials.
- The Personal Filter List Migration Tool imports the allowed and blocked email addresses which users defined in their respective mailboxes.
- Since the tool needs to access the mailboxes on the Microsoft Exchange server, specific permissions are required.
- These user permissions allow the tool to access all mailboxes.
-
Important Note: If you are unsure about securely performing the steps mentioned in this article, always make a backup before making any changes or reach out to support for more help.
Environment
- GFI MailEssentials 2012 Service Release 3
- Upgrades from VIPRE Email Security
Information
Please follow the steps below depending on the version of Microsoft Exchange installed:
Microsoft Exchange 2007 or 2010
- The user which was configured with impersonation rights in the VIPRE Email Security configuration can be used to run Personal Filter List Migration Tool.
- If this user has been deleted or needs to be re-created, please follow the instructions below:
- Create a new user without administrative privileges.
- Set a complex password for strong security.
- Open the Microsoft Exchange Management Shell.
- Create a new management scope as seen below which groups all recipients that have a mailbox:
New-ManagementScope -name <scope name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
- Replace
<scope name>
with the name of the scope given for all user mailboxes, e.g.,user_mailboxes
. - Create a new management role which allows a particular user to have impersonation rights on a management scope:
New-ManagementRoleAssignment -name <role name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope name>
- Replace
<role name>
with the name given to the role being assigned, e.g.,impersonate_role
. - Replace
<impersonator>
with the email address of the user created in step 1. - Replace
<scope name>
with the name of the scope specified in step 4. - When the user has been assigned the necessary rights, specify the user in the In Exchange mailbox subfolder action configuration, through the Actions tab.
-
Important Note: If a management scope already exists that covers all Microsoft Exchange mailboxes, another similar scope cannot be created.
- In this case, you need to either make use of the existing scope or else use the following commands to identify and remove the current scope before creating a new one:
-
Get-ManagementScope
Remove-ManagementScope
-
Microsoft Exchange 2003
Follow these instructions to create a new user with necessary impersonation rights:
- Create a new domain user or use an existing domain user which has administrative rights. This user should have a mailbox set.
- From the Microsoft Exchange System Manager, right-click the Mailbox Store which is found under Servers > [SERVER NAME] > [STORAGE GROUP NAME].
- Select Properties.
- Open the Security tab and add the user created in Step 1 to the list. The user should have all the rights set to Allow.
- On the same tab, click the Advanced button.
- In the Permissions tab, double click an entry which has the user added in Step 4 in the Name column.
- In the next dialog, scroll to the bottom of the list and set Receive As and Send As to Allow.
- Press OK on all open dialogs to save the settings.