Overview
Specific permissions are required for the Microsoft Exchange server to export items into GFI Archiver. This article provides steps for setting the permissions on various versions of Exchange.
Note: If the Mailbox Folder Structure Retrieval feature is already in use, simply configure it by assigning the user the required access option.
Solution
Follow these steps to set permissions depending on the application in use:
The user mailboxes to be exported must be configured to allow access via MAPI (Messaging Application Programming Interface); this is allowed by default. This is required even if EWS is being used as the protocol to access the Microsoft Exchange server.
This setting can be checked or configured on a per-user level via: Exchange Management Console > Recipient Configuration > Mailbox > [User Account Properties] > Mailbox Features > MAPI (must be enabled).
Microsoft Exchange Server 2019, 2016, 2013 or 2010 (Using EWS)
- Open the Microsoft Exchange Management Shell on the Microsoft Exchange Server.
- Run the following PowerShell cmdlet:
New-ManagementScope -name "MAUMPolling" -recipientrestrictionfilter {recipienttype -eq "UserMailbox"}
- On completion, run the following PowerShell cmdlet, replacing administrator@domain.com with the email address of the user who needs the permissions to export:
New-ManagementRoleAssignment -name "MAExportEmails" -role:applicationimpersonation -user "administrator@domain.com" -customrecipientwritescope "MAUMPolling"
Microsoft Exchange Server 2007 SP1, SP2, SP3 (using EWS)
- Open the Microsoft Exchange Management Shell on the Microsoft Exchange server.
- Run the following Windows PowerShell cmdlet with the 'domain\user' information:
foreach ($exchangeServer in Get-ExchangeServer) { if ($exchangeServer.ServerRole -match 'ClientAccess') { Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'domain\user' -ExtendedRights ms-Exch-EPI-Impersonation } }
Example: foreach ($exchangeServer in Get-ExchangeServer) { if ($exchangeServer.ServerRole -match 'ClientAccess') { Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'master-domain\administrator' -ExtendedRights ms-Exch-EPI-Impersonation }}
Microsoft 365 (using EWS)
Follow the steps in the article about Setting Permissions for GFI Archiver in Microsoft 365 Using EWS.
Testing
After setting the permissions, follow the steps outlined in Using GFI Archiver Import/Export Tool for Importing Emails from Microsoft Exchange Mailboxes to import the mail stored in the Exchange mail store.
After a successful import, it is suggested to remove the extra permissions from the account for security purposes.
NOTE
There are no permissions to be revoked when running the Import Export Tool directly on the Microsoft® Exchange Server machine.
Importing mailboxes remotely from Microsoft® Exchange Server 2007 and later editions:
- Open the Microsoft Exchange Management Shell.
- Run the following Windows PowerShell cmdlet:
Remove-ADPermission -identity "Mailbox Store" -User "Trusted User" -AccessRights GenericAll
Replace ‘Mailbox Store’ with the name of the mailbox store that contains the mailboxes of the users and ‘Trusted User’ with the user that was previously granted full mailbox access.
Example:
Remove-ADPermission -identity "Mailbox Database" -User "master-domain\JohnSmith" -AccessRights GenericAll
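The command above removes full mailbox access granted on a mailbox store; the ApplicationImpersonation role assignment and management scope created in the EWS steps for Exchange 2010 and later are removed with their own cmdlets. The following is an added example, not GFI's own script, that audits who holds ApplicationImpersonation and then removes those two objects; it assumes the names "MAExportEmails" and "MAUMPolling" were used unchanged.

```powershell
# Added example, not GFI's own script. Run in the Exchange Management Shell
# on Exchange 2010 or later. The two names are the ones created by the
# New-ManagementScope / New-ManagementRoleAssignment cmdlets in this article.
$assignmentName = 'MAExportEmails'
$scopeName      = 'MAUMPolling'

# 1. Audit: every assignment of ApplicationImpersonation, who effectively
#    holds it, and the scope limiting which mailboxes can be impersonated.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Remove the export assignment if it still exists.
$assignment = Get-ManagementRoleAssignment |
    Where-Object { $_.Name -eq $assignmentName }
if ($assignment) {
    Remove-ManagementRoleAssignment -Identity $assignmentName -Confirm:$false
    Write-Output "Removed role assignment '$assignmentName'."
} else {
    Write-Output "Role assignment '$assignmentName' not found."
}

# 3. Remove the scope, but only when no remaining assignment references it
#    (Exchange refuses to delete a scope that is still in use).
$scope = Get-ManagementScope | Where-Object { $_.Name -eq $scopeName }
if ($scope) {
    $dependents = @(Get-ManagementRoleAssignment -CustomRecipientWriteScope $scopeName)
    if ($dependents.Count -eq 0) {
        Remove-ManagementScope -Identity $scopeName -Confirm:$false
        Write-Output "Removed management scope '$scopeName'."
    } else {
        Write-Warning "Scope '$scopeName' is still used by:"
        $dependents | Select-Object Name, RoleAssigneeName | Format-Table -AutoSize
    }
}

# 4. Verify: this should return nothing once the cleanup has succeeded.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { $_.Name -eq $assignmentName }
```

Any other entries in the step 1 listing are unrelated to this export and should be reviewed separately rather than removed by this script.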
Related Articles
- Prerequisites for Mailbox Folder Structure Retrieval
- Setting Permissions of Microsoft Exchange Mailboxes for Using GFI Archiver Mailbox Restore Tool
- Protocols Used by Import Export Tool in GFI Archiver to Access Microsoft Exchange
- Applying Necessary User Settings for Mailbox Folder Structure Retrieval in GFI Archiver
- Settings Permissions for Importing Emails from Microsoft Exchange 2010 or 2013