How to check the status of the Exchange Impersonation User

  • 7019604
  • 11-Sep-2014
  • 07-Aug-2017


Retain 3.x Exchange Module


The logs say that the user does not have rights to access the email box.


The [impersonationUserName] is the impersonation user Retain uses to access Exchange mailboxes.

To check the impersonation account, run this command in Exchange Management Shell:
Get-ManagementRoleAssignment -RoleAssignee "[impersonationUserName]" -Role ApplicationImpersonation -RoleAssigneeType user

If the command line returns without any output then the user does not have rights.

To get a list of all the rights the impersonation account has:
Get-ManagementRoleAssignment -RoleAssignee "[impersonationUserName]"

To remove ApplicationImpersonation rights from a user you can use this command.
Get-ManagementRoleAssignment -RoleAssignee "[impersonationUserName]" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment

If you wish to create a new Impersonation Account user. Create a new user in Exchange and run the PowerShell script :
Give the Role a name

New-ManagementRoleAssignment –Name [ImpersonationAssignmentName] –Role ApplicationImpersonation –User


Note: The Impersonation User cannot have Administrator rights. That is a MS built-in security measure.

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2362.