Troubleshooting impersonation rights error
When you are migrating mailboxes or running data backup or restore jobs by using CodeTwo software, you get the Failed mailbox message on the Bad news card with the following information:
The account does not have permission to impersonate the requested user.
A similar error may also occur when using the Sent Items Update feature in CodeTwo Exchange Rules Pro.
This issue can be related to:
- EWS throttling in Exchange
- insufficient impersonation permissions
- inactive mailboxes on the target server.
One quick way to determine which solution works best for you is to create a new migration or backup/restore job for a single mailbox. Make sure to use the same settings as in the job that causes problems. In addition, the mailbox used in the new job needs to be one of those that failed to be migrated/backed up/restored previously. Once you run the new job and the mailbox is successfully migrated to the target server, backed up or restored, there is a high probability that the problem described in this article is caused by EWS throttling.
The limits set in the Exchange throttling policy, both in Exchange Online and on-premises Exchange server, may result in problems when too many mailboxes are being migrated concurrently. To fix that, you can try changing or disabling the limits in the throttling policy by following the steps outlined in this article.
If you are using CodeTwo migration software and the above solution doesn't work for you, reducing the number of simultaneously migrated mailboxes can also prevent throttling. The migration concurrency can be adjusted in CodeTwo software by using the Advanced settings step, accessed by editing a migration job. The default value set in the program is 5 mailboxes, so you can try to decrease it even further, e.g. to 2. On the other hand, if you have already changed this value to a higher one, for example 20, try changing it back to the default value. For more information on how this setting works, refer to the user’s manual.
To change this setting for your current migration job:
- Go to the Jobs tab.
- Select your migration job and click Edit (Fig. 1.). If it’s active, you need to stop it first.
- Go to the Advanced settings step.
- Change the value in Set the number of mailboxes that can be migrated at the same time to to a lower number, as explained earlier (Fig. 2.).
- Click Finish to save your changes.
You can now restart the migration job and see if the mailboxes in question are migrated without any issues.
If after decreasing the migration concurrency value you have noticed that the migration runs very slow, you might try increasing it again one by one, until the mailboxes start failing again. That way you can find the optimum setting for your server.
This solution does not apply to CodeTwo Office 365 Migration version 3.2.x and higher. If you are using an older version of the software, download the newest version here.
It also does not apply to CodeTwo Backup version 2.3.x and higher, in the case of Exchange Online connections. If you are configuring such a connection in the program and you get the error described in this article, be sure to download and update CodeTwo Backup to its newest version.
The admin account used in your CodeTwo migration or backup software may be lacking some impersonation permissions required to access other users' mailboxes. You can either set the required impersonation rights manually to that account (refer to this article to learn how to do so) or create a new account and let the program assign all the necessary roles to that account automatically. Whichever option you choose, use this account to reconfigure the connection used in your migration/backup/restore job that causes the problem. The links below will lead you to the relevant article on how to reconfigure a server connection in:
Once the reconfiguration is done, restart your migration/backup/restore job.
It is possible that even though you have correctly added impersonation rights manually or automatically (using the configuration wizard in our software), an error message is still displayed in the case of some users.
If this happens, you need to assign the admin account with full access permission to the affected user’s mailbox and specify that the permissions are inherited for all folders in that mailbox.
In order to do so:
- Run Exchange Management Shell.
- Type the following cmdlet:
Add-MailboxPermission -Identity "<AFFECTED USER>
" -User "<ADMIN USER> " -AccessRights FullAccess -InheritanceType All
where <AFFECTED USER> is the name of the mailbox that cannot be accessed and causes the error, while <ADMIN USER> is the name of the admin account you are using in your CodeTwo software to establish a connection to your server.
In some cases, mailboxes created on the target server are not fully active until their users sign in to Office 365 and set display language and time region of the mailbox in Outlook on the web (OWA) (Fig. 3.). In addition, you should also send a test email from the newly created mailbox.
After completing these steps, try running your migration/backup/restore job once again.