
What permissions are required to export emails from Microsoft Exchange into GFI Archiver?

For GFI Archiver to export items from Microsoft Exchange Server, specific permissions are required.


Microsoft Exchange Server 2013 or 2010 (using EWS)

  1. Open the Microsoft Exchange Management Shell on the Microsoft Exchange Server
  2. Run the following PowerShell cmdlet:
New-ManagementScope -name "MAUMPolling" -recipientrestrictionfilter {recipienttype -eq "UserMailbox"}
  3. On completion, run the following PowerShell cmdlet:
New-ManagementRoleAssignment -name "MAExportEmails" -role:applicationimpersonation -user "administrator@domain.com" -customrecipientwritescope "MAUMpolling"
     Example:
New-ManagementRoleAssignment -name "MAExportEmails" -role:applicationimpersonation -user "administrator@mydomain.com" -customrecipientwritescope "MAUMpolling"

Microsoft Exchange Server 2013 (using MAPI)

  1. Knowledge of the password of the destination mailbox is required and it must be entered manually when using the MailboxRestore tool.
  2. Ensure that MAPI is enabled for the destination mailbox (the following cmdlet can be used for this: Set-CASMailbox -Identity "Username" -MAPIEnabled $true)
  3. Ensure a public folder is available and the user has access to that public folder (http://technet.microsoft.com/en-us/library/jj651147(v=exchg.150).aspx)
    1. New-Mailbox -PublicFolder -Name MARPublicMailBox
    2. New-PublicFolder -Name PublicFolder -Path \
    3. Assign ownership to PublicFolder from the EAC to the users
    4. Mail-enable the public folder
  4. On the GFI Archiver server, open https://YourExchangeServerAddress/owa and install the SSL certificate to "Trusted Root Certificate Authorities"

Microsoft Exchange Server 2007 SP1, SP2, SP3 (using EWS)

  1. Open the Microsoft Exchange Management Shell on the Microsoft Exchange server
  2. Run the following Windows PowerShell cmdlet:
# Grant the impersonation right on every Client Access server
foreach ($exchangeServer in Get-ExchangeServer) {
    if ($exchangeServer.ServerRole -match 'ClientAccess') {
        Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'domain\user' -ExtendedRights ms-Exch-EPI-Impersonation
    }
}
     Example:
foreach ($exchangeServer in Get-ExchangeServer) {
    if ($exchangeServer.ServerRole -match 'ClientAccess') {
        Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'master-domain\administrator' -ExtendedRights ms-Exch-EPI-Impersonation
    }
}

Microsoft Exchange 2007 (using MAPI)

  1. Open the Microsoft Exchange Management Shell
  2. Run the following PowerShell cmdlet:
Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -AccessRights GenericAll
     Example:
Add-ADPermission -Identity "Mailbox Database" -User "master-domain\JohnSmith" -AccessRights GenericAll

Microsoft Exchange 2003 (using MAPI)

  1. Open the Microsoft Exchange System Manager
  2. Navigate to Servers > (Server Name) > (Storage Group), right-click the Mailbox Store and select Properties
  3. Select the Security tab
  4. Click the Advanced button and uncheck the Allow inheritable permissions… checkbox
  5. In the Security dialog box, select Copy
  6. Click OK to apply changes and return to the Mailbox Store Security properties
  7. In the Security tab, select Administrator from the Group or user names
  8. From the Permissions list check the Allow check boxes for Receive As and Send As
  9. Repeat steps 7 and 8 to allow Receive As and Send As permissions for:
    • Domain Admins
    • Enterprise Admins
    • Exchange Domain Servers
  10. Click OK to save settings
  11. Navigate to Start > Run, type services.msc and click OK
  12. In the Services pane, right-click Microsoft Exchange Information Store service and click Restart

Microsoft Office 365 (using EWS)

  1. Open a PowerShell session with the Azure module (if not installed, please refer to http://technet.microsoft.com/en-us/library/jj151815.aspx#bkmk_installmodule) or use the "Import-Module MSOnline" cmdlet
  2. Execute the following commands:
    • Set-ExecutionPolicy RemoteSigned
    • $O365Cred = Get-Credential
    • $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
    • Import-PSSession $O365Session
    • Connect-MsolService -Credential $O365Cred
    • Enable-OrganizationCustomization
    • New-ManagementScope -name "MAUMPolling" -recipientrestrictionfilter {recipienttype -eq "UserMailbox"}
    • New-ManagementRoleAssignment -name "MAUMPollingRA" -role:applicationimpersonation -user "administrator@mydomain.com" -customrecipientwritescope "MAUMpolling"
  3. On-premises Active Directory requirements:
    • An on-premises Active Directory is required
    • Users who are to be exported from Microsoft Office 365 must be added to the local on-premises Active Directory
    • Users in Active Directory must have the MAIL field set, and it must map to the email address of the corresponding user in Microsoft Office 365
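
A check that can be run after the ApplicationImpersonation steps for Exchange 2013/2010 and Office 365 above: it flags role assignments that are not bound to the MAUMPolling scope or that are held by a group. This is an added example, not GFI code; the function name and the sample rows are hypothetical, and the property names are those returned by Get-ManagementRoleAssignment.

```powershell
# Added example, not GFI code. Function name and sample rows are hypothetical.
function Test-ImpersonationAssignment {
    param(
        # Objects shaped like Get-ManagementRoleAssignment output
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Assignment,
        # Management scope created by the article's New-ManagementScope step
        [string]$ExpectedScope = 'MAUMPolling'
    )
    process {
        $scope = [string]$Assignment.CustomRecipientWriteScope
        if ([string]::IsNullOrEmpty($scope)) {
            $finding = 'UNSCOPED: can impersonate any mailbox'
        } elseif ($scope -ne $ExpectedScope) {    # -ne ignores case
            $finding = "Scope differs from $ExpectedScope"
        } elseif ($Assignment.RoleAssigneeType -ne 'User') {
            $finding = 'Assigned to a group: review its membership'
        } else {
            $finding = 'OK'
        }
        New-Object psobject -Property @{
            Assignment = $Assignment.Name
            Assignee   = $Assignment.RoleAssigneeName
            Scope      = $scope
            Finding    = $finding
        } | Select-Object Assignment, Assignee, Scope, Finding
    }
}

# Constructed sample rows so the logic runs without an Exchange server.
$sample = @(
    New-Object psobject -Property @{ Name = 'MAExportEmails'; RoleAssigneeName = 'administrator'; RoleAssigneeType = 'User'; CustomRecipientWriteScope = 'MAUMpolling' }
    New-Object psobject -Property @{ Name = 'LegacyImpersonation'; RoleAssigneeName = 'svc-legacy'; RoleAssigneeType = 'User'; CustomRecipientWriteScope = $null }
    New-Object psobject -Property @{ Name = 'HelpdeskImpersonation'; RoleAssigneeName = 'Helpdesk'; RoleAssigneeType = 'SecurityGroup'; CustomRecipientWriteScope = 'MAUMPolling' }
)
$sample | Test-ImpersonationAssignment | Format-Table -AutoSize

# In the Exchange Management Shell, feed live data instead:
# Get-ManagementRoleAssignment -Role ApplicationImpersonation | Test-ImpersonationAssignment
```

The MAUMPolling filter matches every user mailbox, so a result of OK means the assignment is scoped as this article configures it, not that it is narrowly scoped.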


The user mailboxes which are to be exported must be configured to be accessible via MAPI (this is allowed by default). This is required even if EWS is being used as the protocol to access Microsoft Exchange server. This setting can be checked or configured on a per-user level via: Exchange Management Console > Recipient Configuration > Mailbox > [User Account Properties] > Mailbox Features > MAPI (must be enabled).
