
I often add impersonation rights on various Windows Servers running Exchange Servers (2010, 2013) using PowerShell (New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User: <account name>).

The problem is it takes forever for those permissions to actually apply and work. Is there any way I can speed this process up?

As a workaround I simply restart the machine; however, while I can freely do that in my lab, I cannot afford this luxury in the production environment. I am looking for something like gpupdate /force that would immediately apply the impersonation rights changes.

1 Answer


Management Role assignments are stored as Universal Security Groups in Active Directory - specifically in OU=Microsoft Exchange Security Groups,DC=forestroot,DC=tld, given that your forest root FQDN is forestroot.tld.

If you have Exchange Servers in different AD sites and RBAC changes take forever to apply on servers in remote sites, you can force replication of the forest root domain's Default Naming Context in the remote sites:

repadmin /replicate remotedc01 hubdc01 "DC=forestroot,DC=tld"

If you don't mind a little replication storm, use:

repadmin /replicate remote* "DC=forestroot,DC=tld" /allsources

This will cause all domain controllers whose names start with "remote" to replicate the Default Naming Context from all replication partners.

Mathias R. Jessen
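A way to see which domain controllers already return the new assignment before or after forcing replication, as an added example that is not part of the original answer. It assumes the Exchange Management Shell with the ActiveDirectory module loaded; the parameter names are hypothetical, and `hubdc01`, `DC=forestroot,DC=tld` and `impersonationAssignmentName` are the placeholders used on this page.

```powershell
# Added example; not part of the original answer.
# Assumes the Exchange Management Shell plus the ActiveDirectory module.
param(
    [string]$AssignmentName = 'impersonationAssignmentName', # name from the question
    [string]$SourceDc       = 'hubdc01',                     # placeholder from the answer
    [string]$NamingContext  = 'DC=forestroot,DC=tld',        # placeholder from the answer
    [switch]$Replicate                                       # hypothetical switch: pull changes to lagging DCs
)

Import-Module ActiveDirectory

# Ask each domain controller in the current domain whether it can see the assignment.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $a = Get-ManagementRoleAssignment -Identity $AssignmentName `
            -DomainController $dc.HostName -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DomainController = $dc.HostName
        Site             = $dc.Site
        Visible          = [bool]$a
        Role             = $a.Role
        Assignee         = $a.RoleAssigneeName
    }
}

$results | Sort-Object Site, DomainController |
    Format-Table Site, DomainController, Visible, Role, Assignee -AutoSize

# DCs that do not yet return the assignment (the source DC itself is skipped).
$lagging = @($results | Where-Object {
    -not $_.Visible -and $_.DomainController -notlike "$SourceDc*"
})

if ($Replicate) {
    foreach ($dc in $lagging) {
        # Same command as in the answer: destination, source, naming context.
        repadmin /replicate $dc.DomainController $SourceDc $NamingContext
    }
} elseif ($lagging.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) do not return '{1}' yet." -f $lagging.Count, $AssignmentName)
}
```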