You are setting up ndMail, but only a small group of users will be using it. You don't want the service account to be able to impersonate more than the designated users.
This is accomplished by creating a management scope.
For information on how to configure impersonation generally, see the ndMail Administration Guide.
How To Set Up Impersonation For Specific Users Or Groups Of Users?
To assign the ApplicationImpersonation role for specific users or groups of users, run the following commands.
- 1) Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. You can skip this step if an existing scope is available. The following example shows how to create a management scope for a specific group.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
- 2) Run the New-ManagementRoleAssignment cmdlet to configure the permission to impersonate the users of the specified scope.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
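
The two steps above, worked through for a group-based scope with a preview and a verification step, as an added example that is not part of the original article. The group, service account, scope and assignment names are placeholders chosen for illustration; substitute your own.

```powershell
# Run in the Exchange Management Shell. All names below are placeholders (assumptions).
$group  = 'ndMail-Users'               # mail-enabled group holding the ndMail users
$svc    = 'svc-ndmail'                 # ndMail service account
$scope  = 'ndMail-ImpersonationScope'  # name for the new management scope
$assign = 'ndMail-Impersonation'       # name for the new role assignment

# MemberOfGroup takes the group's distinguished name and matches direct
# members only; members of nested groups are not included.
$dn     = (Get-DistributionGroup -Identity $group).DistinguishedName
$filter = "MemberOfGroup -eq '$($dn.Replace("'", "''"))'"

# Preview which recipients the filter selects before granting anything.
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress

# Step 1: create the scope.
New-ManagementScope -Name $scope -RecipientRestrictionFilter $filter

# Step 2: assign ApplicationImpersonation to the service account,
# limited to recipients inside that scope.
New-ManagementRoleAssignment -Name $assign -Role ApplicationImpersonation `
    -User $svc -CustomRecipientWriteScope $scope

# Role assignments are additive. List every ApplicationImpersonation
# assignment for the account and confirm each one names the custom scope;
# an older assignment with RecipientWriteScope 'Organization' would still
# let the account impersonate every mailbox.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $svc |
    Format-List Name, RecipientWriteScope, CustomRecipientWriteScope
```

Any unscoped assignment found in the last step can be removed with Remove-ManagementRoleAssignment once the scoped one is in place.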