To migrate data from Exchange 2007, the On Demand Migration for Email (ODME) migration administrator account must have Impersonation Rights in the Exchange Organization.
Use the Add-ADPermission command in an Exchange Management Shell to grant both the ms-Exch-EPI-Impersonation and ms-Exch-EPI-May-Impersonate permissions.
For example, if the Admin account is called userName, the two commands would be:
Get-ExchangeServer | Add-ADPermission –User “DOMAIN\userName” -extendedRights ms-Exch-EPI-Impersonation -InheritanceType none
Get-MailboxDatabase | Add-ADPermission -User “DOMAIN\userName” -extendedRights ms-Exch-EPI-May-Impersonate -InheritanceType none
To grant impersonation the the ms-Exch-EPI-Impersonation permission has to be granted on at least the server that hosts the mailboxes you wisht to migrate. The ms-Exch-EPI-Impersonation permission gives the caller the ability to submit an impersonation call through the Client Access server. This command needs to be run on the CAS Server. This does not mean that the caller has permission to access any particular account. Permission to impersonate on a server is set on the security descriptor of the Server object in Active Directory. The calling account cannot be a member of any administrator group. This permission is explicitly denied to those groups.
After impersonation permissions are established on a server, the caller can be granted permission to a specific account or to any account in a mailbox database. The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts (or entire databases).
The Microsoft KB article entitled, Configuring Exchange Impersonation (Exchange Web Services), provides additional details about granting Impersonation rights in Exchange 2007.