Applies to: Exchange Online, Exchange Online Protection, Exchange Server 2016, Office 365 Security & Compliance Center

Topic Last Modified: 2016-03-31

This cmdlet is available in on-premises Exchange Server 2016 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Get-RoleGroup cmdlet to retrieve a list of management role groups.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Get-RoleGroup [-Identity <RoleGroupIdParameter>] [-DomainController <Fqdn>] [-Filter <String>] [-ReadFromDomainController <SwitchParameter>] [-ResultSize <Unlimited>] [-ShowPartnerLinked <SwitchParameter>] [-SortBy <String>]

This example retrieves a list of role groups.


This example retrieves the details for the Recipient Administrators role group.

Get-RoleGroup "Recipient Administrators" | Format-List

This example retrieves a list of role groups as seen by the domain controller closest to the user.

Get-RoleGroup -ReadFromDomainController

This example retrieves a list of all linked role groups and the Active Directory security identifier (SID) of the foreign universal security groups (USG) that are linked to each of them. You can then use the SIDs to find the USGs so you can modify their members.

Get-RoleGroup -Filter { RoleGroupType -Eq "Linked" } | Format-Table Name, LinkedGroup
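The linked role group example above can be extended into a membership check. This is an added example, not part of the original topic: the hypothetical Get-RoleGroupDrift function compares Get-RoleGroup output against an approved baseline and reports principals that were added or removed. The sample objects and the SID are constructed, and the baseline is assumed to hold members in the same string form that the Members property renders.

```powershell
# Added example (not Microsoft's code). Get-RoleGroupDrift and all sample data are hypothetical.
function Get-RoleGroupDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $RoleGroup,  # one object from Get-RoleGroup
        [Parameter(Mandatory)] [hashtable] $Baseline           # role group name -> approved principals
    )
    process {
        $name = [string]$RoleGroup.Name
        # A linked role group takes its members from a foreign USG, so its
        # Members list is not the control point: track the USG's SID instead.
        if ([string]$RoleGroup.RoleGroupType -eq 'Linked') {
            $current = @([string]$RoleGroup.LinkedGroup)
        } else {
            # Where-Object drops the single $null produced by an empty Members value.
            $current = @($RoleGroup.Members | Where-Object { $_ } | ForEach-Object { [string]$_ })
        }
        $approved = @()
        if ($Baseline.ContainsKey($name)) {
            $approved = @($Baseline[$name])
        } else {
            # A role group nobody approved is itself a finding.
            [pscustomobject]@{ RoleGroup = $name; Finding = 'NotInBaseline'; Principal = $null }
        }
        foreach ($p in $current) {
            if ($p -notin $approved) { [pscustomobject]@{ RoleGroup = $name; Finding = 'Added'; Principal = $p } }
        }
        foreach ($p in $approved) {
            if ($p -notin $current) { [pscustomobject]@{ RoleGroup = $name; Finding = 'Removed'; Principal = $p } }
        }
    }
}

# Constructed sample objects shaped like Get-RoleGroup output (Name, RoleGroupType, LinkedGroup, Members).
$sample = @(
    [pscustomobject]@{ Name = 'Recipient Administrators'; RoleGroupType = 'Standard'; LinkedGroup = $null
                       Members = @('contoso.example/Users/admin1', 'contoso.example/Users/svc-backup') }
    [pscustomobject]@{ Name = 'Partner Helpdesk'; RoleGroupType = 'Linked'; Members = @()
                       LinkedGroup = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }  # constructed SID
)
$baseline = @{ 'Recipient Administrators' = @('contoso.example/Users/admin1') }

$sample | Get-RoleGroupDrift -Baseline $baseline | Format-Table -AutoSize

# Against a live organization (requires the permissions described in this topic):
# Get-RoleGroup -ResultSize Unlimited | Get-RoleGroupDrift -Baseline $baseline
```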

For more information about role groups, see Understanding management role groups.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Role groups" entry in the Role management permissions topic.


Parameter Required Type Description




DomainController (Optional, Fqdn)

This parameter is available only in on-premises Exchange 2016.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example,




Filter (Optional, String)

The Filter parameter specifies the property to be used to filter the role groups. Only the role groups that match the criteria you specify are returned.

You can filter on the LinkedGroup, ManagedBy, Members, Name, RoleGroupType, and DisplayName properties. If you create a filter using the RoleGroupType property, the only values you can use in the filter are Standard and Linked.




Identity (Optional, RoleGroupIdParameter)

The Identity parameter specifies the role group to retrieve. If the name of the role group contains spaces, enclose the name in quotation marks (").

If the Identity parameter isn't specified, all role groups are returned.




ReadFromDomainController (Optional, SwitchParameter)

This parameter is available only in on-premises Exchange 2016.

The ReadFromDomainController switch specifies that information should be read from a domain controller in the user's domain. If you run the command Set-AdServerSettings -ViewEntireForest $true to include all objects in the forest and you don't use the ReadFromDomainController switch, it's possible that information will be read from a global catalog that has outdated information. When you use the ReadFromDomainController switch, multiple reads might be necessary to get the information. You don't have to specify a value with this switch.

By default, the recipient scope is set to the domain that hosts your Exchange servers.




ResultSize (Optional, Unlimited)

The ResultSize parameter specifies the maximum number of results to return. If you want to return all role groups that match the query, use unlimited for the value of this parameter. The default value is 1000.




ShowPartnerLinked (Optional, SwitchParameter)

This parameter is available only in the cloud-based service.

The ShowPartnerLinked switch specifies whether to return built-in role groups that are of type PartnerRoleGroup. Role groups of this type are used in the cloud-based services to allow partner service providers to manage their customer organizations. These role groups can't be edited and are therefore not shown by default.




SortBy (Optional, String)

The SortBy parameter specifies the property to sort the results by. You can sort by only one property at a time. The results are sorted in ascending order.

If the default view doesn't include the property you're sorting by, you can append the command with | Format-Table -Auto <Property1>,<Property2>... to create a new view that contains all of the properties that you want to see. Wildcards (*) in the property names are supported.

You can sort by the following properties:

  • Name

  • DisplayName

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.