Applies to: Exchange Server 2010 SP2, Exchange Server 2010 SP3

Topic Last Modified: 2015-03-09

Use the Get-RoleGroup cmdlet to retrieve a list of management role groups.

Get-RoleGroup [-Identity <RoleGroupIdParameter>] [-DomainController <Fqdn>] [-Filter <String>] [-Organization <OrganizationIdParameter>] [-ReadFromDomainController <SwitchParameter>] [-ResultSize <Unlimited>] [-ShowPartnerLinked <SwitchParameter>] [-SortBy <String>]

For more information about role groups, see Understanding Management Role Groups.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.


Parameter Required Type Description




The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory.




The Filter parameter indicates the property to be used to filter the role groups. Only the role groups that match the criteria you specify are returned.

You can filter on the LinkedGroup, ManagedBy, Members, Name, RoleGroupType, and DisplayName properties. If you create a filter using the RoleGroupType property, the only values you can use in the filter are Standard and Linked.




The Identity parameter specifies the role group to retrieve. If the name of the role group contains spaces, enclose the name in quotation marks (").

If the Identity parameter isn't specified, all role groups are returned.




This parameter is available for multi-tenant deployments. It isn't available for on-premises deployments. For more information about multi-tenant deployments, see Multi-Tenant Support.

The Organization parameter specifies the organization in which you'll perform this action. This parameter doesn't accept wildcard characters, and you must use the exact name of the organization.




The ReadFromDomainController switch specifies that the role group information should be read from a domain controller in the user's domain. If you use the Set-AdServerSettings cmdlet to include scope commands to the entire forest and don't use this switch, it's possible that the role group information is read from a global catalog with outdated information.




The ResultSize parameter specifies the maximum number of results to return. If you want to return all the role groups, use Unlimited for the value of this parameter. The default value is 1000.




This ShowPartnerLinked switch specifies whether to return built-in role groups that are of type PartnerRoleGroup. Role groups of this type are used in the cloud-based services to allow partner service providers to manage their customer organizations. These role groups can’t be edited and are therefore not shown by default.

This parameter applies to objects in the cloud-based service. It isn’t available for on-premises deployments.




The SortBy parameter specifies the attribute by which to sort the results. You can sort by only one attribute at a time. You can sort by the Name attribute.

The results are sorted in ascending order.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

This example retrieves a list of role groups.


This example retrieves the details for the Recipient Administrators role group.

Get-RoleGroup "Recipient Administrators" | Format-List

For more information about the Format-List cmdlet and pipelining, see Working with Command Output and Pipelining.

This example retrieves a list of role groups as seen by the domain controller closest to the user.

Get-RoleGroup -ReadFromDomainController

This example retrieves a list of all linked role groups and the Active Directory security identifier (SID) of the foreign universal security groups (USG) that are linked to each of them. You can then use the SIDs to find the USGs so you can modify their members.

Get-RoleGroup -Filter { RoleGroupType -Eq "Linked" } | Format-Table Name, LinkedGroup