Change the Scope of Role Assignments in a Role Group

Applies to: Exchange Server 2010

Management role groups are assigned management roles, which are then associated with members of those role groups. The assignments between a role group and a management role contain management scopes, which determine what objects are made available to members of that role group. By changing a scope, you can change what objects are made available to role group members to create, change, or remove.

When a role group is created, you can specify management scopes to apply to the role group. The management scopes you specify are configured on the role assignments between the role group and the assigned management roles. After creation of the role group, the scopes on the role assignments are managed individually using the Set-ManagementRoleAssignment cmdlet. You can't manage scopes using the Set-RoleGroup cmdlet.

You can manage scopes on role assignments between a role group and management roles in bulk and individually.

For more information about management role scopes and assignments in Microsoft Exchange Server 2010, see the following topics:

Looking for other management tasks related to role groups? Check out Managing Administrator and Specialist Users.

Prerequisites

This topic uses the concepts of pipelining, the WhatIf switch, and the Format-List cmdlet. For more information, see the following topics:

Use the Shell to change the scope of all role assignments on a role group at the same time

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to change scopes.

To change the scope of all the role assignments between a role group and a set of management roles at the same time, you need to first retrieve the role assignments on the role group, and then set the new scope on each of the assignments. You can do this by using the Get-ManagementRoleAssignment cmdlet to retrieve the role assignments, and then pipe them to the Set-ManagementRoleAssignment cmdlet.

To set the scope on all of the role assignments on a role group at the same time, use the following syntax.

Get-ManagementRoleAssignment -RoleAssignee <name of role group> | Set-ManagementRoleAssignment -CustomRecipientWriteScope <recipient scope name> -CustomConfigWriteScope <configuration scope name> -RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self> -ExclusiveRecipientWriteScope <exclusive recipient scope name> -ExclusiveConfigWriteScope <exclusive configuration scope name> -RecipientOrganizationalUnitScope <organizational unit>

You use only the parameters you need to configure the scope you want to use. For example, if you want to change the recipient scope for all role assignments on the Sales Recipient Management role group to Direct Sales Employees, use the following command.

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

Note

You can use the WhatIf switch to verify that only the role assignments you want to change are changed. Run the preceding command with the WhatIf switch to verify the results, and then remove the WhatIf switch to apply the changes.
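The bulk change above can be wrapped in a record, preview, apply, and verify sequence so that a scope change never widens access unnoticed. This is an added example, not part of the original topic; it reuses the role group and scope names from the command above, and the CSV path and the $apply variable are assumptions chosen for illustration.

```powershell
# Added example. Role group and scope names come from this topic's sample command.
$roleGroup = "Sales Recipient Management"
$newScope  = "Direct Sales Employees"
$backup    = "C:\Temp\SalesRecipientMgmt-before.csv"   # assumed path
$apply     = $false   # assumed switch: set to $true only after reviewing the preview

# 1. Make sure the target scope exists before touching any assignment.
if (-not (Get-ManagementScope $newScope -ErrorAction SilentlyContinue)) {
    throw "Management scope '$newScope' was not found."
}

# 2. Record the current scopes so the change can be reviewed or reverted later.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope,
                  ConfigWriteScope, CustomConfigWriteScope |
    Export-Csv -Path $backup -NoTypeInformation

# 3. Preview: lists every assignment that would change, without changing it.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Set-ManagementRoleAssignment -CustomRecipientWriteScope $newScope -WhatIf

# 4. Apply the same command without WhatIf once the preview looks right.
if ($apply) {
    Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
        Set-ManagementRoleAssignment -CustomRecipientWriteScope $newScope

    # 5. Verify: list any assignment that did not end up on the new scope.
    #    The scope value is compared as a string (its display name).
    Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
        Where-Object { "$($_.CustomRecipientWriteScope)" -ne $newScope } |
        Format-List Name, RecipientWriteScope, CustomRecipientWriteScope
}
```

An empty result from step 5 means every role assignment on the role group now uses the new recipient write scope.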

For more information about changing management role assignments, see Change a Role Assignment.

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

Use the Shell to change the scope of individual role assignments on a role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to change scopes.

To change the scope on a role assignment between a role group and a management role, you first find the name of the role assignment, and then set the scope on the role assignment.

  1. To find the names of all the role assignments on a role group, use the following command. By piping the management role assignments to the Format-List cmdlet, you can view the full name of the assignment.

    Get-ManagementRoleAssignment -RoleAssignee <role group name> | Format-List Name
    
  2. Find the name of the role assignment you want to change. Use the name of the assignment in the next step.

  3. To set the scope on an individual assignment, use the following syntax.

    Set-ManagementRoleAssignment <role assignment name> -CustomRecipientWriteScope <recipient scope name> -CustomConfigWriteScope <configuration scope name> -RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self> -ExclusiveRecipientWriteScope <exclusive recipient scope name> -ExclusiveConfigWriteScope <exclusive configuration scope name> -RecipientOrganizationalUnitScope <organizational unit>
    

You use only the parameters you need to configure the scope you want to use. For example, if you want to change the recipient scope for the Mail Recipients_Sales Recipient Management role assignment to All Sales Employees, use the following command.

Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"

For more information about changing management role assignments, see Change a Role Assignment.

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.

Other Tasks

After you change the scope of role assignments on a role group, you may also want to: