Create a Role Group

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

If you want to customize the permissions that you can assign to a group of users, create a new custom management role group. For more information about role groups in Microsoft Exchange Server 2010, see Understanding Management Role Groups.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

Prerequisites

To create a new role group, you need to know the management roles you want to assign to it.

If you're using the Exchange Management Shell to create a new role group, all other properties on a role group are optional and can be added after the role group is created. For a role group to be functional, you must add at least one management role and at least one member.

For a list of built-in roles, see Built-in Management Roles.

Use the ECP to create a role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

  1. In the Exchange Management Console (EMC), navigate to Toolbox in the console tree.

  2. In the work pane, double-click Role Based Access Control (RBAC) User Editor to open the user editor in the Exchange Control Panel (ECP).

  3. Provide credentials in the Domain\user name and Password fields for an account that has the permissions needed to open the user editor in the ECP. Click Sign in.

  4. Click the Administrator Roles tab.

  5. Click New under Role Groups.

  6. In the Name field, enter the name of the new role group.

  7. In the Description field, provide a short description of the purpose for the role group.

  8. Select one of the two following Write scope options:

    • A write scope from the drop-down box. In this box, you can select either the default write scope or a custom write scope.

    • Organizational unit: Select this option and provide an organizational unit (OU) if you want to scope this role group to an OU.

  9. In the Roles section, do the following:

    • To add one or more management roles to the role group, click Add and select the roles you want to add. You can select multiple roles at one time. Then click OK.

    • To remove one or more roles from the role group, select the roles you want to remove, and click Remove.

  10. In the Members section, do the following:

    • To add one or more members to the role group, click Add and select the mailboxes, role groups or universal security groups (USGs) you want to add. You can select multiple items at one time. Then click OK.

    • To remove one or more members, select the members you want to remove, and click Remove.

  11. When you're done, click Save to create the new role group.

Use the Shell to create a role group with no scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

To create a role group, add members to it, and specify the users who can delegate it to other users, use the following syntax.

New-RoleGroup -Name <role group name> -Roles <roles to assign> -Members <member1, member2, member3, ...> -ManagedBy <user1, user2, user3...>

This example creates a role group that's assigned the Transport Rules and Journaling management roles, has Joe, John, and David as members, and can be delegated by David and Chris.

New-RoleGroup -Name "Compliance Role Group" -Roles "Transport Rules", "Journaling" -Members Joe, John, David -ManagedBy David, Chris

For detailed syntax and parameter information, see New-RoleGroup.

Use the Shell to create a role group with a custom recipient scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

You can create role groups with custom recipient management scopes, custom configuration management scopes, or both. To create a new role group that uses a custom management scope that you created, use the following syntax.

New-RoleGroup -Name <role group name> -Roles <roles to assign> -CustomRecipientWriteScope <recipient scope name> -CustomConfigWriteScope <configuration scope name>

This example creates a new role group that's assigned the Transport Rules and Journaling management roles and uses the Seattle Recipients recipient scope.

New-RoleGroup -Name "Seattle Compliance Group" -Roles "Transport Rules", "Journaling" -CustomRecipientWriteScope "Seattle Recipients"

You can also add members to the role group when you create it by using the Members parameter as shown in Use the Shell to create a role group with no scope earlier in this topic. For more information about management scopes, see Understanding Management Role Scopes.

For detailed syntax and parameter information, see New-RoleGroup.

Use the Shell to create a role group with an OU scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

To create a role group that's scoped to a specific OU, use the following syntax.

New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

This example creates a role group that allows management only of recipients in the Vancouver Office OU.

New-RoleGroup -Name "Vancouver Office Recipients Group" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "Vancouver Office"

You can also add members to the role group when you create it by using the Members parameter as shown in Use the Shell to create a role group with no scope earlier in this topic. For more information about management scopes, see Understanding Management Role Scopes.

For detailed syntax and parameter information, see New-RoleGroup.
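
A post-creation review of the role groups created in this topic, as an added example that is not part of the original documentation: it flags a role group that is not yet functional (no role or no member) and any role assignment whose recipient write scope is organization-wide. Test-RoleGroup and New-SampleAssignment are hypothetical names, the sample objects are constructed, and the property names assume the output shape of Get-ManagementRoleAssignment.

```powershell
# Added example. Runs on PowerShell 2.0 (used by Exchange 2010), so it builds
# objects with New-Object instead of [pscustomobject].
function Test-RoleGroup {
    param(
        [string]$Name,
        [object[]]$Members = @(),       # e.g. @(Get-RoleGroupMember -Identity $Name)
        [object[]]$Assignments = @()    # e.g. @(Get-ManagementRoleAssignment -RoleAssignee $Name)
    )
    $findings = @()
    # A role group is functional only with at least one role and one member.
    if ($Assignments.Count -eq 0) { $findings += "no management role assigned" }
    if ($Members.Count -eq 0)     { $findings += "no members" }
    # Surface organization-wide recipient write scope so it is a reviewed choice.
    foreach ($a in $Assignments) {
        if ("$($a.RecipientWriteScope)" -eq "Organization") {
            $findings += "role '$($a.Role)' has organization-wide recipient write scope"
        }
    }
    New-Object PSObject -Property @{
        RoleGroup   = $Name
        NeedsReview = ($findings.Count -gt 0)
        Findings    = ($findings -join "; ")
    }
}

# Hypothetical helper: builds an object shaped like a role assignment.
function New-SampleAssignment($Role, $Scope, $CustomScope) {
    New-Object PSObject -Property @{
        Role = $Role; RecipientWriteScope = $Scope; CustomRecipientWriteScope = $CustomScope
    }
}

# Constructed sample data mirroring the three role groups created in this topic.
$sample = @(
    @{ Name = "Compliance Role Group"; Members = @("Joe", "John", "David")
       Assignments = @((New-SampleAssignment "Transport Rules" "Organization" $null),
                       (New-SampleAssignment "Journaling" "Organization" $null)) },
    @{ Name = "Seattle Compliance Group"; Members = @()   # created without -Members
       Assignments = @((New-SampleAssignment "Transport Rules" "CustomRecipientScope" "Seattle Recipients"),
                       (New-SampleAssignment "Journaling" "CustomRecipientScope" "Seattle Recipients")) },
    @{ Name = "Vancouver Office Recipients Group"; Members = @("David")   # member added later
       Assignments = @((New-SampleAssignment "Mail Recipients" "OU" $null)) }
)
$sample | ForEach-Object { $g = $_; Test-RoleGroup @g } |
    Select-Object RoleGroup, NeedsReview, Findings
```

Against a live organization, pass the output of Get-RoleGroupMember and Get-ManagementRoleAssignment -RoleAssignee for each role group instead of the sample data.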

Other Tasks

After you create a new role group, you may also want to:

 © 2010 Microsoft Corporation. All rights reserved.