Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-03-19
If you want to grant access to a cmdlet, you need to add the associated management role entry to a management role. After you add the role entry to a role, the users assigned the role will be able to access that cmdlet. For more information about management role entries in Microsoft Exchange Server 2010, see Understanding Management Roles.
You can't add role entries to built-in roles. If you want to customize roles, you must create a new role. For more information about how to create a new role, see Create a Role.
You must use the Shell to add role entries to a role.
 Note: |
|---|
| This topic doesn't discuss how to add unscoped management role entries to an unscoped management role. For more information about how to add unscoped role entries, see Add a Role Entry to an Unscoped Top-Level Role. |
Looking for other management tasks related to roles? Check out Managing Advanced Permissions.
Prerequisites
- A role entry that you want to add to a management role must
exist in that role's immediate parent management role.
- This topic makes use of pipelining. For more information about
pipelining, see Pipelining.
What Do You Want to Do?
- Use the Shell to add a single
role entry from a parent role
- Use the Shell to add a single
role entry from a parent role and include only specific
parameters
- Use the Shell to add multiple
role entries from a parent role
Note:You can't use the EMC to add a role entry to a role.
Add a single role entry from a parent role
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.
You can add a role entry to a role exactly as it appears on the parent role by using the following syntax.
 Copy Code |
|
|---|---|
Add-ManagementRoleEntry <child role name>\<cmdlet> |
|
This example adds the Set-Mailbox cmdlet to the Recipient Administrators role.
| Copy Code |
|
|---|---|
Add-ManagementRoleEntry "Recipient Administrators\Set-Mailbox" |
|
This command checks the parent role, and if the role entry exists, adds it to the child role. If the role entry already exists on the child role, you can include the Overwrite parameter to overwrite the existing role entry.
For detailed syntax and parameter information, see Add-ManagementRoleEntry.
Add a single role entry from a parent role and include only specific parameters
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.
If you want to add a role entry from a parent role, but you want to include only specific parameters in the role entry on the child role, use the following syntax.
| Copy Code |
|
|---|---|
Add-ManagementRoleEntry <child role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter...> |
|
This example adds the Set-Mailbox cmdlet to the Help Desk role, but includes only the DisplayName and EmailAddresses parameters in the entry on the child role.
| Copy Code |
|
|---|---|
Add-ManagementRoleEntry "Help Desk\Set-Mailbox" -Parameters DisplayName, EmailAddresses |
|
This command checks the parent role, and if the role entry exists, adds it to the child role. If the role entry already exists on the child role, you can include the Overwrite parameter to overwrite the existing role entry.
For detailed syntax and parameter information, see Add-ManagementRoleEntry.
Add multiple role entries from a parent role
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.
If you want to add more than one role entry to a role, you need to retrieve a list of role entries that exist on the parent role that you want to add to the child role, and then add them to the child role. To do this, you retrieve the list of role entries on a parent role by using the Get-ManagementRoleEntry cmdlet. Then you pipe the output of the Get-ManagementRoleEntry cmdlet to the Add-ManagementRoleEntry cmdlet. To retrieve multiple role entries, you need to use the wildcard character (*).
To add multiple entries from a parent role to a child role, use the following syntax.
| Copy Code |
|
|---|---|
Get-ManagementRoleEntry <parent role name>\*<partial cmdlet name>* | Add-ManagementRoleEntry -Role <child role name> |
|
This example adds all the role entries that contain the
string Mailbox in the cmdlet name on the Mail
Recipients parent role to the Seattle Mail Recipients child
role.
| Copy Code |
|
|---|---|
Get-ManagementRoleEntry "Mail Recipients\*Mailbox*" | Add-ManagementRoleEntry -Role "Seattle Mail Recipients" |
|
If the role entries already exist on the child role, you can include the Overwrite parameter to overwrite the existing role entries.
For more information about retrieving a list of management role entries, see View Role Entries.
For detailed syntax and parameter information, see Get-ManagementRoleEntry and Add-ManagementRoleEntry.