Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

A linked management role group can be used to enable members of a universal security group (USG) in a foreign Active Directory forest to manage a Microsoft Exchange Server 2010 organization in a resource Active Directory forest. By associating a USG in a foreign forest with a linked role group, the members of that USG are granted the permissions provided by the management roles assigned to the linked role group. For more information about linked role groups, see Understanding Management Role Groups.

Important:
To add or remove users on a linked role group, you must add or remove members in the USG in the foreign Active Directory forest. You can't use the Add-RoleGroupMember, Remove-RoleGroupMember, or Update-RoleGroupMember cmdlets to change the membership of a linked role group.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

Prerequisites

  • Configuring a linked role group requires that, at a minimum, a one-way trust is established between the resource Active Directory forest in which the linked role group will reside and the foreign Active Directory forest where the users or USGs reside. The resource forest must trust the foreign forest.

  • You must have the following information about the foreign Active Directory forest:

    • Credentials   You must have a user name and password that can access the foreign Active Directory forest. This information is used with the LinkedCredential parameter on the New-RoleGroup cmdlet.

    • Domain controller   You must have the fully qualified domain name (FQDN) of an Active Directory domain controller in the foreign Active Directory forest. This information is used with the LinkedDomainController parameter on the New-RoleGroup cmdlet.

    • Foreign USG   You must have the full name of a USG in the foreign Active Directory forest that contains the members you want to associate with the linked role group. This information is used with the LinkedForeignGroup parameter on the New-RoleGroup cmdlet.

Use the Shell to create a linked role group with no scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to create a linked role group with no scope.

To create a linked role group and assign management roles to the linked role group, do the following:

  1. Store the foreign Active Directory forest credentials in a variable.

    $ForeignCredential = Get-Credential
    
  2. Create the linked role group using the following syntax.

    New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -Roles <role1, role2, role3...>
    
  3. Add or remove members to or from the foreign USG using Active Directory Users and Computers on a computer in the foreign Active Directory forest.

This example does the following:

  • Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.

  • Creates a linked role group called Compliance Role Group in the resource forest where Exchange 2010 is installed.

  • Links the new role group to the Compliance Administrators USG in the users.contoso.com foreign Active Directory forest.

  • Assigns the Transport Rules and Journaling management roles to the new linked role group.

$ForeignCredential = Get-Credential
New-RoleGroup "Compliance Role Group" -LinkedForeignGroup "Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -Roles "Transport Rules", "Journaling"

For detailed syntax and parameter information, see New-RoleGroup.

Use the Shell to create a linked role group with a custom management scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to create a linked role group with a custom management scope.

You can create linked role groups with custom recipient management scopes, custom configuration management scopes, or both. To create a linked role group and assign management roles with custom scopes to it, do the following:

  1. Store the foreign Active Directory forest credentials in a variable.

    $ForeignCredential = Get-Credential
    
  2. Create the linked role group using the following syntax.

    New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -CustomConfigWriteScope <name of configuration scope> -CustomRecipientWriteScope <name of recipient scope> -LinkedCredential $ForeignCredential -Roles <role1, role2, role3...>
    
  3. Add or remove members to or from the foreign USG using Active Directory Users and Computers on a computer in the foreign Active Directory forest.

This example does the following:

  • Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.

  • Creates a linked role group called Seattle Compliance Role Group in the resource forest where Exchange 2010 is installed.

  • Links the new role group to the Seattle Compliance Administrators USG in the users.contoso.com foreign Active Directory forest.

  • Assigns the Transport Rules and Journaling management roles to the new linked role group with the Seattle Recipients custom recipient scope.

$ForeignCredential = Get-Credential
New-RoleGroup "Seattle Compliance Role Group" -LinkedForeignGroup "Seattle Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -CustomRecipientWriteScope "Seattle Recipients" -Roles "Transport Rules", "Journaling"

For more information about management scopes, see Understanding Management Role Scopes.

For detailed syntax and parameter information, see New-RoleGroup.

Use the Shell to create a linked role group with an OU scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to create a linked role group with an organizational unit (OU) scope.

You can create linked role groups that use an OU recipient scope. To create a linked role group and assign management roles to it with an OU scope, do the following:

  1. Store the foreign Active Directory forest credentials in a variable.

    $ForeignCredential = Get-Credential
    
  2. Create the linked role group using the following syntax.

    New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -RecipientOrganizationalUnitScope <OU name> -Roles <role1, role2, role3...>
    
  3. Add or remove members to or from the foreign USG using Active Directory Users and Computers on a computer in the foreign Active Directory forest.

This example does the following:

  • Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.

  • Creates a linked role group called Executives Compliance Role Group in the resource forest where Exchange 2010 is installed.

  • Links the new role group to the Executives Compliance Administrators USG in the users.contoso.com foreign Active Directory forest.

  • Assigns the Transport Rules and Journaling management roles to the new linked role group with the OU recipient scope Executives OU.

$ForeignCredential = Get-Credential
New-RoleGroup "Executives Compliance Role Group" -LinkedForeignGroup "Executives Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -RecipientOrganizationalUnitScope "Executives OU" -Roles "Transport Rules", "Journaling"

For more information about management scopes, see Understanding Management Role Scopes.

For detailed syntax and parameter information, see New-RoleGroup.
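Because the membership of a linked role group is controlled in the foreign forest rather than in Exchange, an administrator will want to review which foreign USG each linked role group maps to, which roles it holds and with what scope, and who is in that USG. The following is an added example for the three procedures above, not code from this topic; it assumes an Exchange Management Shell session, the ActiveDirectory module (RSAT) for the foreign-forest lookup, and reuses the group and domain controller names from the examples. The function names are hypothetical.

```powershell
# Added audit example (not from this topic). Lists every linked role group in the
# resource forest, the foreign USG it is linked to, and the scope of each role
# assignment, then resolves the members of a foreign USG across the trust.

function Get-LinkedRoleGroupReport {
    # RoleGroupType is "Linked" for role groups created with -LinkedForeignGroup.
    $linkedGroups = Get-RoleGroup | Where-Object { $_.RoleGroupType -eq "Linked" }

    foreach ($group in $linkedGroups) {
        # Each management role assignment carries its own write scopes; an assignment
        # with no custom scope applies to the whole organization.
        $assignments = Get-ManagementRoleAssignment -RoleAssignee $group.Identity

        foreach ($assignment in $assignments) {
            [PSCustomObject]@{
                RoleGroup          = $group.Name
                LinkedGroup        = $group.LinkedGroup          # foreign USG as stored by Exchange
                Role               = $assignment.Role
                RecipientScopeType = $assignment.RecipientWriteScope
                RecipientScope     = $assignment.CustomRecipientWriteScope  # named scope or OU
                ConfigScope        = $assignment.CustomConfigWriteScope
            }
        }
    }
}

# Membership changes happen in the foreign forest, so review the USG there as well.
# Requires the trust described under Prerequisites; -Server and -Credential point the
# query at the foreign domain controller with the foreign credentials.
function Get-ForeignUsgMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    Get-ADGroupMember -Identity $GroupName -Server $DomainController -Credential $Credential -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

# Usage with the names from this topic's examples:
Get-LinkedRoleGroupReport | Format-Table -AutoSize
$ForeignCredential = Get-Credential
Get-ForeignUsgMembers -GroupName "Compliance Administrators" -DomainController DC01.users.contoso.com -Credential $ForeignCredential
```

Running the report after each of the three procedures shows the same linked role group with the organization-wide, custom recipient scope, or OU recipient scope assignment respectively, which is the quickest way to confirm the scope was applied as intended.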

Other Tasks