Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
A linked management role group can be used to enable members of a universal security group (USG) in a foreign Active Directory forest to manage a Microsoft Exchange Server 2010 organization in a resource Active Directory forest. By associating a USG in a foreign forest with a linked role group, the members of that USG are granted the permissions provided by the management roles assigned to the linked role group. For more information about linked role groups, see Understanding Management Role Groups.
Important: To add or remove users on a linked role group, you must add or remove members in the USG in the foreign Active Directory forest. You can't use the Add-RoleGroupMember, Remove-RoleGroupMember, or Update-RoleGroupMember cmdlets to change the membership of a linked role group.
Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.
Prerequisites
- Configuring a linked role group requires that, at a minimum, a one-way trust is established between the resource Active Directory forest in which the linked role group will reside, and the foreign Active Directory forest where the users or USGs reside. The resource forest must trust the foreign forest.
- You must have the following information about the foreign Active Directory forest:
  - Credentials: You must have a user name and password that can access the foreign Active Directory forest. This information is used with the LinkedCredential parameter on the New-RoleGroup cmdlet.
  - Domain controller: You must have the fully qualified domain name (FQDN) of an Active Directory domain controller in the foreign Active Directory forest. This information is used with the LinkedDomainController parameter on the New-RoleGroup cmdlet.
  - Foreign USG: You must have the full name of a USG in the foreign Active Directory forest that contains the members you want to associate with the linked role group. This information is used with the LinkedForeignGroup parameter on the New-RoleGroup cmdlet.
Use the Shell to create a linked role group with no scope
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note: You can't use the EMC to create a linked role group with no scope.
To create a linked role group and assign management roles to the linked role group, do the following:
- Store the foreign Active Directory forest credentials in a variable.
  $ForeignCredential = Get-Credential
- Create the linked role group using the following syntax.
  New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -Roles <role1, role2, role3...>
- Add or remove members to or from the foreign USG using Active Directory Users and Computers on a computer in the foreign Active Directory forest.
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.
- Creates a linked role group called Compliance Role Group in the resource forest where Exchange 2010 is installed.
- Links the new role group to the Compliance Administrators USG in the users.contoso.com foreign Active Directory forest.
- Assigns the Transport Rules and Journaling management roles to the new linked role group.
$ForeignCredential = Get-Credential
New-RoleGroup "Compliance Role Group" -LinkedForeignGroup "Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -Roles "Transport Rules", "Journaling"
For detailed syntax and parameter information, see New-RoleGroup.
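As an added example that is not part of the original topic, the following Exchange Management Shell script runs the example above and then verifies what was actually created, so that a group that ended up as a standard (non-linked) role group, or with roles other than the intended ones, is caught before anyone is told to use it. The names and FQDN are those of the example above; the RoleGroupType and LinkedGroup properties on Get-RoleGroup output and the -RoleAssignee and -Role parameters of Get-ManagementRoleAssignment are assumed.

```powershell
# Added example, not part of the original Exchange 2010 topic.
# Creates the linked role group from the example above, then checks what
# was actually created. The property names RoleGroupType and LinkedGroup
# on Get-RoleGroup output are assumed.

$GroupName     = "Compliance Role Group"
$ForeignGroup  = "Compliance Administrators"
$ForeignDC     = "DC01.users.contoso.com"
$ExpectedRoles = @("Transport Rules", "Journaling")

# Prompt for the foreign-forest credentials. They are used only to look up
# the foreign USG when the group is created; they are not stored in the group.
$ForeignCredential = Get-Credential

New-RoleGroup $GroupName `
    -LinkedForeignGroup $ForeignGroup `
    -LinkedDomainController $ForeignDC `
    -LinkedCredential $ForeignCredential `
    -Roles $ExpectedRoles | Out-Null

# Check 1: the group must be of type Linked. A Standard group would accept
# Add-RoleGroupMember, which is the membership path this design avoids:
# membership of a linked group lives in the foreign USG.
$rg = Get-RoleGroup $GroupName
if ($rg.RoleGroupType -ne "Linked") {
    throw "$GroupName was created as '$($rg.RoleGroupType)', not 'Linked'"
}
# LinkedGroup holds the SID of the foreign USG; record it for change control.
Write-Host "$GroupName is linked to foreign USG SID $($rg.LinkedGroup)"

# Check 2: every expected role is assigned, and nothing beyond them.
foreach ($role in $ExpectedRoles) {
    if (-not (Get-ManagementRoleAssignment -RoleAssignee $GroupName -Role $role)) {
        throw "Role '$role' is not assigned to $GroupName"
    }
}
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName)
if ($assignments.Count -ne $ExpectedRoles.Count) {
    Write-Warning ("{0} has {1} role assignments, expected {2}" -f $GroupName, $assignments.Count, $ExpectedRoles.Count)
    $assignments | Format-Table Name, Role, RecipientWriteScope, ConfigWriteScope -AutoSize
}
```

Run it from the Exchange Management Shell in the resource forest with an account that holds the "Role groups" permissions mentioned above; the foreign credentials are prompted for interactively so they never appear in the script.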
Use the Shell to create a linked role group with a custom management scope
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note: You can't use the EMC to create a linked role group with a custom management scope.
You can create linked role groups with custom recipient management scopes, custom configuration management scopes, or both. To create a linked role group and assign management roles with custom scopes to it, do the following:
- Store the foreign Active Directory forest credentials in a variable.
  $ForeignCredential = Get-Credential
- Create the linked role group using the following syntax.
  New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -CustomConfigWriteScope <name of configuration scope> -CustomRecipientWriteScope <name of recipient scope> -LinkedCredential $ForeignCredential -Roles <role1, role2, role3...>
- Add or remove members to or from the foreign USG using Active Directory Users and Computers on a computer in the foreign Active Directory forest.
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.
- Creates a linked role group called Seattle Compliance Role Group in the resource forest where Exchange 2010 is installed.
- Links the new role group to the Seattle Compliance Administrators USG in the users.contoso.com foreign Active Directory forest.
- Assigns the Transport Rules and Journaling management roles to the new linked role group with the Seattle Recipients custom recipient scope.
$ForeignCredential = Get-Credential
New-RoleGroup "Seattle Compliance Role Group" -LinkedForeignGroup "Seattle Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -CustomRecipientWriteScope "Seattle Recipients" -Roles "Transport Rules", "Journaling"
For more information about management scopes, see Understanding Management Role Scopes.
For detailed syntax and parameter information, see New-RoleGroup.
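The custom scope named in -CustomRecipientWriteScope has to exist before New-RoleGroup can reference it, and the point of the scope is only met if every role assignment on the new group actually carries it. The script below, an added example rather than code from the original topic, creates the scope if it is missing, creates the linked role group from the example above, and then checks the write scope of each assignment. The recipient filter (City -eq "Seattle") is a constructed assumption, as are the RecipientWriteScope and CustomRecipientWriteScope property names on Get-ManagementRoleAssignment output; New-ManagementScope and its -RecipientRestrictionFilter parameter are the real cmdlet and parameter.

```powershell
# Added example, not part of the original Exchange 2010 topic.
# The custom scope named in -CustomRecipientWriteScope must already exist,
# so create (or reuse) it first, then create the linked role group and
# confirm that every assignment is actually restricted to that scope.
# The recipient filter below (City -eq "Seattle") is a constructed
# assumption; use whatever attribute really identifies the recipients.

$ScopeName    = "Seattle Recipients"
$GroupName    = "Seattle Compliance Role Group"
$ForeignGroup = "Seattle Compliance Administrators"
$ForeignDC    = "DC01.users.contoso.com"
$Roles        = @("Transport Rules", "Journaling")

# Step 1: make sure the custom recipient scope exists.
if (-not (Get-ManagementScope $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter { City -eq "Seattle" } | Out-Null
}

# Step 2: create the linked role group bound to that scope.
$ForeignCredential = Get-Credential
New-RoleGroup $GroupName `
    -LinkedForeignGroup $ForeignGroup `
    -LinkedDomainController $ForeignDC `
    -LinkedCredential $ForeignCredential `
    -CustomRecipientWriteScope $ScopeName `
    -Roles $Roles | Out-Null

# Step 3: verify the scope took effect on every role assignment. An
# assignment whose RecipientWriteScope is still "Organization" would let the
# members of the foreign USG act on every recipient in the forest, not just
# the Seattle ones.
$bad = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName })
if ($bad.Count -gt 0) {
    $bad | Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
    throw "$($bad.Count) assignment(s) on $GroupName are not scoped to '$ScopeName'"
}
Write-Host "All $($Roles.Count) assignments on $GroupName are scoped to '$ScopeName'"
```

Checking the assignments rather than the group is deliberate: the scope is a property of each management role assignment, so that is where a misconfiguration would show up.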
Use the Shell to create a linked role group with an OU scope
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note: You can't use the EMC to create a linked role group with an organizational unit (OU) scope.
You can create linked role groups that use an OU recipient scope. To create a linked role group and assign management roles to it with an OU scope, do the following:
- Store the foreign Active Directory forest credentials in a variable.
  $ForeignCredential = Get-Credential
- Create the linked role group using the following syntax.
  New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -RecipientOrganizationalUnitScope <OU name> -Roles <role1, role2, role3...>
- Add or remove members to or from the foreign USG using Active Directory Users and Computers on a computer in the foreign Active Directory forest.
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.
- Creates a linked role group called Executives Compliance Role Group in the resource forest where Exchange 2010 is installed.
- Links the new role group to the Executives Compliance Administrators USG in the users.contoso.com foreign Active Directory forest.
- Assigns the Transport Rules and Journaling management roles to the new linked role group with the OU recipient scope Executives OU.
$ForeignCredential = Get-Credential
New-RoleGroup "Executives Compliance Role Group" -LinkedForeignGroup "Executives Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -RecipientOrganizationalUnitScope "Executives OU" -Roles "Transport Rules", "Journaling"
For more information about management scopes, see Understanding Management Role Scopes.
For detailed syntax and parameter information, see New-RoleGroup.
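Because the membership of every linked role group is controlled in the foreign forest rather than through Exchange RBAC, it is worth being able to list, in one place, which linked role groups exist and how far each of their assignments reaches (organization-wide, a custom scope, or an OU). The following inventory script is an added example, not part of the original topic; the property names it reads from Get-RoleGroup and Get-ManagementRoleAssignment output (RoleGroupType, LinkedGroup, Role, RecipientWriteScope, ConfigWriteScope, CustomRecipientWriteScope, RecipientOrganizationalUnitScope) are assumed.

```powershell
# Added example, not part of the original Exchange 2010 topic.
# Lists every linked role group in the organization together with the
# write scope of each of its role assignments, so that linked groups whose
# foreign USG can act organization-wide stand out. The property names read
# below are assumed.

$report = Get-RoleGroup | Where-Object { $_.RoleGroupType -eq "Linked" } | ForEach-Object {
    $group = $_
    Get-ManagementRoleAssignment -RoleAssignee $group.Name | ForEach-Object {
        # Work out what limits this assignment's recipient writes, if anything.
        $limit = switch ("$($_.RecipientWriteScope)") {
            "CustomRecipientScope" { "scope: $($_.CustomRecipientWriteScope)" }
            "OU"                   { "OU: $($_.RecipientOrganizationalUnitScope)" }
            "Organization"         { "NONE (organization-wide)" }
            default                { "$($_.RecipientWriteScope)" }
        }
        New-Object PSObject -Property @{
            RoleGroup        = $group.Name
            ForeignGroupSID  = "$($group.LinkedGroup)"
            Role             = "$($_.Role)"
            RecipientLimit   = $limit
            ConfigWriteScope = "$($_.ConfigWriteScope)"
        }
    }
}

# Full inventory, sorted by recipient limit so like assignments sit together.
$report | Sort-Object RecipientLimit | Format-Table RoleGroup, Role, RecipientLimit, ConfigWriteScope, ForeignGroupSID -AutoSize

# Flag linked groups with any organization-wide recipient write scope; for
# these, the membership of the foreign USG deserves a periodic review, since
# that membership is managed in the other forest, not through Exchange.
$report | Where-Object { $_.RecipientLimit -like "NONE*" } |
    Select-Object -Unique RoleGroup |
    ForEach-Object { Write-Warning "Linked role group '$($_.RoleGroup)' has organization-wide recipient write scope" }
```

The ForeignGroupSID column is what Exchange actually stores for the link; resolving it back to a group name requires querying the foreign forest, which the three procedures above do with the same LinkedDomainController and credentials.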
Other Tasks
After you create a linked role group, you may also want to: