Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-03-19
Management role entries on a management role determine what cmdlets and parameters are available on a management role. By removing role entries or parameters on a role entry, you can restrict what users assigned the management role can perform. For more information about management role entries in Microsoft Exchange Server 2010, see Understanding Management Roles.
You must use the Shell to remove role entries from a role.
Looking for other management tasks related to roles? Check out Managing Advanced Permissions.
What Do You Want to Do?
- Use the Shell to remove a single
entire role entry from a role
- Use the Shell to remove multiple
entire role entries from a role
- Use the Shell to remove
parameters from a role entry on a role
Note: You can't use the EMC to remove a role entry from a role.
Remove a single entire role entry from a role
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.
When you remove a role entry from a role, you remove the ability for users assigned that role to access the associated cmdlet or script.
Use the following syntax to remove an entire management role entry from a role.
Copy Code | |
---|---|
Remove-ManagementRoleEntry <management role>\<management role entry> |
This example removes the Enable-MailUser cmdlet from the Seattle Server Administrators role.
Copy Code | |
---|---|
Remove-ManagementRoleEntry "Seattle Server Administrators\Enable-MailUser" |
For detailed syntax and parameter information, see Remove-ManagementRoleEntry.
Remove multiple entire role entries from a role
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.
When you remove multiple role entries from a role, you remove the ability for users assigned that role to access the associated cmdlets or scripts.
To remove multiple role entries from a role, you need to retrieve the list of role entries to remove using the Get-ManagementRoleEntry cmdlet. Then you need to pipe the output to the Remove-ManagementRoleEntry cmdlet. You can use wildcard characters with the Get-ManagementRoleEntry cmdlet to match multiple role entries. It's a good idea to use the WhatIf switch to verify that you're removing the correct role entries. Use the following syntax.
Copy Code | |
---|---|
Get-ManagementRoleEntry <management role>\<role entry with wildcard character> | Remove-ManagementRoleEntry -WhatIf |
This example removes all the role entries that contain the word journal from the Seattle Server Administrators role.
Copy Code | |
---|---|
Get-ManagementRoleEntry "Seattle Server Administrators\*Journal*" | Remove-ManagementRoleEntry -WhatIf |
When you run the command with the WhatIf switch, the cmdlet returns a list of all the role entries that would be removed. If the list looks correct, run the command again without the WhatIf switch to remove the role entries.
Copy Code | |
---|---|
Get-ManagementRoleEntry "Seattle Server Administrators\*Journal*" | Remove-ManagementRoleEntry |
For detailed syntax and parameter information, see Get-ManagementRoleEntry and Remove-ManagementRoleEntry.
Remove parameters from a role entry on a role
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.
When you remove parameters from a role entry on a role, those parameters are no longer available to users assigned the role.
Use the following syntax to remove parameters from a role entry.
Copy Code | |
---|---|
Set-ManagementRoleEntry <management role>\<role entry> -Parameters <parameter 1>,<parameter 2...> -RemoveParameter |
This example removes the MaxSafeSenders, MaxSendSize, SecondaryAddress, and UseDatabaseQuotaDefaults parameters from the Set-Mailbox role entry on the Seattle Server Administrators role.
Copy Code | |
---|---|
Set-ManagementRoleEntry "Seattle Server Adminstrators\Set-Mailbox" -Parameters MaxSafeSenders,MaxSendSize,SecondaryAddress,UseDatabaseQuotaDefaults -RemoveParameter |
For detailed syntax and parameter information, see Set-ManagementRoleEntry.