Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

Each management role entry on a management role represents a single cmdlet. By adding parameters to or removing parameters from a role entry, which is then added to a management role, you control whether those parameters are available on that cmdlet. For more information about management role entries in Microsoft Exchange Server 2010, see Understanding Management Roles.

You can't modify the role entries on built-in management roles.

You must use the Shell to add or remove parameters from a role entry.

Note:
This topic doesn't discuss how to modify unscoped management role entries on an unscoped management role. For more information about how to modify unscoped role entries, see Create a Role.
Caution:
To add or remove parameters from a role entry, you must use the AddParameter or RemoveParameter parameters. If you omit the AddParameter or RemoveParameter parameter when you run the Set-ManagementRoleEntry cmdlet, only the parameters you specify using the Parameters parameter will be included in the role entry. All other parameters on the role entry will be removed.

Looking for other management tasks related to roles? Check out Managing Advanced Permissions.

Prerequisites

  • If you want to add parameters to a role entry, the parameters you add must exist in the role entry in the parent role.

  • The parameters must also exist on the cmdlet you specify.

  • If you want to remove parameters from a role entry, the parameters you remove can't exist in the role entries of any child roles. You must remove the parameters from the role entries of the child roles. Use the "Use the Shell to remove one or more parameters from a role entry" procedure later in this topic to remove the parameters from the role entries of all child roles.

What Do You Want to Do?

Use the Shell to add one or more parameters to a role entry

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

To add parameters to a role entry, you need to specify the parameters you want to add using the Parameters parameter. You then need to specify the AddParameter parameter to indicate that you want to perform an add operation.

To add parameters to a role entry, use the following syntax.

Copy Code
Set-ManagementRoleEntry <role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter...> -AddParameter

This example adds the EmailAddresses and Type parameters to the Set-Mailbox cmdlet on the Recipient Administrators role.

Copy Code
Set-ManagementRoleEntry "Recipient Administrators\Set-Mailbox" -Parameters EmailAddresses, Type -AddParameter

For detailed syntax and parameter information, see Set-ManagementRoleEntry.

Use the Shell to remove one or more parameters from a role entry

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

To remove parameters from a role entry, you need to specify the parameters you want to remove using the Parameters parameter. You then need to specify the RemoveParameter parameter to indicate that you want to perform a remove operation.

To remove parameters from a role entry, use the following syntax.

Copy Code
Set-ManagementRoleEntry <role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter...> -RemoveParameter

This example removes the Port, ProtocolLoggingLevel, and SmartHostAuthMechanism parameters from the Set-SendConnector cmdlet on the Tier 1 Server Administrators role.

Copy Code
Set-ManagementRoleEntry "Tier 1 Server Administrators\Set-SendConnector" -Parameters Port, ProtocolLoggingLevel, SmartHostAuthMechanism -RemoveParameter

For detailed syntax and parameter information, see Set-ManagementRoleEntry.

Use the Shell to remove all parameters from a role entry

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

To remove all the parameters from a role entry, you need to specify the value $Null on the Parameters parameter. You don't need to include the RemoveParameters parameter.

Removing all the parameters from a role entry is most useful when you want to make only a few parameters available on a cmdlet and exclude all of the other parameters. If you don't want the role to have access to a cmdlet, remove the associated role entry from the role completely instead of just removing the parameters. For more information about how to remove a role entry from a role, see Remove a Role Entry from a Role.

Caution:
You can't undo remove operations. If you mistakenly remove all the parameters from a role entry, you must add them again manually.

To remove all the parameters from a role entry, use the following syntax.

Copy Code
Set-ManagementRoleEntry <role name>\<cmdlet> -Parameters $Null 

This example removes all the parameters from the Set-CasMailbox cmdlet on the Recipient Administrators role.

Copy Code
Set-ManagementRoleEntry "Recipient Administrators\Set-CasMailbox" -Parameters $Null 

For detailed syntax and parameter information, see Set-ManagementRoleEntry.

Use the Shell to apply a specific set of parameters

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

If you want only a specific set of parameters to be included on a role entry, specify the Parameters parameter only. Don't include the AddParameter or RemoveParameter parameters. When you specify only the Parameters parameter, only the parameters you specify in the command are included on the role entry. All other parameters are removed.

To specify a specific set of parameters, use the following syntax.

Copy Code
Set-ManagementRoleEntry <role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter...>

This example includes only the Identity, DisplayName, MissedCallNotificationEnabled, and PersonalAuthAttendantEnabled parameters on the Set-UMMailbox cmdlet on the Seattle Mail Recipients role.

Copy Code
Set-ManagementRoleEntry "Seattle Mail Recipients\Set-UMMailbox" -Parameters Identity, DisplayName, MissedCallNotificationEnabled, PersonalAutoAttendantEnabled

For detailed syntax and parameter information, see Set-ManagementRoleEntry.