Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Using linked management role groups in Microsoft Exchange Server 2010, you can link a role group in an Exchange 2010 resource forest with a universal security group (USG) in a foreign user forest. This is useful when you want administrators with accounts in the user forest to manage the servers running Exchange in the resource forest. For more information about linked role groups, see Understanding Management Role Groups.
By default, Exchange 2010 includes a number of built-in role groups that provide you with permissions to manage a variety of features and job functions. Each role group is tailored to provide specific permissions for each feature and job function. However, these role groups can't be linked to USGs in a foreign forest. They can only contain users and USGs from the local resource forest. Fortunately, it's possible to replicate these built-in role groups using linked role groups.
You can re-create each built-in role group as a linked role group. All of the management roles and management scopes assigned to each role group are added to the new linked role group. For more information about management roles and scopes, see the following topics:
Looking for other management tasks related to role groups? Check out Managing Administrator and Specialist Users.
Prerequisites
- Configuring a linked role group requires a one-way trust
between the resource Active Directory forest in which the linked
role group will reside, and the foreign Active Directory forest
where the users or USGs reside. The resource forest must trust the
foreign forest.
- You must have the following information about the foreign
Active Directory forest:
- Credentials You must have a user name
and password that can access the foreign Active Directory forest.
This information is used with the LinkedCredential parameter
on the New-RoleGroup cmdlet. This information is obtained by
running the Get-Credential cmdlet. The format of the user
name is domain\username.
- Domain controller You must have the
fully qualified domain name (FQDN) of an Active Directory domain
controller in the foreign Active Directory forest. This information
is used with the LinkedDomainController parameter on the
New-RoleGroup cmdlet.
- Foreign USG You must have the full name
of a USG in the foreign Active Directory forest that contains the
members you want to associate with the linked role group. This
information is used with the LinkedForeignGroup parameter on
the New-RoleGroup cmdlet.
- Credentials You must have a user name
and password that can access the foreign Active Directory forest.
This information is used with the LinkedCredential parameter
on the New-RoleGroup cmdlet. This information is obtained by
running the Get-Credential cmdlet. The format of the user
name is domain\username.
Use the Shell to create linked role groups that replicate built-in role groups
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note: |
---|
You can't use the EMC to create linked role groups that replicate built-in role groups. |
Each of the following sections shows you how to re-create each role group as a linked role group. Complete the procedures in each section to re-create all of the built-in role groups as linked role groups.
Create the Organization Management linked role group
To re-create the Organization Management role group as a linked role group, you perform a procedure that's different than the procedure used to re-create other built-in role groups. This is because the Organization Management role group has delegating role assignments between it and all of the management roles. Re-creating the delegating role assignments requires an additional step.
- Create a USG in the foreign forest that will be linked to the
Organization Management role group.
- Store the foreign Active Directory forest credentials in a
variable.
Copy Code $ForeignCredential = Get-Credential
- Store all of the roles assigned to the Organization Management
role group in a variable.
Copy Code $OrgMgmt = Get-RoleGroup "Organization Management"
- Create the Organization Management linked role group and add
the roles assigned to the built-in Organization Management role
group.
Copy Code New-RoleGroup "Organization Management - Linked" -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign ExADNoMk domain controller> -LinkedCredential $ForeignCredential -Roles $OrgMgmt.Roles
- Remove all of the regular assignments between the new
Organization Management linked role group and the My* end-user
roles.
Copy Code Get-ManagementRoleAssignment -RoleAssignee "Organization Management - Linked" -Role My* | Remove-ManagementRoleAssignment
- Add delegating role assignments between the new Organization
Management linked role group and all management roles.
Copy Code Get-ManagementRole | New-ManagementRoleAssignment -SecurityGroup "Organization Management - Linked" -Delegating
This example assumes the following values are used for each parameter:
- LinkedForeignGroup
Organization Management Administrators
-
LinkedDomainController
DC01.users.contoso.com
Using the preceding values, this example re-creates the Organization Management role group as a linked role group.
Copy Code | |
---|---|
$ForeignCredential = Get-Credential $OrgMgmt = Get-RoleGroup "Organization Management" New-RoleGroup "Organization Management - Linked" -LinkedForeignGroup "Organization Management Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -Roles $OrgMgmt.Roles Get-ManagementRoleAssignment -RoleAssignee "Organization Management - Linked" -Role My* | Remove-ManagementRoleAssignment Get-ManagementRole | New-ManagementRoleAssignment -SecurityGroup "Organization Management - Linked" -Delegating |
Create all other linked role groups
To re-create the built-in role groups (other than the Organization Management role group) as linked role groups, use the following procedure for each group.
- Create a USG in the foreign forest for each role group that
will be linked to each new role group.
- Store the foreign Active Directory forest credentials in a
variable. You only need to do this once.
Copy Code $ForeignCredential = Get-Credential
- Retrieve a list of role groups using the following cmdlet.
Copy Code Get-RoleGroup
- For each role group, other than the Organization Management
role group, do the following.
Copy Code $RoleGroup = Get-RoleGroup <name of role group to re-create> New-RoleGroup "<role group name> - Linked" -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -Roles $RoleGroup.Roles
- Repeat the preceding step for each built-in role group you want
to re-create as a linked role group.
This example assumes the following values are used for each parameter:
-
LinkedDomainController
DC01.users.contoso.com
- Built-in role groups to be re-created as linked role
groups
Recipient Management, Server Management
- Foreign group for Recipient Management linked role
group
Recipient Management Administrators
- Foreign group for Server Management linked role
group
Server Management Administrators
Using the preceding values, this example re-creates the Recipient Management and Server Management role groups as linked role groups.
Copy Code | |
---|---|
$ForeignCredential = Get-Credential Get-RoleGroup $RoleGroup = Get-RoleGroup "Recipient Management" New-RoleGroup "Recipient Management - Linked" -LinkedForeignGroup "Recipient Management Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -Roles $RoleGroup.Roles $RoleGroup = Get-RoleGroup "Server Management" New-RoleGroup "Server Management - Linked" -LinkedForeignGroup "Server Management Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -Roles $RoleGroup.Roles |
Other Tasks
After you create linked role groups, you may also want to:
- Add members to the foreign USGs using Active Directory Users
and Computers in the foreign forest.
- Remove members of built-in role groups. For more information,
see Remove
Members from a Role Group.
- Add additional roles to the new linked role groups. For more
information, see Add a Role to a Role
Group.
- Remove roles from the new linked role groups. For more
information, see Remove a Role from a
Role Group.
- Change the scopes of role assignments between the new linked
role groups and management roles. For more information, see
Change the Scope
of Role Assignments to a Role Group.
- Create additional linked role groups. For more information, see
Create a Linked
Role Group.