Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-11-19
Use the Get-ManagementRoleAssignment cmdlet to retrieve management role assignments.
Syntax
Get-ManagementRoleAssignment [-Identity
<RoleAssignmentIdParameter>] [-ConfigWriteScope <None |
NotApplicable | OrganizationConfig | CustomConfigScope |
PartnerDelegatedTenantScope | ExclusiveConfigScope>]
[-CustomConfigWriteScope <ManagementScopeIdParameter>]
[-CustomRecipientWriteScope <ManagementScopeIdParameter>]
[-Delegating <$true | $false>] [-DomainController
<Fqdn>] [-Enabled <$true | $false>] [-Exclusive
<$true | $false>] [-ExclusiveConfigWriteScope
<ManagementScopeIdParameter>] [-ExclusiveRecipientWriteScope
<ManagementScopeIdParameter>] [-GetEffectiveUsers
<SwitchParameter>] [-Organization
<OrganizationIdParameter>] [-RecipientOrganizationalUnitScope
<OrganizationalUnitIdParameter>] [-RecipientWriteScope
<None | NotApplicable | Organization | MyGAL | Self |
MyDirectReports | OU | CustomRecipientScope | MyDistributionGroups
| MyExecutive | ExclusiveRecipientScope | MailboxICanDelegate>]
[-RoleAssigneeType <User | SecurityGroup | RoleAssignmentPolicy
| MailboxPlan | ForeignSecurityPrincipal | RoleGroup |
LinkedRoleGroup | Computer | PartnerLinkedRoleGroup>]
[-WritableDatabase <DatabaseIdParameter>] [-WritableRecipient
<GeneralRecipientIdParameter>] [-WritableServer
<ServerIdParameter>]
Get-ManagementRoleAssignment [-AssignmentMethod
<AssignmentMethod[]>] [-ConfigWriteScope <None |
NotApplicable | OrganizationConfig | CustomConfigScope |
PartnerDelegatedTenantScope | ExclusiveConfigScope>]
[-CustomConfigWriteScope <ManagementScopeIdParameter>]
[-CustomRecipientWriteScope <ManagementScopeIdParameter>]
[-Delegating <$true | $false>] [-DomainController
<Fqdn>] [-Enabled <$true | $false>] [-Exclusive
<$true | $false>] [-ExclusiveConfigWriteScope
<ManagementScopeIdParameter>] [-ExclusiveRecipientWriteScope
<ManagementScopeIdParameter>] [-GetEffectiveUsers
<SwitchParameter>] [-Organization
<OrganizationIdParameter>] [-RecipientOrganizationalUnitScope
<OrganizationalUnitIdParameter>] [-RecipientWriteScope
<None | NotApplicable | Organization | MyGAL | Self |
MyDirectReports | OU | CustomRecipientScope | MyDistributionGroups
| MyExecutive | ExclusiveRecipientScope | MailboxICanDelegate>]
[-Role <RoleIdParameter>] [-RoleAssignee
<RoleAssigneeIdParameter>] [-RoleAssigneeType <User |
SecurityGroup | RoleAssignmentPolicy | MailboxPlan |
ForeignSecurityPrincipal | RoleGroup | LinkedRoleGroup | Computer |
PartnerLinkedRoleGroup>] [-WritableDatabase
<DatabaseIdParameter>] [-WritableRecipient
<GeneralRecipientIdParameter>] [-WritableServer
<ServerIdParameter>]
Detailed Description
You can retrieve role assignments in a variety of ways including by assignment type, scope type, or name, and whether the assignment is enabled or disabled. You can also view a list of role assignments that provide access to a specified recipient, server, or database.
For more information about management role assignments, see Understanding Management Role Assignments.
You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.
Parameters
Parameter | Required | Type | Description |
---|---|---|---|
Identity | Optional | Microsoft.Exchange.Configuration.Tasks.RoleAssignmentIdParameter | The Identity parameter specifies the name of the role assignment to retrieve. If the name of the role assignment contains spaces, enclose it in quotation marks ("). If the RoleAssignee parameter is used, you can't use the Identity parameter. |
AssignmentMethod | Optional | Microsoft.Exchange.Data.Directory.SystemConfiguration.AssignmentMethod[] | The AssignmentMethod parameter specifies the type of role assignment to include in the results returned by the cmdlet. You can specify one or more of the following values: If you provide more than one value, separate each value with a comma. You must specify a value with the RoleAssignee parameter if you use the AssignmentMethod parameter. |
ConfigWriteScope | Optional | Microsoft.Exchange.Data.Directory.SystemConfiguration.ConfigWriteScopeType | The ConfigWriteScope parameter specifies the type of management configuration scope to include in the results returned by the cmdlet. The valid values are |
CustomConfigWriteScope | Optional | Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter | The CustomConfigWriteScope parameter returns only the regular role assignments that include the specified configuration-based regular scope. This parameter can only be used to retrieve regular configuration-based scopes. To retrieve a list of exclusive configuration-based scopes, use the ExclusiveConfigWriteScope parameter instead. If the scope name contains spaces, enclose it in quotation marks ("). |
CustomRecipientWriteScope | Optional | Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter | The CustomRecipientWriteScope parameter returns only the regular role assignments that include the specified recipient-based regular scope. This parameter can only be used to retrieve regular recipient-based scopes. To retrieve a list of exclusive recipient-based scopes, use the ExclusiveRecipientWriteScope parameter instead. If the scope name contains spaces, enclose it in quotation marks ("). |
Delegating | Optional | System.Boolean | The Delegating parameter specifies whether delegating or regular role assignments should be returned. By default, both delegating and regular scopes are returned. To return only delegating role assignments, specify a value of |
DomainController | Optional | Microsoft.Exchange.Data.Fqdn | The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory. |
Enabled | Optional | System.Boolean | The Enabled parameter specifies whether enabled or disabled role assignments should be returned. To return enabled role assignments, specify a value of |
Exclusive | Optional | System.Boolean | The Exclusive parameter specifies whether exclusive or regular role assignments should be returned. By default, both exclusive and regular scopes are returned. To return only exclusive role assignments, specify a value of |
ExclusiveConfigWriteScope | Optional | Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter | The ExclusiveConfigWriteScope parameter returns only the exclusive role assignments that include the specified configuration-based exclusive scope. This parameter can only be used to retrieve exclusive configuration-based scopes. To retrieve a list of regular configuration-based scopes, use the CustomConfigWriteScope parameter instead. If the scope name contains spaces, enclose it in quotation marks ("). |
ExclusiveRecipientWriteScope | Optional | Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter | The ExclusiveRecipientWriteScope parameter returns only the exclusive role assignments that include the specified recipient-based exclusive scope. This parameter can only be used to retrieve exclusive recipient-based scopes. To retrieve a list of regular recipient-based scopes, use the CustomRecipientWriteScope parameter instead. If the scope name contains spaces, enclose it in quotation marks ("). |
GetEffectiveUsers | Optional | System.Management.Automation.SwitchParameter | The GetEffectiveUsers switch specifies that the command should show the list of users in the role groups, assignment policies, or USGs associated with a role assignment. The users are effectively assigned the role assignment through their role group, assignment policy, or USG. |
Organization | Optional | Microsoft.Exchange.Configuration.Tasks.OrganizationIdParameter | This parameter is available for multi-tenant deployments. It isn't available for on-premises deployments. For more information about multi-tenant deployments, see Multi-Tenant Support. The Organization parameter specifies the organization in which you'll perform this action. This parameter doesn't accept wildcard characters, and you must use the exact name of the organization. |
RecipientOrganizationalUnitScope | Optional | Microsoft.Exchange.Configuration.Tasks.OrganizationalUnitIdParameter | The RecipientOrganizationalUnitScope parameter returns only the role assignments that include the specified organizational unit (OU). If the OU tree contains spaces, enclose it in quotation marks ("). |
RecipientWriteScope | Optional | Microsoft.Exchange.Data.Directory.SystemConfiguration.RecipientWriteScopeType | The RecipientWriteScope parameter returns only the role assignments associated with the recipient scope restriction type specified. The valid values are |
Role | Optional | Microsoft.Exchange.Configuration.Tasks.RoleIdParameter | The Role parameter returns only the role assignments associated with the specified management role. If the name of the role contains spaces, enclose it in quotation marks ("). |
RoleAssignee | Optional | Microsoft.Exchange.Configuration.Tasks.RoleAssigneeIdParameter | The RoleAssignee parameter specifies the role group, assignment policy, user, or universal security group (USG) for which you want to view role assignments. If the RoleAssignee parameter is used, you can't use the Identity parameter. By default, the command returns both direct role assignments to the role assignee, and indirect role assignments granted to a role assignee through role groups or assignment policies. If the name of the user or USG contains spaces, enclose it in quotation marks ("). |
RoleAssigneeType | Optional | Microsoft.Exchange.Data.Directory.SystemConfiguration.RoleAssigneeType | The RoleAssigneeType parameter specifies the type of role assignee to return. The valid values are |
WritableDatabase | Optional | Microsoft.Exchange.Configuration.Tasks.DatabaseIdParameter | The WritableDatabase parameter specifies the database object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the database name contains spaces, enclose it in quotation marks ("). If this parameter is used with the GetEffectiveUsers switch, all the users who can modify the database object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned. |
WritableRecipient | Optional | Microsoft.Exchange.Configuration.Tasks.GeneralRecipientIdParameter | The WritableRecipient parameter specifies the recipient object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the recipient name contains spaces, enclose it in quotation marks ("). If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the recipient object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned. |
WritableServer | Optional | Microsoft.Exchange.Configuration.Tasks.ServerIdParameter | The WritableServer parameter specifies the server object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the server object name contains spaces, enclose it in quotation marks ("). If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the server object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned. |
Input Types
To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.
Return Types
To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.
Examples
EXAMPLE 1
This example retrieves the Denver Help Desk role assignment using the Get-ManagementRoleAssignment cmdlet and pipes the output to the Format-List cmdlet. For more information about the Format-List cmdlet, see Working with Command Output.
Get-ManagementRoleAssignment "Denver Help Desk" | Format-List
EXAMPLE 2
This example retrieves all the role assignments that are enabled and have been designated as delegating role assignments.
Get-ManagementRoleAssignment -Enabled $True -Delegating $True
EXAMPLE 3
This example retrieves all the role assignments that include the MyGAL recipient-based scope restriction type.
Get-ManagementRoleAssignment -RecipientWriteScope MyGAL
EXAMPLE 4
This example retrieves all the role assignments associated with the Mail Recipients management role.
Get-ManagementRoleAssignment -Role "Mail Recipients"
EXAMPLE 5
This example retrieves a list of all the users and the role assignments that can modify the recipient Bob.
Get-ManagementRoleAssignment -WritableRecipient Bob -GetEffectiveUsers
EXAMPLE 6
This example retrieves a list of all exclusive scopes that can modify server objects that match Redmond Executive Servers. The command also lists the users who are effectively assigned the role assignments through role groups or USGs.
Get-ManagementRoleAssignment -ExclusiveConfigWriteScope "Redmond Executive Servers" -GetEffectiveUsers
EXAMPLE 7
This example retrieves all the role assignments that can modify the database Contoso Sales.
Get-ManagementRoleAssignment -WritableDatabase "Contoso Sales"
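A permissions review that combines the RoleAssigneeType, Enabled, Delegating, WritableRecipient, and GetEffectiveUsers parameters documented above, as an added example that is not part of the original topic. The helper name Add-Finding, the output path, and the finding labels are assumptions made for illustration; the selected property names are those of the role assignment objects the cmdlet returns and are not listed on this page.

```powershell
# Added example: run in the Exchange Management Shell with permission to read
# role assignments. $Recipient reuses the recipient from Example 5; $OutFile is
# an assumed output path.
$Recipient = 'Bob'
$OutFile   = '.\role-assignment-review.csv'

# Hypothetical helper: tags each role assignment with the reason it was
# collected and keeps the fields needed to review who holds what, and how.
function Add-Finding {
    param([string]$Finding)
    process {
        $_ | Select-Object @{ Name = 'Finding'; Expression = { $Finding } },
            Name, Role, RoleAssigneeName, RoleAssigneeType,
            EffectiveUserName, AssignmentMethod,
            RecipientWriteScope, ConfigWriteScope, Enabled
    }
}

$report = @(
    # Enabled assignments made directly to a user instead of through a role
    # group or assignment policy; these are easy to miss in group-based reviews.
    Get-ManagementRoleAssignment -RoleAssigneeType User -Enabled $true |
        Add-Finding 'DirectUserAssignment'

    # Enabled delegating assignments, as in Example 2.
    Get-ManagementRoleAssignment -Enabled $true -Delegating $true |
        Add-Finding 'DelegatingAssignment'

    # Every assignment that allows $Recipient to be modified, expanded to the
    # individual users who hold it through role groups or USGs.
    Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Add-Finding "CanModify:$Recipient"
)

# Persist the full result for comparison against the next review.
$report |
    Sort-Object Finding, RoleAssigneeName, EffectiveUserName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Summary: number of assignments per finding.
$report | Group-Object Finding | Select-Object Name, Count
```

Each query is piped straight into the helper so that a query returning nothing contributes no rows to the report.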