Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-19

Use the Get-ManagementRoleAssignment cmdlet to retrieve management role assignments.

Syntax

Get-ManagementRoleAssignment [-Identity <RoleAssignmentIdParameter>] [-ConfigWriteScope <None | NotApplicable | OrganizationConfig | CustomConfigScope | PartnerDelegatedTenantScope | ExclusiveConfigScope>] [-CustomConfigWriteScope <ManagementScopeIdParameter>] [-CustomRecipientWriteScope <ManagementScopeIdParameter>] [-Delegating <$true | $false>] [-DomainController <Fqdn>] [-Enabled <$true | $false>] [-Exclusive <$true | $false>] [-ExclusiveConfigWriteScope <ManagementScopeIdParameter>] [-ExclusiveRecipientWriteScope <ManagementScopeIdParameter>] [-GetEffectiveUsers <SwitchParameter>] [-Organization <OrganizationIdParameter>] [-RecipientOrganizationalUnitScope <OrganizationalUnitIdParameter>] [-RecipientWriteScope <None | NotApplicable | Organization | MyGAL | Self | MyDirectReports | OU | CustomRecipientScope | MyDistributionGroups | MyExecutive | ExclusiveRecipientScope | MailboxICanDelegate>] [-RoleAssigneeType <User | SecurityGroup | RoleAssignmentPolicy | MailboxPlan | ForeignSecurityPrincipal | RoleGroup | LinkedRoleGroup | Computer | PartnerLinkedRoleGroup>] [-WritableDatabase <DatabaseIdParameter>] [-WritableRecipient <GeneralRecipientIdParameter>] [-WritableServer <ServerIdParameter>]
Get-ManagementRoleAssignment [-AssignmentMethod <AssignmentMethod[]>] [-ConfigWriteScope <None | NotApplicable | OrganizationConfig | CustomConfigScope | PartnerDelegatedTenantScope | ExclusiveConfigScope>] [-CustomConfigWriteScope <ManagementScopeIdParameter>] [-CustomRecipientWriteScope <ManagementScopeIdParameter>] [-Delegating <$true | $false>] [-DomainController <Fqdn>] [-Enabled <$true | $false>] [-Exclusive <$true | $false>] [-ExclusiveConfigWriteScope <ManagementScopeIdParameter>] [-ExclusiveRecipientWriteScope <ManagementScopeIdParameter>] [-GetEffectiveUsers <SwitchParameter>] [-Organization <OrganizationIdParameter>] [-RecipientOrganizationalUnitScope <OrganizationalUnitIdParameter>] [-RecipientWriteScope <None | NotApplicable | Organization | MyGAL | Self | MyDirectReports | OU | CustomRecipientScope | MyDistributionGroups | MyExecutive | ExclusiveRecipientScope | MailboxICanDelegate>] [-Role <RoleIdParameter>] [-RoleAssignee <RoleAssigneeIdParameter>] [-RoleAssigneeType <User | SecurityGroup | RoleAssignmentPolicy | MailboxPlan | ForeignSecurityPrincipal | RoleGroup | LinkedRoleGroup | Computer | PartnerLinkedRoleGroup>] [-WritableDatabase <DatabaseIdParameter>] [-WritableRecipient <GeneralRecipientIdParameter>] [-WritableServer <ServerIdParameter>]

Detailed Description

You can retrieve role assignments in a variety of ways including by assignment type, scope type, or name, and whether the assignment is enabled or disabled. You can also view a list of role assignments that provide access to a specified recipient, server, or database.

For more information about management role assignments, see Understanding Management Role Assignments.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

Parameters

Parameter Required Type Description

Identity

Optional

Microsoft.Exchange.Configuration.Tasks.RoleAssignmentIdParameter

The Identity parameter specifies the name of the role assignment to retrieve. If the name of the role assignment contains spaces, enclose it in quotation marks ("). If the RoleAssignee parameter is used, you can't use the Identity parameter.

AssignmentMethod

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.AssignmentMethod[]

The AssignmentMethod parameter specifies the type of role assignment to include in the results returned by the cmdlet. You can specify one or more of the following values:

  • Direct

  • SecurityGroup

  • RoleGroup

  • RoleAssignmentPolicy

If you provide more than one value, separate each value with a comma.

You must specify a value with the RoleAssignee parameter if you use the AssignmentMethod parameter.

ConfigWriteScope

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.ConfigWriteScopeType

The ConfigWriteScope parameter specifies the type of management configuration scope to include in the results returned by the cmdlet. The valid values are None, OrganizationConfig, CustomConfigScope, and ExclusiveConfigScope.

CustomConfigWriteScope

Optional

Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter

The CustomConfigWriteScope parameter returns only the regular role assignments that include the specified configuration-based regular scope.

This parameter can only be used to retrieve regular configuration-based scopes. To retrieve a list of exclusive configuration-based scopes, use the ExclusiveConfigWriteScope parameter instead.

If the scope name contains spaces, enclose it in quotation marks (").

CustomRecipientWriteScope

Optional

Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter

The CustomRecipientWriteScope parameter returns only the regular role assignments that include the specified recipient-based regular scope.

This parameter can only be used to retrieve regular recipient-based scopes. To retrieve a list of exclusive recipient-based scopes, use the ExclusiveRecipientWriteScope parameter instead.

If the scope name contains spaces, enclose it in quotation marks (").

Delegating

Optional

System.Boolean

The Delegating parameter specifies whether delegating or regular role assignments should be returned.

By default, both delegating and regular scopes are returned. To return only delegating role assignments, specify a value of $True. To return only regular role assignments, specify a value of $False.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory.

Enabled

Optional

System.Boolean

The Enabled parameter specifies whether enabled or disabled role assignments should be returned. To return enabled role assignments, specify a value of $True. To return disabled role assignments, specify a value of $False.

Exclusive

Optional

System.Boolean

The Exclusive parameter specifies whether exclusive or regular role assignments should be returned.

By default, both exclusive and regular scopes are returned. To return only exclusive role assignments, specify a value of $True. To return only regular role assignments, specify a value of $False.

ExclusiveConfigWriteScope

Optional

Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter

The ExclusiveConfigWriteScope parameter returns only the exclusive role assignments that include the specified configuration-based exclusive scope.

This parameter can only be used to retrieve exclusive configuration-based scopes. To retrieve a list of regular configuration-based scopes, use the CustomConfigWriteScope parameter instead.

If the scope name contains spaces, enclose it in quotation marks (").

ExclusiveRecipientWriteScope

Optional

Microsoft.Exchange.Configuration.Tasks.ManagementScopeIdParameter

The ExclusiveRecipientWriteScope parameter returns only the exclusive role assignments that include the specified recipient-based exclusive scope.

This parameter can only be used to retrieve exclusive recipient-based scopes. To retrieve a list of regular recipient-based scopes, use the CustomRecipientWriteScope parameter instead.

If the scope name contains spaces, enclose it in quotation marks (").

GetEffectiveUsers

Optional

System.Management.Automation.SwitchParameter

The GetEffectiveUsers switch specifies that the command should show the list of users in the role groups, assignment policies, or USGs associated with a role assignment. The users are effectively assigned the role assignment through their role group, assignment policy, or USG.

Organization

Optional

Microsoft.Exchange.Configuration.Tasks.OrganizationIdParameter

This parameter is available for multi-tenant deployments. It isn't available for on-premises deployments. For more information about multi-tenant deployments, see Multi-Tenant Support.

The Organization parameter specifies the organization in which you'll perform this action. This parameter doesn't accept wildcard characters, and you must use the exact name of the organization.

RecipientOrganizationalUnitScope

Optional

Microsoft.Exchange.Configuration.Tasks.OrganizationalUnitIdParameter

The RecipientOrganizationalUnitScope parameter returns only the role assignments that include the specified organizational unit (OU). If the OU tree contains spaces, enclose it in quotation marks (").

RecipientWriteScope

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.RecipientWriteScopeType

The RecipientWriteScope parameter returns only the role assignments associated with the recipient scope restriction type specified. The valid values are None, MyGAL, Self, OU, CustomRecipientScope, MyDistributionGroups, and ExclusiveRecipientScope.

Role

Optional

Microsoft.Exchange.Configuration.Tasks.RoleIdParameter

The Role parameter returns only the role assignments associated with the specified management role. If the name of the role contains spaces, enclose it in quotation marks (").

RoleAssignee

Optional

Microsoft.Exchange.Configuration.Tasks.RoleAssigneeIdParameter

The RoleAssignee parameter specifies the role group, assignment policy, user, or universal security group (USG) for which you want to view role assignments. If the RoleAssignee parameter is used, you can't use the Identity parameter.

By default, the command returns both direct role assignments to the role assignee, and indirect role assignments granted to a role assignee through role groups or assignment policies.

If the name of the user or USG contains spaces, enclose it in quotation marks (").

RoleAssigneeType

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.RoleAssigneeType

The RoleAssigneeType parameter specifies the type of role assignee to return. The valid values are User, SecurityGroup, RoleAssignmentPolicy, ForeignSecurityPrincipal, RoleGroup, and LinkedRoleGroup.

WritableDatabase

Optional

Microsoft.Exchange.Configuration.Tasks.DatabaseIdParameter

The WritableDatabase parameter specifies the database object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the database name contains spaces, enclose it in quotation marks (").

If this parameter is used with the GetEffectiveUsers switch, all the users who can modify the database object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned.

WritableRecipient

Optional

Microsoft.Exchange.Configuration.Tasks.GeneralRecipientIdParameter

The WritableRecipient parameter specifies the recipient object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the recipient name contains spaces, enclose it in quotation marks (").

If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the recipient object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned.

WritableServer

Optional

Microsoft.Exchange.Configuration.Tasks.ServerIdParameter

The WritableServer parameter specifies the server object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the server object name contains spaces, enclose it in quotation marks (").

If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the server object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

Examples

EXAMPLE 1

This example retrieves the Denver Help Desk role assignment using the Get-ManagementRoleAssignment cmdlet and pipes the output to the Format-List cmdlet. For more information about the Format-List cmdlet, see Working with Command Output.

Copy Code
Get-ManagementRoleAssignment "Denver Help Desk" | Format-List

EXAMPLE 2

This example retrieves all the role assignments that are enabled and have been designated as delegating role assignments.

Copy Code
Get-ManagementRoleAssignment -Enabled $True -Delegating $True

EXAMPLE 3

This example retrieves all the role assignments that include the MyGAL recipient-based scope restriction type.

Copy Code
Get-ManagementRoleAssignment -RecipientWriteScope MyGAL

EXAMPLE 4

This example retrieves all the role assignments associated with the Organization Management management role.

Copy Code
Get-ManagementRoleAssignment -Role "Mail Recipients"

EXAMPLE 5

This example retrieves a list of all the users and the role assignments that can modify the recipient Bob.

Copy Code
Get-ManagementRoleAssignment -WritableRecipient Bob -GetEffectiveUsers

EXAMPLE 6

This example retrieves a list of all exclusive scopes that can modify server objects that match Redmond Executive Servers. The command also lists the users who are effectively assigned the role assignments through role groups or USGs.

Copy Code
Get-ManagementRoleAssignment -ExclusiveConfigWriteScope "Redmond Executive Servers" -GetEffectiveUsers

EXAMPLE 7

This example retrieves all the role assignments that can modify the database Contoso Sales.

Copy Code
Get-ManagementRoleAssignment -WritableDatabase "Contoso Sales"