Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-03-19
You can change the universal security group (USG), which is located in a foreign Active Directory forest associated with a linked management role group. This can be useful if the original foreign USG is being removed, and you need to transition to a new USG. For more information about linked role groups, see Understanding Management Role Groups.
Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.
- Credentials You must have a user name
and password that can access the foreign Active Directory forest.
This information is used with the LinkedCredential parameter
on the Set-RoleGroup cmdlet.
- Domain controller You must have the
fully qualified domain name (FQDN) of an Active Directory domain
controller in the foreign Active Directory forest. This information
is used with the LinkedDomainController parameter on the
- Foreign USG You must have the full name
of a USG in the foreign Active Directory forest that contains the
members you want to associate with the linked role group. This
information is used with the LinkedForeignGroup parameter on
the Set-RoleGroup cmdlet.
Use the Shell to change the foreign USG on a linked role group
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
|You can't use the EMC to change the foreign USG on a linked role group.|
To change the foreign USG associated with a linked role group, do the following:
- Store the foreign Active Directory forest credentials in a
$ForeignCredential = Get-Credential
- Create the new linked role group using the following
Set-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign
Active Directory forest. These credentials are used to connect to
the DC01.users.contoso.com domain controller in the foreign
- Changes the foreign USG on the Compliance Role Group role group
to Regulatory Compliance Officers.
$ForeignCredential = Get-Credential Set-RoleGroup "Compliance Role Group" -LinkedForeignGroup "Regulatory Compliance Officers" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential
For detailed syntax and parameter information, see Set-RoleGroup.
After you change the foreign USG on a linked role group, you may also want to: