Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Management role scopes determine what objects are made available to a user so that the objects can be changed using the cmdlets and parameters assigned to them. By adding a management scope, you can configure management role assignments so users can administer specific servers, databases, recipients, and other objects in your organization while being restricted from changing other objects.
Important: When you create a regular or exclusive scope, you override the write scope that's defined on the management role you're assigning. You can't override the read scope that's configured on the management role.
You can create a custom management scope and add or change a management role assignment. If you want to create a management role assignment with a prebuilt or organizational unit (OU) management scope, see Add a Role to a User or USG.
For more information about management role scopes and assignments in Microsoft Exchange Server 2010, see the following topics:
Looking for other management tasks related to scopes? Check out Managing Advanced Permissions.
Step 1: Create a custom scope
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.
Note: You can't use the EMC to create a custom scope.
To create a custom scope, choose one of the following types of scopes.
Recipient filter scope
Recipient filter-based scopes are created by using the RecipientRestrictionFilter parameter on the New-ManagementScope cmdlet. When you create a recipient filter, in addition to the recipient properties to filter, you can specify the OU in which the filter query runs. When you specify a base OU, you further restrict the write scope of the role.
For more information about management scope filters, see Understanding Management Role Scope Filters.
Use the following syntax to create a domain restriction filter scope with a base OU.
New-ManagementScope -Name <scope name> -RecipientRestrictionFilter <filter query> [-RecipientRoot <OU>]
This example creates a scope that includes all mailboxes within the contoso.com/Sales OU.
New-ManagementScope -Name "Mailboxes in Sales OU" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "contoso.com/Sales OU"
Note: You can omit the RecipientRoot parameter if you want the filter to apply to the entire implicit read scope of the management role and not just within a specific OU.
For detailed syntax and parameter information, see New-ManagementScope.
Server filter configuration scope
Server filter-based configuration scopes are created by using the ServerRestrictionFilter parameter on the New-ManagementScope cmdlet. A server filter enables you to create a scope that applies only to the servers that match the filter you specify.
For more information about management scope filters and for a list of filterable server properties, see Understanding Management Role Scope Filters.
Use the following syntax to create a server filter scope.
New-ManagementScope -Name <scope name> -ServerRestrictionFilter <filter query>
This example creates a scope that includes all the servers within the 'CN=Redmond,CN=Sites,CN=Configuration,DC=contoso,DC=com' Active Directory (AD) site.
New-ManagementScope -Name "Servers in Seattle AD site" -ServerRestrictionFilter { ServerSite -eq 'CN=Redmond,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
For detailed syntax and parameter information, see New-ManagementScope.
Server list configuration scope
Server list-based configuration scopes are created by using the ServerList parameter on the New-ManagementScope cmdlet. A server list scope enables you to create a scope that applies only to the servers you specify in a list.
Use the following syntax to create a server list scope.
New-ManagementScope -Name <scope name> -ServerList <server 1>, <server 2...>
This example creates a scope that applies only to MBX1, MBX3, and MBX5.
New-ManagementScope -Name "Mailbox servers" -ServerList MBX1,MBX3,MBX5
For detailed syntax and parameter information, see New-ManagementScope.
Database filter configuration scope
Database filter-based configuration scopes are created by using the DatabaseRestrictionFilter parameter on the New-ManagementScope cmdlet. A database filter enables you to create a scope that applies only to the databases that match the filter you specify.
Important: Role assignments associated with database scopes are applied only to users who connect to servers running Microsoft Exchange Server 2010 Service Pack 1 (SP1). If a user assigned a role assignment associated with a database scope connects to a release to manufacturing (RTM) version of Exchange 2010, the role assignment isn't applied to the user, and the user won't be granted any permissions provided by the role assignment.
For more information about management scope filters and for a list of filterable database properties, see Understanding Management Role Scope Filters.
Use the following syntax to create a database restriction filter.
New-ManagementScope -Name <scope name> -DatabaseRestrictionFilter <filter query>
This example creates a scope that includes all the databases that contain the string "Executive" in the Name property of the database.
New-ManagementScope -Name "Executive Databases" -DatabaseRestrictionFilter { Name -Like '*Executive*' }
For detailed syntax and parameter information, see New-ManagementScope.
Database list configuration scope
Database list-based configuration scopes are created by using the DatabaseList parameter on the New-ManagementScope cmdlet. A database list scope enables you to create a scope that applies only to the databases you specify in a list.
Important: Role assignments associated with database scopes are applied only to users who connect to servers running Microsoft Exchange Server 2010 Service Pack 1 (SP1). If a user assigned a role assignment associated with a database scope connects to a release to manufacturing (RTM) version of Exchange 2010, the role assignment isn't applied to the user, and the user won't be granted any permissions provided by the role assignment.
Use the following syntax to create a database list scope.
New-ManagementScope -Name <scope name> -DatabaseList <database 1>, <database 2...>
This example creates a scope that applies only to the databases Database 1, Database 2, and Database 3.
New-ManagementScope -Name "Primary databases" -DatabaseList "Database 1", "Database 2", "Database 3"
For detailed syntax and parameter information, see New-ManagementScope.
Exclusive scope
Any scope that you create with the New-ManagementScope cmdlet can be designated as an exclusive scope. To create an exclusive scope, use the same command from one of the preceding sections to create a recipient filter-based scope, server filter-based scope, server list-based scope, database filter-based scope, or database list-based scope, and add the Exclusive switch to the command.
Caution: When you create an exclusive management scope, the objects it contains become protected: only administrators whose role assignments carry an exclusive scope containing those objects can modify them. Role assignees whose assignments use regular (non-exclusive) scopes lose write access to those objects, even if their regular scopes also contain them.
This example creates an exclusive recipient filter-based scope that matches any user in the Executives department.
New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -Eq "Executives" } -Exclusive
By default, when you create an exclusive scope, you're required to acknowledge that you created an exclusive scope and that you're aware of the impact it has on existing role assignments that aren't exclusive. To suppress the warning, use the Force switch. This example creates the same scope as the previous example, but without the warning.
New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -Eq "Executives" } -Exclusive -Force
For detailed syntax and parameter information, see New-ManagementScope.
Step 2: Add or change a management role assignment
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.
Note: You can't use the EMC to add or change a management role assignment.
After you create the scope, you must add it to a new or existing management role assignment.
If you create a management scope and want to add it to a new management role assignment that you're going to create, see the following topics:
If you create a management role scope and want to add it to an existing management role assignment, see the following topics:
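The following is an added Exchange Management Shell example (not part of the original topic) that carries Step 1 and Step 2 through end to end for both a regular and an exclusive recipient scope, and checks the resulting assignments. The universal security groups "Sales Admins" and "Executive Admins", the mailbox identities "sales.user1" and "exec.user1", and the assignment names are assumptions; the built-in "Mail Recipients" role and the OU and filter values are taken from the examples above.

```powershell
# Added example; names below are assumptions for illustration only.
# Assumed USGs: "Sales Admins", "Executive Admins"; assumed mailboxes: sales.user1, exec.user1.

# Step 1 (regular scope): mailboxes under the Sales OU only.
$salesScope = New-ManagementScope -Name "Mailboxes in Sales OU" `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } `
    -RecipientRoot "contoso.com/Sales OU"

# Step 2 (regular assignment): the custom scope becomes the write scope of the
# assignment. The role's read scope is unchanged; only what Sales Admins can
# modify is narrowed to the scope.
New-ManagementRoleAssignment -Name "Mail Recipients-Sales Admins" `
    -SecurityGroup "Sales Admins" `
    -Role "Mail Recipients" `
    -CustomRecipientWriteScope $salesScope.Name

# Check which assignments can write to a mailbox inside the scope. Any
# assignment listed here, regular or exclusive, can change sales.user1.
Get-ManagementRoleAssignment -WritableRecipient "sales.user1" |
    Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Before creating an exclusive scope, record who can currently write to an
# object it will protect. Regular assignments shown here lose that access once
# the exclusive scope exists, which is the impact the Exclusive warning refers to.
Get-ManagementRoleAssignment -WritableRecipient "exec.user1" |
    Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope -AutoSize

# Step 1 (exclusive scope): the same command as above with the Exclusive switch.
$execScope = New-ManagementScope -Name "Executive Users Exclusive Scope" `
    -RecipientRestrictionFilter { Department -Eq "Executives" } `
    -Exclusive -Force

# Step 2 (exclusive assignment): exclusive scopes are attached with the
# ExclusiveRecipientWriteScope parameter rather than CustomRecipientWriteScope.
New-ManagementRoleAssignment -Name "Mail Recipients-Executive Admins" `
    -SecurityGroup "Executive Admins" `
    -Role "Mail Recipients" `
    -ExclusiveRecipientWriteScope $execScope.Name

# Confirm the protection: only assignments with an exclusive scope containing
# exec.user1 should remain in this list.
Get-ManagementRoleAssignment -WritableRecipient "exec.user1" |
    Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope -AutoSize
```

Comparing the two listings for exec.user1 before and after the exclusive scope is created shows exactly which existing regular assignments lost write access, which is the check to run before using the Force switch.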