Remove a Role from an Assignment Policy

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

If you don't want end users to have permissions to manage certain features of their mailbox or distribution group, you can remove the management role that grants the permissions from the management role assignment policy the user is assigned. If other users are assigned the same assignment policy, they also lose the ability to manage that feature. For more information about assignment policies in Microsoft Exchange Server 2010, see Understanding Management Role Assignment Policies.

Looking for other management tasks related to end users? Check out Managing End Users.

Use the ECP to remove a role from an assignment policy

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Assignment policies" entry in the Role Management Permissions topic.

In the Exchange Management Console (EMC), navigate to Toolbox in the console tree.
In the work pane, double-click Role Based Access Control (RBAC) User Editor to open the user editor in the Exchange Control Panel (ECP).
Provide credentials in the Domain\user name and Password fields for an account that has the permissions needed to open the user editor in the ECP. Click Sign in.
Click the User Roles tab.
Select the assignment policy you want to remove one or more roles from, and then click Details.
Clear the check box next to the role or roles you want to remove from the assignment policy. If you clear the check box for a role that has child roles, the check boxes for the child roles are also cleared.
Click Save to save the changes to the assignment policy.

Use the Shell to remove a role from an assignment policy

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Assignment policies" entry in the Role Management Permissions topic.

You can remove roles from assignment policies by retrieving the associated management role assignment using the Get-ManagementRoleAssignment cmdlet and then piping the role assignment returned to the Remove-ManagementRoleAssignment cmdlet.

For more information about regular and delegating role assignments, see Understanding Management Role Assignments.

This procedure uses pipelining. For more information about pipelining, see Pipelining.

To remove a role from an assignment policy, use the following syntax.

	Copy Code
Get-ManagementRoleAssignment -RoleAssignee <assignment policy name> -Role <role name> \| Remove-ManagementRoleAssignment

This example removes the MyVoicemail management role, which enables users to manage their voice mail options, from the Seattle Users assignment policy.

	Copy Code
Get-ManagementRoleAssignment -RoleAssignee "Seattle Users" -Role MyVoicemail \| Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.

Other Tasks

After you remove a role from an assignment policy, you may also want to: