Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

You can create a management role, change the management role entries, add a scope if needed, and then assign the role to a role assignee. You should rarely need to perform this procedure. We recommend that you check whether a built-in management role can be used instead of creating a management role. For a list of built-in management roles, see Built-in Management Roles.

For more information about management roles in Microsoft Exchange Server 2010, see Understanding Management Roles.

You must use the Shell to create management roles.

Note:
This topic doesn't discuss how to create an unscoped management role. For information about how to create an unscoped management role, see Create an Unscoped Role.

Looking for other management tasks related to roles? Check out Managing Advanced Permissions.

Steps

Here are the basic steps needed to create a management role. Each of these steps includes links to more detailed procedures:

Step 1: Use the Shell to create the management role.

Step 2: Use the Shell to change the new role's management role entries.

Step 3: Use the Shell to create a custom management role scope, if required.

Step 4: Use the Shell to assign the new management role.

Note:
You can't use the EMC to create a management role.

Step 1: Create the management role

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.

New management roles are based on existing roles. When you create a role, an existing role and its management role entries are copied to the new role. The existing role becomes the parent to the new child role. You must always choose a role that contains all the cmdlets and parameters you need to use, and then remove the ones you don't want. Child roles can't have management role entries that don’t exist in the parent role.

Use the following syntax to create the new role.

New-ManagementRole -Parent <existing role to copy> -Name <name of new role>

This example copies the Mail Recipients role and its management role entries to the Seattle Mail Recipients role.

New-ManagementRole -Parent "Mail Recipients" -Name "Seattle Mail Recipients"

For detailed syntax and parameter information, see New-ManagementRole.

Step 2: Change the new role's management role entries

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.

After you create your role, you need to change the role's entries. You can remove an entire role entry, which removes access to the associated cmdlet completely. Or, you can remove parameters from a role entry to remove access to those specific parameters on the associated cmdlet.

A child role can only contain role entries and parameters that also exist in its parent. The role you created in Step 1 already holds every entry and parameter of its parent, so there is nothing left to add; the only change you can make at this point is to remove entries or parameters. If you later need a cmdlet or parameter the parent doesn't contain, create the role again from a different parent that does.

When you change a role entry on a role, you can do one of the following:

  • Remove a single, entire role entry.

  • Remove multiple, entire role entries.

  • Remove parameters from a role entry.

To remove role entries from your new role, see Remove a Role Entry from a Role.

Step 3: Create a custom management role scope, if required

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.

Management role scopes determine the objects made available to a user to view or change using the role entries configured in Step 2. New management roles inherit the read and write management role scopes of their parent role. These are called implicit scopes. However, there may be cases where you want to change the write scope of the new role to match your business needs. When you create a custom scope, you override the implicit write scope of the role. The implicit read scope of the role doesn't change. For more information about management role scopes, see Understanding Management Role Scopes.

You can create a custom scope, create an exclusive scope, use a predefined scope, or scope an assignment to an organizational unit (OU). The new scope must be within the implicit read scope of the role. To use a predefined scope or to specify an organizational unit, skip to Step 4.

To add a custom scope to your new role, see Create a Regular or Exclusive Scope.

Step 4: Assign the new management role

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.

The final step when you create and configure a role is to assign it to a role assignee.

When you create a role assignment, you can choose to do one of the following:

  • Create the role assignment with no scope.

  • Create the role assignment with a predefined scope.

  • Create the role assignment with an OU without a domain restriction filter.

  • Create the role assignment with the custom or exclusive scope you created in Step 3.

    Note:
    You can't specify a scope when you create an assignment between a role and a management role assignment policy.
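The four steps of this topic run end to end in the Shell, as an added example that is not part of the original page. The role, scope and role group names, the City value used in the filter, and the specific cmdlets and parameters removed in Step 2 are assumptions for illustration; the role group "Seattle Help Desk" is assumed to exist already. The checks at the end show a practitioner what the finished role can and can't do before anyone is added to the role group.

```powershell
# Added example (not from the original topic). Names, filter values and the
# entries removed are assumptions; replace them with your own.
$parentRole = "Mail Recipients"
$childRole  = "Seattle Mail Recipients"
$scopeName  = "Seattle Users"          # assumed custom scope name
$roleGroup  = "Seattle Help Desk"      # assumed existing role group

# Step 1: copy the parent role and all of its role entries to a new child role.
New-ManagementRole -Parent $parentRole -Name $childRole

# Step 2: trim the copied entries. Remove-ManagementRoleEntry drops a whole
# cmdlet; Set-ManagementRoleEntry -RemoveParameter drops only named parameters.
# Entries are addressed as "<role>\<cmdlet>". The cmdlets below are assumed to
# be present in the parent; the existence check keeps the script from failing
# if your build of the parent role doesn't contain one of them.
$cmdletsToRemove = @("Add-MailboxPermission", "Remove-MailboxPermission")
foreach ($cmdlet in $cmdletsToRemove) {
    $entry = Get-ManagementRoleEntry "$childRole\$cmdlet" -ErrorAction SilentlyContinue
    if ($entry) {
        Remove-ManagementRoleEntry "$childRole\$cmdlet" -Confirm:$false
    }
}
# Keep Set-Mailbox, but take away the parameters that redirect mail flow.
Set-ManagementRoleEntry "$childRole\Set-Mailbox" `
    -Parameters ForwardingAddress, DeliverToMailboxAndForward -RemoveParameter

# Step 3: a custom recipient write scope. It must fall inside the implicit
# read scope inherited from the parent role.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter "City -eq 'Seattle'"

# Step 4: assign the child role to the role group, limited to the custom scope.
New-ManagementRoleAssignment -Name "$childRole-$roleGroup" -Role $childRole `
    -SecurityGroup $roleGroup -CustomRecipientWriteScope $scopeName

# Checks to run before handing the role group over.
# 1. Which cmdlets did the child lose relative to the parent? ("<=" marks
#    entries present in the parent but absent from the child.)
$parentEntries = (Get-ManagementRoleEntry "$parentRole\*").Name
$childEntries  = (Get-ManagementRoleEntry "$childRole\*").Name
Compare-Object -ReferenceObject $parentEntries -DifferenceObject $childEntries |
    Where-Object { $_.SideIndicator -eq "<=" } |
    Select-Object -ExpandProperty InputObject

# 2. Which parameters remain on Set-Mailbox in the child role?
(Get-ManagementRoleEntry "$childRole\Set-Mailbox").Parameters

# 3. Does the assignment carry the assignee and scope you expect?
Get-ManagementRoleAssignment -Role $childRole |
    Format-List Name, RoleAssigneeType, RoleAssigneeName, CustomRecipientWriteScope

# 4. Which recipients does the scope filter actually match? Empty output means
#    the filter is wrong, not that the scope is safe.
Get-Recipient -Filter "City -eq 'Seattle'" -ResultSize 10 | Select-Object Name, City
```

Run the four checks again whenever the parent role changes after an update, because a child role never gains entries on its own; if the parent loses an entry, the child loses it too, and the comparison in check 1 is the quickest way to see the difference.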

You can assign the new role to a role group, a role assignment policy, a user, or a universal security group (USG). For more information, see the following topics: