Applies to: Exchange Server 2013
Topic Last Modified: 2012-10-09
You can use a linked management role group to enable members of a universal security group (USG) in a foreign Active Directory forest to manage a Microsoft Exchange Server 2013 organization in a resource Active Directory forest. By associating a USG in a foreign forest with a linked role group, the members of that USG are granted the permissions provided by the management roles assigned to the linked role group. For more information about linked role groups, see Understanding Management Role Groups.
To create and configure linked role groups, you need to use the New-RoleGroup and Set-RoleGroup cmdlets. For detailed syntax and parameter information, see the following topics:
For additional management tasks related to role groups, see Permissions.
What do you need to know before you begin?
- Estimated time to complete each procedure: 5 to 10 minutes
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
"Role groups" entry in the Role Management
Permissions topic.
- You can’t use the Exchange Administration Center (EAC) to
create or configure linked role groups. You must use the Exchange
Management Shell.
- At a minimum, configuring a linked role group requires that a
one-way trust is established between the resource Active Directory
forest in which the linked role group will reside, and the foreign
Active Directory forest where the users or USGs reside. The
resource forest must trust the foreign forest.
- You must have the following information about the foreign
Active Directory forest:
- Credentials You must have a user name
and password that can access the foreign Active Directory forest.
This information is used with the LinkedCredential parameter
on the New-RoleGroup and Set-RoleGroup cmdlets.
- Domain controller You must have the
fully qualified domain name (FQDN) of an Active Directory domain
controller in the foreign Active Directory forest. This information
is used with the LinkedDomainController parameter on the
New-RoleGroup and Set-RoleGroup cmdlets.
- Foreign USG You must have the full name
of a USG in the foreign Active Directory forest that contains the
members you want to associate with the linked role group. This
information is used with the LinkedForeignGroup parameter on
the New-RoleGroup and Set-RoleGroup cmdlet.
- Credentials You must have a user name
and password that can access the foreign Active Directory forest.
This information is used with the LinkedCredential parameter
on the New-RoleGroup and Set-RoleGroup cmdlets.
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
Tip: |
---|
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection |
What do you want to do?
Create a linked role group
Use the Shell to create a linked role group with no scope
To create a linked role group and assign management roles to the linked role group, do the following:
- Store the foreign Active Directory forest credentials in a
variable.
Copy Code $ForeignCredential = Get-Credential
- Create the linked role group using the following syntax.
Copy Code New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -Roles <role1, role2, role3...>
- Add or remove members to or from the foreign USG using Active
Directory Users and Computers on a computer in the foreign Active
Directory forest.
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign
Active Directory forest. These credentials are used to connect to
the DC01.users.contoso.com domain controller in the foreign
forest.
- Creates a linked role group called Compliance Role Group in the
resource forest where Exchange 2013 is installed.
- Links the new role group to the Compliance Administrators USG
in the users.contoso.com foreign Active Directory forest.
- Assigns the Transport Rules and Journaling management roles to
the new linked role group.
Copy Code | |
---|---|
$ForeignCredential = Get-Credential New-RoleGroup "Compliance Role Group" -LinkedForeignGroup "Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -Roles "Transport Rules", "Journaling" |
Use the Shell to create a linked role group with a custom management scope
You can create linked role groups with custom recipient management scopes, custom configuration management scopes, or both. To create a linked role group and assign management roles with custom scopes to it, do the following:
- Store the foreign Active Directory forest credentials in a
variable.
Copy Code $ForeignCredential = Get-Credential
- Create the linked role group using the following syntax.
Copy Code New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -CustomConfigWriteScope <name of configuration scope> -CustomRecipientWriteScope <name of recipient scope> -LinkedCredential $ForeignCredential -Roles <role1, role2, role3...>
- Add or remove members to or from the foreign USG using Active
Directory Users and Computers on a computer in the foreign Active
Directory forest.
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign
Active Directory forest. These credentials are used to connect to
the DC01.users.contoso.com domain controller in the foreign
forest.
- Creates a linked role group called Seattle Compliance Role
Group in the resource forest where Exchange 2013 is installed.
- Links the new role group to the Seattle Compliance
Administrators USG in the users.contoso.com foreign Active
Directory forest.
- Assigns the Transport Rules and Journaling management roles to
the new linked role group with the Seattle Recipients custom
recipient scope.
Copy Code | |
---|---|
$ForeignCredential = Get-Credential New-RoleGroup "Seattle Compliance Role Group" -LinkedForeignGroup "Seattle Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -CustomRecipientWriteScope "Seattle Recipients" -Roles "Transport Rules", "Journaling" |
For more information about management scopes, see Understanding Management Role Scopes.
Use the Shell to create a linked role group with an OU scope
You can create linked role groups that use an OU recipient scope. To create a linked role group and assign management roles to it with an OU scope, do the following:
- Store the foreign Active Directory forest credentials in a
variable.
Copy Code $ForeignCredential = Get-Credential
- Create the linked role group using the following syntax.
Copy Code New-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential -RecipientOrganizationalUnitScope <OU name> -Roles <role1, role2, role3...>
- Add or remove members to or from the foreign USG using Active
Directory Users and Computers on a computer in the foreign Active
Directory forest.
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign
Active Directory forest. These credentials are used to connect to
the DC01.users.contoso.com domain controller in the foreign
forest.
- Creates a linked role group called Executives Compliance Role
Group in the resource forest where Exchange 2013 is installed.
- Links the new role group to the Executives Compliance
Administrators USG in the users.contoso.com foreign Active
Directory forest.
- Assigns the Transport Rules and Journaling management roles to
the new linked role group with the OU recipient scope Executives
OU.
Copy Code | |
---|---|
$ForeignCredential = Get-Credential New-RoleGroup "Executives Compliance Role Group" -LinkedForeignGroup "Executives Compliance Administrators" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential -RecipientOrganizationalUnitScope "Executives OU" -Roles "Transport Rules", "Journaling" |
For more information about management scopes, see Understanding Management Role Scopes.
Change the foreign USG on a linked role group
Use the Shell to change the foreign USG on a linked role group
To change the foreign USG associated with a linked role group, do the following:
- Store the foreign Active Directory forest credentials in a
variable.
Copy Code $ForeignCredential = Get-Credential
- Change the foreign USG on the existing linked role group using
the following syntax.
Copy Code Set-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential
This example does the following:
- Retrieves the credentials for the users.contoso.com foreign
Active Directory forest. These credentials are used to connect to
the DC01.users.contoso.com domain controller in the foreign
forest.
- Changes the foreign USG on the Compliance Role Group role group
to Regulatory Compliance Officers.
Copy Code | |
---|---|
$ForeignCredential = Get-Credential Set-RoleGroup "Compliance Role Group" -LinkedForeignGroup "Regulatory Compliance Officers" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential |