Topic Last Modified: 2010-10-01

Returns the role-based access control (RBAC) roles assigned to a user.


Get-CsAdminRoleAssignment [-Identity] <String> [-LocalStore] [-Force] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]


Parameter Required Type Description




SamAccountName of the user whose RBAC roles are to be returned, You can retrieve the SamAccountName for a user by using a command similar to this:

Get-CsUser "Ken Myer" | Select-Object SamAccountName

Note that you must use the SamAccountName when specifying the user Identity. Other common values used when specifying identities, such as the Active Directory display name or the user’s SIP address, will not work with Get-CsAdminRoleAssignment.



Switch Parameter

Suppresses the display of any non-fatal error message that might occur when running the command.



Switch Parameter

Retrieves the RBAC role assignment data from the local replica of the Central Management store rather than from the Central Management store itself.

Detailed Description

Role-based access control (RBAC) enables administrators to delegate control of specific management tasks for Microsoft Lync Server 2010. For example, instead of granting your organization’s help desk full administrator privileges you can give these employees very specific rights: the right to manage only user accounts; the right to manage only Enterprise Voice components; and the right to manage only archiving and Archiving Server. In addition, these rights can be limited in scope: one user can be given the right to manage Enterprise Voice, but only in the Redmond site; while another user can be given the right to manage user accounts, but only if those accounts are in the Finance organizational unit (OU).

The Get-CsAdminRoleAssignment cmdlet provides a way for you to retrieve a list of the RBAC roles that have been assigned to a user.

Who can run this cmdlet: By default, members of the following groups are authorized to run the Get-CsAdminRoleAssignment cmdlet locally: RTCUniversalUserAdmins, RTCUniversalServerAdmins, RTCUniversalReadOnlyAdmins. To return a list of all the RBAC roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Get-CsAdminRoleAssignment"}

Input Types

String. Get-CsAdminRoleAssignment accepts a pipelined string value representing the SamAccountName of a user.

Return Types

Get-CsAdminRoleAssignment returns string values representing the RBAC roles held by the specified user.


-------------------------- Example 1 ------------------------

Copy Code
Get-CsAdminRoleAssignment -Identity "kenmyer"

The command shown in Example 1 returns all of the RBAC roles assigned to the user kenmyer.

-------------------------- Example 2 ------------------------

Copy Code
Get-CsUser | ForEach-Object {$_.DisplayName; Get-CsAdminRoleAssignment -Identity $_.SamAccountName}

The preceding command returns the RBAC roles for all of the users who have been enabled for Lync Server 2010. To do this, the command begins by calling Get-CsUser without any parameters; that returns a collection of all the users in the organization who have been enabled for Lync Server 2010 or Office Communications Server. This data is then piped to the ForEach-Object cmdlet, which loops through each user account in the collection and does the following: 1) echoes the user’s display name to the screen; and 2) uses the Get-CsAdminRoleAssignment cmdlet to return the user’s RBAC roles. The user account information must be piped to ForEach-Object because Get-CsAdminRoleAssignment does not directly accept pipelined data.

See Also

Other Resources