Topic Last Modified: 2010-11-16

Removes an existing role-based access control (RBAC) role. RBAC roles are used to specify the management tasks that users are allowed to carry out, and to determine the scope in which users will be allowed to perform these tasks.


Remove-CsAdminRole -Identity <String> [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]
Remove-CsAdminRole -Sid <String> [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]
Remove-CsAdminRole [-Confirm [<SwitchParameter>]] [-Filter <String>] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]


Parameter Required Type Description




Unique identifier for the RBAC role to be deleted. The Identity for an RBAC role must be the same as the SamAccountName for the Active Directory universal security group associated with that role. For example, the Help Desk role has an Identity equal to CsHelpDesk; CsHelpDesk is also the SamAccountName of the Active Directory security group associated with that role.




Enables you to use wildcards in order to specify the custom RBAC roles to be removed. For example, to remove all the custom roles that include the string value "Redmond" in their Identity, you can use this syntax: -Filter "*Redmond*".



Security Identifier

Enables you to use a Security Identifier (SID) to specify the RBAC role to be deleted. SIDs are assigned by Lync Server 2010 at the time that the RBAC role is created; and look similar to this: S-1-5-21-1573807623-1597889489-1765977225-1145. The SID for a given RBAC role can be retrieved by using the Get-CsAdminRole cmdlet.



Switch Parameter

Suppresses the display of any non-fatal error message that might occur when running the command.



Switch Parameter

Describes what would happen if you executed the command without actually executing the command.



Switch Parameter

Enables you to bypass the confirmation prompt that appears when you try to delete an RBAC role. To bypass the prompt, include the Confirm parameter and set the parameter value to $False:

Remove-CsAdminRole RedmondAdministrators –Confirm:$False

Detailed Description

RBAC enables administrators to delegate control of specific management tasks in Microsoft Lync Server 2010. For example, instead of granting your organization’s help desk full administrator privileges you can give these employees very specific rights: the right to manage only user accounts; the right to manage only Enterprise Voice components; and the right to manage only archiving and Archiving Server. In addition, these rights can be limited in scope: someone can be given the right to manage Enterprise Voice, but only in the Redmond site; someone else can be given the right to manage users, but only if those user accounts are in the Finance organizational unit (OU).

The Lync Server 2010 implementation of RBAC is based on two key elements: Active Directory security groups and Windows PowerShell cmdlets. When you install Lync Server 2010, a number of universal security groups, such as CsAdministrator, CsArchivingAdministrator, and CsViewOnlyAdministrator, are created for you. These universal security groups have a one-to-one correspondence with RBAC roles, which means that any user who is in the CsArchivingAdministrator security group has all of the rights granted to the CsArchivingAdministrator RBAC role. In turn, the rights granted to an RBAC role are based on the cmdlets assigned to that role (cmdlets can be assigned to multiple RBAC roles). For example, suppose a role has been assigned the following cmdlets:
















The preceding list represents the only cmdlets that a user assigned a hypothetical RBAC role is allowed to run in a remote session of Windows PowerShell. If the user tries to run the Disable-CsUser cmdlet that command will fail because users assigned the hypothetical role do not have the right to run Disable-CsUser. This applies to the Lync Server Control Panel as well. For example, an Archiving Administrator cannot disable a user by using the Lync Server Control Panel because the Lync Server Control Panel abides by RBAC roles. (Any time you run a command in Lync Server Control Panel you are actually calling a Windows PowerShell cmdlet.) If you are not allowed to run Disable-CsUser, it won’t matter whether you directly run that cmdlet from Windows PowerShell or if you indirectly run the cmdlet from within the Lync Server Control Panel: the command will fail.)

Note that RBAC applies only to remote management. If you are logged on to a computer running Lync Server 2010 and you open the Lync Server Management Shell, RBAC roles will not be enforced. Instead, security is enforced primarily through the security groups RTCUniversalServerAdmins; RTCUniversalUserAdmins; and RTCUniversalReadOnlyAdmins.

When you install Lync Server 2010, Setup creates several built-in RBAC roles that cover common administrative areas such as voice administration, user management, and Response Group administration. These built-in roles cannot be modified in any way: you cannot add or remove cmdlets to the roles and you cannot delete these roles. (Any attempt to delete a built-in role will result in an error message.) However, you can use the built-in roles to create custom RBAC roles. These custom roles can then be modified by changing the administrative scopes; for example, you can limit the role to managing user accounts with a particular Active Directory OU.

Any custom roles you create can be deleted by using the Remove-CsAdminRole cmdlet. Note that Remove-CsAdminRole will not delete the Active Directory security group that corresponds to the custom role, nor will it remove any of the members who have been assigned to the group. Instead, the cmdlet simply ensures that this custom role cannot be used to delegate control of Lync Server 2010.

When you delete an RBAC role, Windows PowerShell will respond by asking if you are sure you want to delete this role; if you do not respond to this prompt (or do not respond by saying Yes) then the role will not be deleted. To avoid these confirmation prompts, use the Confirm parameter and set the parameter value to $False:

Remove-CsAdminRole RedmondAdministrators –Confirm:$False

Who can run this cmdlet: By default, members of the following groups are authorized to run the Remove-CsAdminRole cmdlet locally: RTCUniversalServerAdmins. To return a list of all the RBAC roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself) run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Remove-CsAdminRole"}

Input Types

Microsoft.Rtc.Management.ADConnect.Schema.ADUser object. Remove-CsAdminRole accepts pipelined input of user objects.

Return Types

Remove-CsAdminRole deletes existing instances of the Microsoft.Rtc.Management.WritableConfig.Settings.Roles.Role object.


-------------------------- Example 1 ------------------------

Copy Code
Remove-CsAdminRole -Identity "RedmondHelpDesk"

The command shown in Example 1 deletes the RBAC role with the Identity RedmondHelpDesk.

-------------------------- Example 2 ------------------------

Copy Code
Remove-CsAdminRole -Filter "*Redmond*"

The preceding command deletes all of the RBAC roles that have the string value "Redmond" somewhere in their Identity.

-------------------------- Example 3 ------------------------

Copy Code
Get-CsAdminRole | Where-Object {$_.IsStandardRole -eq $False} | Remove-CsAdminRole

In Example 3, the command deletes all of the custom RBAC roles that have been created for use in your organization. To do this, the command first calls Get-CsAdminRole without any parameters; that returns a collection of the RBAC roles. This collection is then piped to the Where-Object cmdlet, which selects only those roles where the IsStandardRole property is equal to False. By definition, any role meeting that criterion is a custom role. In turn, those custom roles are piped to, and deleted by, the Remove-CsAdminRole cmdlet.