Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

If you want to grant access to a cmdlet, you need to add the associated management role entry to a management role. After you add the role entry to a role, the users assigned the role will be able to access that cmdlet. For more information about management role entries in Microsoft Exchange Server 2010, see Understanding Management Roles.

You can't add role entries to built-in roles. If you want to customize roles, you must create a new role. For more information about how to create a new role, see Create a Role.

You must use the Shell to add role entries to a role.

Note:
This topic doesn't discuss how to add unscoped management role entries to an unscoped management role. For more information about how to add unscoped role entries, see Add a Role Entry to an Unscoped Top-Level Role.

Looking for other management tasks related to roles? Check out Managing Advanced Permissions.

Prerequisites

  • A role entry that you want to add to a management role must exist in that role's immediate parent management role.

  • This topic makes use of pipelining. For more information about pipelining, see Pipelining.

What Do You Want to Do?

Add a single role entry from a parent role

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

You can add a role entry to a role exactly as it appears on the parent role by using the following syntax.

Add-ManagementRoleEntry <child role name>\<cmdlet>

This example adds the Set-Mailbox cmdlet to the Recipient Administrators role.

Add-ManagementRoleEntry "Recipient Administrators\Set-Mailbox"

This command checks the parent role, and if the role entry exists, adds it to the child role. If the role entry already exists on the child role, you can include the Overwrite parameter to overwrite the existing role entry.

For detailed syntax and parameter information, see Add-ManagementRoleEntry.

Add a single role entry from a parent role and include only specific parameters

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

If you want to add a role entry from a parent role, but you want to include only specific parameters in the role entry on the child role, use the following syntax.

Add-ManagementRoleEntry <child role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter...>

This example adds the Set-Mailbox cmdlet to the Help Desk role, but includes only the DisplayName and EmailAddresses parameters in the entry on the child role.

Add-ManagementRoleEntry "Help Desk\Set-Mailbox" -Parameters DisplayName, EmailAddresses

This command checks the parent role, and if the role entry exists, adds it to the child role. If the role entry already exists on the child role, you can include the Overwrite parameter to overwrite the existing role entry.

For detailed syntax and parameter information, see Add-ManagementRoleEntry.

Add multiple role entries from a parent role

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management role entries" entry in the Role Management Permissions topic.

If you want to add more than one role entry to a role, you need to retrieve a list of role entries that exist on the parent role that you want to add to the child role, and then add them to the child role. To do this, you retrieve the list of role entries on a parent role by using the Get-ManagementRoleEntry cmdlet. Then you pipe the output of the Get-ManagementRoleEntry cmdlet to the Add-ManagementRoleEntry cmdlet. To retrieve multiple role entries, you need to use the wildcard character (*).

To add multiple entries from a parent role to a child role, use the following syntax.

Get-ManagementRoleEntry <parent role name>\*<partial cmdlet name>* | Add-ManagementRoleEntry -Role <child role name>

This example adds all the role entries that contain the string Mailbox in the cmdlet name on the Mail Recipients parent role to the Seattle Mail Recipients child role.

Get-ManagementRoleEntry "Mail Recipients\*Mailbox*" | Add-ManagementRoleEntry -Role "Seattle Mail Recipients"

If the role entries already exist on the child role, you can include the Overwrite parameter to overwrite the existing role entries.

For more information about retrieving a list of management role entries, see View Role Entries.

For detailed syntax and parameter information, see Get-ManagementRoleEntry and Add-ManagementRoleEntry.
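
After adding entries, especially through a wildcard, it is worth confirming what the child role exposes compared with its parent. The following is an added example, not part of the original topic or Microsoft's code: it compares child entries with parent entries and lists the parameters each child entry leaves out. It assumes the entry objects expose Name and Parameters properties, as Get-ManagementRoleEntry output does; the function name Compare-RoleEntryScope, the helper New-SampleEntry, and the sample entries are hypothetical.

```powershell
# Added example (not Microsoft's code). Written in PowerShell 2.0 syntax,
# the version the Exchange 2010 Shell runs on.
function Compare-RoleEntryScope {
    param(
        [Parameter(Mandatory=$true)] [object[]] $ParentEntry,
        [Parameter(Mandatory=$true)] [object[]] $ChildEntry
    )
    # Index the parent's entries by cmdlet name.
    $parentByName = @{}
    foreach ($p in $ParentEntry) { $parentByName[$p.Name] = @($p.Parameters) }

    foreach ($c in $ChildEntry) {
        $granted  = @($c.Parameters)
        $withheld = @()
        if (-not $parentByName.ContainsKey($c.Name)) {
            $status = 'NotOnParent'   # the wrong parent role was supplied
        } else {
            # Parameters present on the parent entry but left off the child entry.
            $withheld = @($parentByName[$c.Name] | Where-Object { $granted -notcontains $_ })
            if ($withheld.Count -eq 0) { $status = 'SameAsParent' } else { $status = 'Restricted' }
        }
        New-Object PSObject -Property @{
            Cmdlet   = $c.Name
            Status   = $status
            Granted  = ($granted -join ', ')
            Withheld = ($withheld -join ', ')
        } | Select-Object Cmdlet, Status, Granted, Withheld
    }
}

# Hypothetical helper that builds constructed entries for an offline run.
function New-SampleEntry($Name, $Parameters) {
    New-Object PSObject -Property @{ Name = $Name; Parameters = $Parameters }
}

# Constructed sample data standing in for Get-ManagementRoleEntry output.
$parent = @(
    (New-SampleEntry 'Get-Mailbox'    @('Identity', 'ResultSize')),
    (New-SampleEntry 'Set-Mailbox'    @('Identity', 'DisplayName', 'EmailAddresses', 'ProhibitSendQuota')),
    (New-SampleEntry 'Remove-Mailbox' @('Identity', 'Permanent'))
)
$child = @(
    (New-SampleEntry 'Get-Mailbox' @('Identity', 'ResultSize')),
    (New-SampleEntry 'Set-Mailbox' @('DisplayName', 'EmailAddresses'))
)

Compare-RoleEntryScope -ParentEntry $parent -ChildEntry $child | Format-Table -AutoSize
```

In the Shell, replace the constructed data with live entries, for example by passing (Get-ManagementRoleEntry "Mail Recipients\*") as ParentEntry and (Get-ManagementRoleEntry "Seattle Mail Recipients\*") as ChildEntry.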