Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

If you have a management role group that contains the permissions you want to grant to users, but you want to apply a different management scope, or remove or add one or two management roles without having to add all the other roles manually, you can copy the existing role group. For more information about role groups in Microsoft Exchange Server 2010, see Understanding Management Role Groups.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

Use the ECP to copy a role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Important:
You can't use the Exchange Control Panel (ECP) to copy a role group if you've used the Exchange Management Shell to configure multiple management role scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on the role group, you must use the Shell procedures later in this topic to copy the role group. For more information about management role scopes, see Understanding Management Role Scopes.

  1. In the Exchange Management Console (EMC), navigate to Toolbox in the console tree.

  2. In the work pane, double-click Role Based Access Control (RBAC) User Editor to open the user editor in the Exchange Control Panel (ECP).

  3. Provide credentials in the Domain\user name and Password fields for an account that has the permissions needed to open the user editor in the ECP. Click Sign in.

  4. Click the Administrator Roles tab.

  5. Select the role group you want to copy, and then click Copy.

  6. In the Name field, enter the name of the new role group.

  7. In the Description field, provide a short description of the purpose for the role group.

  8. Select one of the two following Write scope options:

    • A write scope from the drop-down box. In this box, you can select either the default write scope or a custom write scope.

    • Organizational unit   Select this option and provide an organizational unit (OU) if you want to scope this role group to an OU.

  9. In the Roles section, do the following:

    • To add one or more management roles to the role group, click Add and select the roles you want to add. You can select multiple roles at one time. Then click OK.

    • To remove one or more roles from the role group, select the roles you want to remove, and click Remove.

  10. In the Members section, do the following:

    • To add one or more members to the role group, click Add and select the mailboxes, role groups or universal security groups (USGs) you want to add. You can select multiple items at one time. Then click OK.

    • To remove one or more members, select the members you want to remove, and click Remove.

  11. When you're done, click Save to create the new role group.
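
Before choosing the ECP procedure, you can check the source role group against the restriction in the Important note above. The following is an added example, not part of the original topic. It assumes that "multiple scopes" means the group's role assignments don't all share the same scope settings, and it uses the Organization Management sample group from this topic.

```powershell
# Added example: check whether a role group can be copied in the ECP.
# Run in the Exchange Management Shell.
$source = "Organization Management"   # sample name from this topic

# All role assignments held by the role group.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $source)

# One signature per assignment: recipient scope, config scope, OU scope.
# More than one distinct signature is treated here as "multiple scopes".
$signatures = @($assignments | ForEach-Object {
    "{0}|{1}|{2}" -f $_.CustomRecipientWriteScope,
                     $_.CustomConfigWriteScope,
                     $_.RecipientOrganizationalUnitScope
} | Sort-Object -Unique)

# Assignments bound to an exclusive scope report it in the write-scope type.
$exclusive = @($assignments | Where-Object {
    $_.RecipientWriteScope -eq "ExclusiveRecipientScope" -or
    $_.ConfigWriteScope -eq "ExclusiveConfigScope"
})

if ($signatures.Count -gt 1 -or $exclusive.Count -gt 0) {
    Write-Warning "'$source' has multiple or exclusive scopes. Use the Shell procedures to copy it."
    # Show the assignments so the scopes can be reproduced on the copy.
    $assignments | Sort-Object Role |
        Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope,
                     ConfigWriteScope, CustomConfigWriteScope -AutoSize
} else {
    Write-Host "'$source' uses a single, non-exclusive scope. The ECP copy procedure applies."
}
```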

Use the Shell to copy a role group with no scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

  1. Store the role group that you want to copy in a variable using the following syntax:

    $RoleGroup = Get-RoleGroup <name of role group to copy>
    
  2. Create the new role group, and also add members to the role group and specify who can delegate the new role group to other users, using the following syntax:

    New-RoleGroup <name of new role group> -Roles $RoleGroup.Roles -Members <member1, member2, member3...> -ManagedBy <user1, user2, user3...>
    

For example, the following commands copy the Organization Management role group and name the new role group "Limited Organization Management". They also add the members Isabelle, Carter, and Lukas, and specify that Jenny and Katie can delegate the new role group.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members Isabelle, Carter, Lukas -ManagedBy Jenny, Katie

After the new role group is created, you can add or remove roles, change the scope of role assignments on the role, and more. For more information, see the Other Tasks section later in this topic.

For detailed syntax and parameter information, see Get-RoleGroup and New-RoleGroup.

Use the Shell to copy a role group with a custom scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

To copy a role group and add a custom scope to the new role group, do the following:

  1. Store the role group that you want to copy in a variable using the following syntax:

    $RoleGroup = Get-RoleGroup <name of role group to copy>
    
  2. Create the new role group with a custom scope using the following syntax:

    New-RoleGroup <name of new role group> -Roles $RoleGroup.Roles -CustomRecipientWriteScope <recipient scope name> -CustomConfigWriteScope <configuration scope name>
    

For example, the following commands copy the Organization Management role group and create a new role group called Vancouver Organization Management with the Vancouver Users recipient scope and Vancouver Servers configuration scope.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users" -CustomConfigWriteScope "Vancouver Servers"

You can also add members to the role group when you create it by using the Members parameter as shown in Use the Shell to copy a role group with no scope earlier in this topic. For more information about management scopes, see Understanding Management Role Scopes.

After the new role group is created, you can add or remove roles, change the scope of role assignments on the role, and perform other tasks. For more information, see the Other Tasks section later in this topic.

For detailed syntax and parameter information, see Get-RoleGroup and New-RoleGroup.
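
A post-copy check for the Vancouver example above, added here and not part of the original topic: it compares the roles on the source and the copy, lists any role assignment on the copy that does not carry both custom scopes, and shows who is a member and who can delegate the group. It assumes the sample names from this topic and reads each role and scope name from the `Name` property of the assignment's references.

```powershell
# Added example: verify a scoped copy of a role group.
# Run in the Exchange Management Shell. Names are this topic's sample values.
$sourceName     = "Organization Management"
$copyName       = "Vancouver Organization Management"
$recipientScope = "Vancouver Users"
$configScope    = "Vancouver Servers"

$sourceRoles = @(Get-ManagementRoleAssignment -RoleAssignee $sourceName |
    ForEach-Object { $_.Role.Name } | Sort-Object -Unique)
$copyAssignments = @(Get-ManagementRoleAssignment -RoleAssignee $copyName)
$copyRoles = @($copyAssignments |
    ForEach-Object { $_.Role.Name } | Sort-Object -Unique)

if ($copyAssignments.Count -eq 0 -or $sourceRoles.Count -eq 0) {
    Write-Warning "No role assignments found for the source or the copy. Check both names."
} else {
    # 1. Roles present on only one side ("<=" source only, "=>" copy only).
    $diff = @(Compare-Object $sourceRoles $copyRoles)
    if ($diff.Count -gt 0) {
        Write-Warning "Role sets differ between '$sourceName' and '$copyName':"
        $diff | Format-Table InputObject, SideIndicator -AutoSize
    }

    # 2. Assignments on the copy that lack either intended custom scope.
    $mismatched = @($copyAssignments | Where-Object {
        $_.CustomRecipientWriteScope.Name -ne $recipientScope -or
        $_.CustomConfigWriteScope.Name -ne $configScope
    })
    if ($mismatched.Count -gt 0) {
        Write-Warning "$($mismatched.Count) assignment(s) do not carry both custom scopes:"
        $mismatched | Sort-Object Role |
            Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope,
                         ConfigWriteScope, CustomConfigWriteScope -AutoSize
    } else {
        Write-Host "All $($copyAssignments.Count) assignments carry '$recipientScope' and '$configScope'."
    }

    # 3. Who holds the permissions, and who can delegate the group.
    Get-RoleGroup $copyName | Format-List Name, Members, ManagedBy
}
```

The same check applies to an OU-scoped copy if you compare `RecipientOrganizationalUnitScope` on each assignment instead of the two custom scope properties.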

Use the Shell to copy a role group with an OU scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

  1. Store the role group that you want to copy in a variable using the following syntax:

    $RoleGroup = Get-RoleGroup <name of role group to copy>
    
  2. Create the new role group with an OU scope using the following syntax:

    New-RoleGroup <name of new role group> -Roles $RoleGroup.Roles -RecipientOrganizationalUnitScope <OU name>
    

For example, the following commands copy the Recipient Management role group and create a new role group called Toronto Recipient Management that allows management of only users in the Toronto Users OU.

$RoleGroup = Get-RoleGroup "Recipient Management"
New-RoleGroup "Toronto Recipient Management" -Roles $RoleGroup.Roles -RecipientOrganizationalUnitScope "contoso.com/Toronto Users"

You can also add members to the role group when you create it by using the Members parameter as shown in Use the Shell to copy a role group with no scope earlier in this topic. For more information about management scopes, see Understanding Management Role Scopes.

After the new role group is created, you can add or remove roles, change the scope of role assignments on the role, and more. For more information, see the Other Tasks section later in this topic.

For detailed syntax and parameter information, see Get-RoleGroup and New-RoleGroup.

Other Tasks