Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

Management role group delegates are users or universal security groups (USGs) that can add or remove members from a role group or change the properties of a role group. By adding or removing role group delegates, you can control who is allowed to manage a role group. For more information about role groups in Microsoft Exchange Server 2010, see Understanding Management Role Groups.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

Important:
After you add a delegate to a role group, the role group can only be managed by the delegates on the role group, or by users who are assigned, either directly or indirectly, the Role Management management role.

If a user is assigned, either directly or indirectly, the Role Management role and isn't added as a delegate of the role group, the user must use the BypassSecurityGroupManagerCheck switch on the Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, and Set-RoleGroup cmdlets to manage a role group.

Use the Shell to add a delegate to a role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to add a delegate to a role group.

To change the list of delegates on a role group, you use the ManagedBy parameter on the Set-RoleGroup cmdlet. The ManagedBy parameter overwrites the entire delegate list on the role group. If you want to add delegates to the role group rather than replace the entire list of delegates, use the following steps:

  1. Store the role group in a variable using the following command.

    $RoleGroup = Get-RoleGroup <role group name>
    
  2. Add the delegate to the role group stored in the variable using the following command.

    $RoleGroup.ManagedBy += (Get-User <user to add>).Identity
    
    Note:
    Use the Get-Group cmdlet if you want to add a USG.

  3. Repeat Step 2 for each delegate you want to add.

  4. Apply the new list of delegates to the actual role group using the following command.

    Set-RoleGroup <role group name> -ManagedBy $RoleGroup.ManagedBy
    

This example adds the user David Strome as a delegate on the Organization Management role group.

$RoleGroup = Get-RoleGroup "Organization Management"
$RoleGroup.ManagedBy += (Get-User "David Strome").Identity
Set-RoleGroup "Organization Management" -ManagedBy $RoleGroup.ManagedBy

For detailed syntax and parameter information, see Set-RoleGroup.
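
Because ManagedBy overwrites the whole delegate list, a wrapper that merges new delegates into the current list and skips names that do not resolve or are already present avoids dropping a delegate by accident. The following is an added example, not code from the original topic: Add-RoleGroupDelegate is a hypothetical helper name, "Helpdesk Admins" is a constructed group name, and the comparison assumes each ManagedBy entry exposes a DistinguishedName property.

```powershell
# Added example: Add-RoleGroupDelegate is a hypothetical helper, not an Exchange cmdlet.
function Add-RoleGroupDelegate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]   $RoleGroupName,
        [Parameter(Mandatory = $true)] [string[]] $Delegate
    )

    $roleGroup = Get-RoleGroup $RoleGroupName -ErrorAction Stop

    # Start from the current delegates so none are lost when ManagedBy is overwritten.
    $current = @($roleGroup.ManagedBy | Where-Object { $_ })
    $newList = $current
    # Assumption: each ManagedBy entry exposes DistinguishedName for comparison.
    $knownDns = @($current | ForEach-Object { $_.DistinguishedName })

    foreach ($name in $Delegate) {
        # Try a user first, then fall back to Get-Group for a USG.
        $principal = @(Get-User $name -ErrorAction SilentlyContinue)
        if ($principal.Count -eq 0) { $principal = @(Get-Group $name -ErrorAction SilentlyContinue) }

        if ($principal.Count -ne 1) {
            Write-Warning "Skipping '$name': expected exactly one match, found $($principal.Count)."
            continue
        }
        if ($knownDns -contains $principal[0].DistinguishedName) {
            Write-Verbose "'$name' is already a delegate; not added again."
            continue
        }
        $newList  += $principal[0].Identity
        $knownDns += $principal[0].DistinguishedName
    }

    # Write only when the list grew, and honor -WhatIf / -Confirm.
    if ($newList.Count -gt $current.Count -and
        $PSCmdlet.ShouldProcess($RoleGroupName, "Set ManagedBy to $($newList.Count) delegates")) {
        Set-RoleGroup $RoleGroupName -ManagedBy $newList
    }

    # Read the delegate list back from the role group so the result can be reviewed.
    (Get-RoleGroup $RoleGroupName).ManagedBy
}

# Usage (preview only; remove -WhatIf to apply):
# Add-RoleGroupDelegate "Organization Management" -Delegate "David Strome", "Helpdesk Admins" -WhatIf
```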

Use the Shell to remove a delegate from a role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to remove a delegate from a role group.

To change the list of delegates on a role group, you use the ManagedBy parameter on the Set-RoleGroup cmdlet. The ManagedBy parameter overwrites the entire delegate list on the role group. If you want to remove delegates from the role group rather than replace the entire list of delegates, use the following steps:

  1. Store the role group in a variable using the following command.

    $RoleGroup = Get-RoleGroup <role group name>
    
  2. Remove the delegate from the role group stored in the variable using the following command.

    $RoleGroup.ManagedBy -= (Get-User <user to remove>).Identity
    
    Note:
    Use the Get-Group cmdlet if you want to remove a USG.

  3. Repeat Step 2 for each delegate you want to remove.

  4. Apply the new list of delegates to the actual role group using the following command.

    Set-RoleGroup <role group name> -ManagedBy $RoleGroup.ManagedBy
    

This example removes the user David Strome as a delegate on the Organization Management role group.

$RoleGroup = Get-RoleGroup "Organization Management"
$RoleGroup.ManagedBy -= (Get-User "David Strome").Identity
Set-RoleGroup "Organization Management" -ManagedBy $RoleGroup.ManagedBy

For detailed syntax and parameter information, see Set-RoleGroup.
