Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

You can change the universal security group (USG) in a foreign Active Directory forest that's associated with a linked management role group. This can be useful if the original foreign USG is being removed and you need to transition to a new USG. For more information about linked role groups, see Understanding Management Role Groups.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

Prerequisites

  • Credentials   You must have a user name and password that can access the foreign Active Directory forest. This information is used with the LinkedCredential parameter on the Set-RoleGroup cmdlet.

  • Domain controller   You must have the fully qualified domain name (FQDN) of an Active Directory domain controller in the foreign Active Directory forest. This information is used with the LinkedDomainController parameter on the Set-RoleGroup cmdlet.

  • Foreign USG   You must have the full name of a USG in the foreign Active Directory forest that contains the members you want to associate with the linked role group. This information is used with the LinkedForeignGroup parameter on the Set-RoleGroup cmdlet.

Use the Shell to change the foreign USG on a linked role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to change the foreign USG on a linked role group.

To change the foreign USG associated with a linked role group, do the following:

  1. Store the foreign Active Directory forest credentials in a variable.

    $ForeignCredential = Get-Credential
    
  2. Change the foreign USG on the linked role group using the following syntax.

    Set-RoleGroup <role group name> -LinkedForeignGroup <name of foreign USG> -LinkedDomainController <FQDN of foreign Active Directory domain controller> -LinkedCredential $ForeignCredential
    

This example does the following:

  • Retrieves the credentials for the users.contoso.com foreign Active Directory forest. These credentials are used to connect to the DC01.users.contoso.com domain controller in the foreign forest.

  • Changes the foreign USG on the Compliance Role Group role group to Regulatory Compliance Officers.

$ForeignCredential = Get-Credential
Set-RoleGroup "Compliance Role Group" -LinkedForeignGroup "Regulatory Compliance Officers" -LinkedDomainController DC01.users.contoso.com -LinkedCredential $ForeignCredential

For detailed syntax and parameter information, see Set-RoleGroup.
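
One way to wrap the change in a before-and-after check, as an added example that is not part of the original topic: it confirms the role group is linked, records the SID of the previously linked group, applies the change, and reports whether the link actually moved. It reuses the sample names above and assumes the RoleGroupType, LinkedGroup and Roles properties on Get-RoleGroup output; confirm them in your environment with Get-RoleGroup | Format-List.

```powershell
# Added example (not from the original topic). Values reuse the page's sample names.
$RoleGroupName = "Compliance Role Group"
$NewForeignUsg = "Regulatory Compliance Officers"
$ForeignDc     = "DC01.users.contoso.com"

# Capture the current state so the change can be audited or reverted later.
$before = Get-RoleGroup $RoleGroupName -ErrorAction Stop

# Assumption: RoleGroupType reports "Linked" for linked role groups and
# LinkedGroup holds the SID of the foreign USG.
if ("$($before.RoleGroupType)" -ne "Linked") {
    throw "'$RoleGroupName' is not a linked role group; no change was made."
}
$oldSid = "$($before.LinkedGroup)"

# Prompt for the foreign forest credentials; nothing is stored on disk.
$ForeignCredential = Get-Credential

Set-RoleGroup $RoleGroupName -LinkedForeignGroup $NewForeignUsg `
    -LinkedDomainController $ForeignDc -LinkedCredential $ForeignCredential `
    -ErrorAction Stop

# Re-read the role group and compare the linked SID with the recorded one.
$after  = Get-RoleGroup $RoleGroupName -ErrorAction Stop
$newSid = "$($after.LinkedGroup)"

if ($newSid -eq $oldSid) {
    Write-Warning "Linked group SID is unchanged ($oldSid). Check the USG name."
}

# Emit a record for the change log. Members of the new USG receive every
# management role listed in Roles, so review that list as part of the change.
New-Object PSObject -Property @{
    RoleGroup      = $after.Name
    PreviousUsgSid = $oldSid
    CurrentUsgSid  = $newSid
    Roles          = ($after.Roles -join "; ")
    ChangedAtUtc   = (Get-Date).ToUniversalTime().ToString("s")
} | Select-Object RoleGroup, PreviousUsgSid, CurrentUsgSid, Roles, ChangedAtUtc
```

To preview the change without applying it, run the Set-RoleGroup line with the -WhatIf switch first.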

Other Tasks

After you change the foreign USG on a linked role group, you may also want to: