Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-19

Use the Set-RoleGroup cmdlet to modify who can add or remove members to or from management role groups or change the name of the role group.

Syntax

Set-RoleGroup -Identity <RoleGroupIdParameter> [-BypassSecurityGroupManagerCheck <SwitchParameter>] [-Confirm [<SwitchParameter>]] [-Description <String>] [-DisplayName <String>] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-ManagedBy <MultiValuedProperty>] [-Name <String>] [-WhatIf [<SwitchParameter>]]
Set-RoleGroup -Identity <RoleGroupIdParameter> -LinkedForeignGroupSid <SecurityIdentifier> [-BypassSecurityGroupManagerCheck <SwitchParameter>] [-Confirm [<SwitchParameter>]] [-Description <String>] [-DisplayName <String>] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-ManagedBy <MultiValuedProperty>] [-Name <String>] [-WhatIf [<SwitchParameter>]]
Set-RoleGroup -Identity <RoleGroupIdParameter> -LinkedDomainController <String> -LinkedForeignGroup <UniversalSecurityGroupIdParameter> [-BypassSecurityGroupManagerCheck <SwitchParameter>] [-Confirm [<SwitchParameter>]] [-Description <String>] [-DisplayName <String>] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-LinkedCredential <PSCredential>] [-ManagedBy <MultiValuedProperty>] [-Name <String>] [-WhatIf [<SwitchParameter>]]

Detailed Description

If you want to add or remove members to or from an existing role group, use the Add-RoleGroupMember and Remove-RoleGroupMember cmdlets. If you want to add or remove management role assignments to or from a role group, use the New-ManagementRoleAssignment and Remove-ManagementRoleAssignment cmdlets. If you want to add or remove members to or from a linked role group, you must add or remove the members to or from the foreign universal security group (USG) in the foreign forest. To find the foreign USG, use the Get-RoleGroup cmdlet.

If the ManagedBy property is populated with role group managers, the user configuring a role group must be a role group manager. Alternately, if the user is a member of the Organization Management role group or is directly or indirectly assigned the Role Management role, the BypassSecurityGroupManagerCheck switch can be used to override the security group management check.

For more information about role groups, see Understanding Management Role Groups.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Parameters

Parameter Required Type Description

Identity

Required

Microsoft.Exchange.Configuration.Tasks.RoleGroupIdParameter

The Identity parameter specifies the name of the role group to modify. If the name contains spaces, enclose the name in quotation marks (").

LinkedDomainController

Required

System.String

The LinkedDomainController parameter specifies the fully qualified domain name (FQDN) or IP address of the domain controller in the forest where the foreign USG resides. The domain controller you specify is used to get security information for the foreign USG specified by the LinkedForeignGroup parameter.

You can only use the LinkedDomainController parameter with a linked role group.

LinkedForeignGroup

Required

Microsoft.Exchange.Configuration.Tasks.UniversalSecurityGroupIdParameter

The LinkedForeignGroup parameter specifies the name of the foreign USG you want to link this role group to. If the foreign USG name contains spaces, enclose the name in quotation marks (").

You can only use the LinkedForeignGroup parameter to change the foreign USG linked to an existing linked role group. You can't change a standard role group to a linked role group by using the Set-RoleGroup cmdlet. You must create a new role group using the New-RoleGroup cmdlet.

If you use the LinkedForeignGroup parameter, you must specify a domain controller in the LinkedDomainController parameter.

LinkedForeignGroupSid

Required

System.Security.Principal.SecurityIdentifier

This parameter is reserved for internal Microsoft use.

BypassSecurityGroupManagerCheck

Optional

System.Management.Automation.SwitchParameter

The BypassSecurityGroupManagerCheck switch enables a user who hasn't been added to the ManagedBy property to modify a role group. The user must be a member of the Organization Management role group or be assigned, either directly or indirectly, the Role Management role.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.

Description

Optional

System.String

The Description parameter specifies the description that's displayed when the role group is viewed using the Get-RoleGroup cmdlet. Enclose the description in quotation marks (").

DisplayName

Optional

System.String

The DisplayName parameter specifies the friendly name of the role group. If the name contains spaces, enclose the name in quotation marks ("). This parameter can have a maximum length of 256 characters.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.

Force

Optional

System.Management.Automation.SwitchParameter

This parameter is reserved for internal Microsoft use.

LinkedCredential

Optional

System.Management.Automation.PSCredential

The LinkedCredential parameter specifies credentials to use to access the domain controller specified by the LinkedDomainController parameter.

You can only use the LinkedCredential parameter with a linked role group.

This parameter requires the creation and passing of a credential object. This credential object is created by using the Get-Credential cmdlet. For more information, see Get-Credential.

ManagedBy

Optional

Microsoft.Exchange.Data.MultiValuedProperty

The ManagedBy parameter specifies the users or USG who can modify the configuration of a role group or add and remove members to or from a role group. The list you specify with this parameter overwrites the existing ManagedBy list. To add or remove individual role group managers, and for more information about modifying multivalued properties, see Modifying Multivalued Properties.

You can use the name, distinguished name (DN), or primary SMTP address of the user or USG you want to add. If the name of the user or USG contains spaces, enclose the name in quotation marks (").

If you want to add more than one user or USG, separate them using commas.

Name

Optional

System.String

The Name parameter specifies the name of the role group. The name can contain up to 64 characters. If the name contains spaces, enclose the name in quotation marks (").

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

Examples

EXAMPLE 1

This example sets the role group managers list to David and Christine on the London Recipient Administrators role group.

Copy Code
Set-RoleGroup "London Recipient Administrators" -ManagedBy "David", "Christine"

EXAMPLE 2

This example sets the role group managers list to the Seattle Role Administrators USG on the Seattle Administrators role group. Because the user running the command wasn't added to the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck switch must be used. The user is assigned the Role Management role, which enables the user to bypass the security group manager check.

Copy Code
Set-RoleGroup "Seattle Administrators" -ManagedBy "Seattle Role Administrators" -BypassSecurityGroupManagerCheck

EXAMPLE 3

This example modifies the linked foreign USG on the existing linked role group ContosoUsers: Toronto Recipient Admins. The foreign USG that should be linked to is Toronto Tier 2 Administrators.

First, the credentials for the user forest need to be stored in a variable so they can be used with the Set-RoleGroup cmdlet. The following command retrieves the credentials using the Get-Credential cmdlet and stores them in the $Credentials variable.

Copy Code
$Credentials = Get-Credential

Then, the foreign USG on the ContosoUsers: Toronto Recipient Admins linked role group is modified using the following command.

Copy Code
Set-RoleGroup "ContosoUsers: Toronto Recipient Admins" -LinkedDomainController dc02.contosousers.contoso.com -LinkedCredential $Credentials -LinkedForeignGroup "Toronto Tier 2 Administrators"