groups or Management Role groups are the groups that we see in the Active
Directory "Microsoft Exchange Security groups" OU.
To see a list of Management Roles:
lists all management roles, which are collections of commands. For example:
look at Databases: To look at what commands make up the Databases Management
role we can run:
custom role from an existing role by using the following:
New-ManagementRole -name "Distribution G Admins" -Parent "Distribution Groups"
command creates a new Management role called "Distribution G Admins"
and populates it with the ability to use all the PowerShell commands that the
a management role entry, we can do this to strip the existing template down to
the access we want to give. You would use:
Remove-ManagementRoleEntry "Distribution G
some reason this group needs a permission from another Management role we first
need to create a Role Group, which contains both ManagementRoleEntry's that we
we created this Management role from the Distribution Groups Role, we can't
immediately add the role entries from other roles.
create a New Role Group which in this example will contain Distribution group
and Transport Rule group role entries:
New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -members
creates a group visible in AD with the other Role Groups
a role group
Remove-RoleGroup "Distros and Transports"
want to Create a role group, and scope it so that the users in that group can
only administer users/mailboxes in a specific OU (in this example this will be
the "Liverpool" OU) we can use the following command:
New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport
which Management Roles make up a management group and also to see its scope
you need to query using this command:
Get-ManagementRoleAssignment | Select Name
roles you're looking for:
"MANAGEMENTROLENAME" | fl
shows the Scope.
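The role-and-scope lookup described above, as an added example that is not part of the original post: a small report that takes role assignment objects and flags any assignment whose recipient write scope is the whole organization rather than an OU. The function name `Get-RoleGroupScopeReport`, the `example.local` domain and the sample rows are assumptions constructed for illustration; the property names are those returned by `Get-ManagementRoleAssignment`.

```powershell
# Added example: summarise which roles sit behind a role group and how each is scoped.
# Input objects need the properties Get-ManagementRoleAssignment returns:
# RoleAssigneeName, Role, RecipientWriteScope, CustomRecipientWriteScope.
function Get-RoleGroupScopeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Assignment
    )
    process {
        # 'Organization' means the assignment can write to every recipient;
        # 'OU' means it is limited to the OU held in CustomRecipientWriteScope.
        $scope = [string]$Assignment.RecipientWriteScope
        [pscustomobject]@{
            RoleGroup   = $Assignment.RoleAssigneeName
            Role        = $Assignment.Role
            WriteScope  = $scope
            ScopeDetail = [string]$Assignment.CustomRecipientWriteScope
            Unscoped    = ($scope -eq 'Organization')
        }
    }
}

# Constructed sample rows (not real output) so the report runs without Exchange.
$sample = @(
    [pscustomobject]@{ RoleAssigneeName = 'Liverpool Distros and Transports'
                       Role = 'Distribution G Admins'
                       RecipientWriteScope = 'OU'
                       CustomRecipientWriteScope = 'example.local/Liverpool' }
    [pscustomobject]@{ RoleAssigneeName = 'Distros and Transports'
                       Role = 'Distribution G Admins'
                       RecipientWriteScope = 'Organization'
                       CustomRecipientWriteScope = '' }
    [pscustomobject]@{ RoleAssigneeName = 'Distros and Transports'
                       Role = 'Transport Rules'
                       RecipientWriteScope = 'Organization'
                       CustomRecipientWriteScope = '' }
)

$report = $sample | Get-RoleGroupScopeReport
$report | Sort-Object RoleGroup, Role | Format-Table -AutoSize

# Role groups holding at least one organization-wide assignment.
$report | Where-Object Unscoped | Select-Object -ExpandProperty RoleGroup -Unique

# Against a live Exchange Management Shell session, feed real assignments instead:
#   Get-ManagementRoleAssignment -RoleAssignee "Distros and Transports" | Get-RoleGroupScopeReport
```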