Role group management commands for Exchange Server 2010

Role group management has changed in Exchange Server 2010. Take a look at which EMS commands you'll need to use to create role groups, add and remove members and more.

There are management role groups within Exchange Server 2010's new Role Based Access Control (RBAC) administrative model that grant users administrative permissions. In this tip, Exchange Server expert Brien Posey explains which Exchange Management Shell commands you'll need to create role groups. He'll also give you the commands needed to add and remove users from those groups.

Whether you're using a built-in role group or a custom one, you'll eventually have to add a role to a group in Exchange Server 2010. To do this, you need to know the name of the new role as well as the name of the group where the role will reside.

The easiest way to find the name of a role is to look it up in another role group. For example, the Organization Management group contains all possible roles. If you instruct Exchange Server 2010 to show you a list of all roles that have been assigned to the Organization Management group, you can use that list to find out the name of the role you want to assign to another group.

To view roles that have been assigned to the Organization Management role group, open the Exchange Management Shell (EMS) and enter the following command:

(Get-RoleGroup "Organization Management").Roles

Figure 1 shows a partial output from this command. There are too many roles to include all of them in a single screen capture.

Figure 1. Use the Get-RoleGroup command to find out which roles are associated with a group in Exchange Server 2010.

You also can use the same command to determine which roles are associated with any of the role groups. To do so, just replace Organization Management with the name of the management role group you want to examine.
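The following script is an added example for this tip, not part of the original article. Before copying a role into a new group it is worth knowing which groups already hold it and with what scope; this goes one step beyond the (Get-RoleGroup).Roles listing above by querying the role assignments directly with Get-ManagementRoleAssignment. It runs in the Exchange Management Shell and uses only PowerShell 2.0 syntax; the role name passed in at the bottom is an assumed input value.

```powershell
# Added example (not from the original tip). Run in the Exchange Management Shell.
# Lists every role group that has been assigned the given management role, with the
# assignment's write scope and the group's size, so you can review who already holds
# the right before you assign it to another group.

function Get-RoleGroupsHoldingRole {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RoleName
    )

    # Fail early with a clear error if the role name is mistyped.
    $null = Get-ManagementRole -Identity $RoleName -ErrorAction Stop

    # A role assignment links one role to one assignee; keep only role groups.
    Get-ManagementRoleAssignment -Role $RoleName |
        Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
        ForEach-Object {
            $assignment = $_
            $group = Get-RoleGroup -Identity $assignment.RoleAssigneeName

            # New-Object PSObject keeps this compatible with PowerShell 2.0
            New-Object PSObject -Property @{
                RoleGroup   = $group.Name
                Enabled     = $assignment.Enabled
                WriteScope  = $assignment.RecipientWriteScope
                CustomScope = $assignment.CustomRecipientWriteScope
                MemberCount = @(Get-RoleGroupMember -Identity $group.Name).Count
                ManagedBy   = (@($group.ManagedBy | ForEach-Object { $_.ToString() }) -join ', ')
            }
        }
}

# Usage (assumed input): which groups can already manage transport rules?
Get-RoleGroupsHoldingRole -RoleName "Transport Rules" |
    Format-Table RoleGroup, Enabled, WriteScope, CustomScope, MemberCount, ManagedBy -AutoSize
```

The MemberCount and ManagedBy columns are the ones to read before adding the same role elsewhere: a large or self-managed group that already holds the role may mean the right is broader than intended.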

Creating a role group in Exchange Server 2010

There are a few things you need before you can create a new role group.

  • You must have a name to assign to the role group.
  • You need to know which users you want to assign to the group. You can always add more users later if needed.
  • You must know the names of the roles that you want to add to the management role group.

Let's create a role group that allows members to manage transport rules. We'll call this group Rules and add User1 and User2 to it. To create the group, open up the EMS and enter the following command:

New-RoleGroup -Name Rules -Roles "Transport Rules" -Members User1, User2

By default, the members of the group are also the ones who manage it (Figure 2). To control who manages the group, add the -ManagedBy parameter followed by the names of the users who will manage it.

Figure 2. User1 and User2 are listed as managing the newly created group.

How to limit the scope of a role group in Exchange 2010

A management role scope limits which objects a role's permissions apply to. The easiest way to add a scope to a role group is to base it on an organizational unit (OU). To do so, add the -RecipientOrganizationalUnitScope parameter to the New-RoleGroup command listed above, followed by the name of the OU.

For example, if you wanted to create the role group that we just used but limit its scope to an OU named Branch Office, use the following command:

New-RoleGroup -Name Rules -Roles "Transport Rules" -Members User1, User2 -RecipientOrganizationalUnitScope "Branch Office"

You don't have to base scopes on existing OUs; Exchange Server 2010 allows you to create custom scopes.
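Here is an added example of the custom-scope option mentioned above; it is not from the original tip. It builds a scope from a recipient filter with New-ManagementScope, previews what the filter matches before any rights are granted, and then creates the role group against that scope with -CustomRecipientWriteScope instead of an OU. The scope, group and user names are assumed values.

```powershell
# Added example (not from the original tip). Run in the Exchange Management Shell.
# Scope a role group to a set of recipients defined by a filter rather than by an OU.

# 1. Define the custom scope. The filter here (Department equals "Branch Office") is an
#    assumed value; any OPATH recipient filter can be used.
New-ManagementScope -Name "Branch Office Recipients" `
    -RecipientRestrictionFilter { Department -eq "Branch Office" }

# 2. Preview exactly which recipients the scope covers before handing out rights
#    against it. An over-broad filter silently widens the group's reach.
$scope = Get-ManagementScope -Identity "Branch Office Recipients"
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
    Select-Object Name, RecipientType

# 3. Create the role group bound to the custom write scope.
New-RoleGroup -Name "Rules (Branch Office)" -Roles "Transport Rules" `
    -Members User1, User2 -CustomRecipientWriteScope "Branch Office Recipients"

# 4. Read back the assignment to confirm the scope was applied.
Get-ManagementRoleAssignment -RoleAssignee "Rules (Branch Office)" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```

A recipient write scope restricts the recipient objects that the group's cmdlets may modify; it does not restrict configuration objects such as servers or databases, which have their own scope parameters. Step 4 is the check that tells you what the group can actually touch.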

Adding members to a role group in Exchange 2010

Now let's build on the previous Rules role group we just created and add User3 to the group (Figure 3). To do so, use the following command:

Add-RoleGroupMember "Rules" -Member User3

Figure 3. Use the Add-RoleGroupMember command to add a third user to the new role group.

Because Exchange Server 2010 doesn't confirm that User3 was added, display the group members to verify that the operation succeeded. To do so, use the Get-RoleGroupMember command followed by the name of the role group (Figure 4).

Figure 4. Use the Get-RoleGroupMember command to confirm group membership.

If you need to add multiple members to a group, you can use pipelining. For example, this command adds everyone in the IT department to your group:

$Mailboxes = Get-User -Filter { Department -eq "IT" }
$Mailboxes | ForEach { Add-RoleGroupMember "Rules" -Member $_.Name }

The command you need to remove a user from a role group -- Remove-RoleGroupMember -- is almost identical to the one you use to add a user. To remove User3 from the Rules role group, for example, use the following command:

Remove-RoleGroupMember "Rules" -Member User3
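The script below is an added example that ties the add, verify and remove commands above into one routine; it is not from the original tip. It keeps a role group's membership in step with a department: users who match the department filter but are missing from the group are added, users in the group who no longer match are removed, and the final membership is read back with Get-RoleGroupMember because Add-RoleGroupMember prints no confirmation. The group and department names are assumed values.

```powershell
# Added example (not from the original tip). Run in the Exchange Management Shell.
# Reconcile a role group's members against the users of one department.

function Sync-RoleGroupWithDepartment {
    param(
        [Parameter(Mandatory = $true)] [string]$RoleGroup,
        [Parameter(Mandatory = $true)] [string]$Department
    )

    # Build the OPATH filter as a string; double any single quote in the department
    # name so a value like "R'n'D" cannot break out of the quoted literal.
    $safeDept = $Department -replace "'", "''"
    $filter   = "Department -eq '$safeDept'"

    # Who should be in the group according to the directory.
    $expected = @(Get-User -Filter $filter | ForEach-Object { $_.Name })

    # Who is in the group right now (always read it back; Add gives no confirmation).
    $current = @(Get-RoleGroupMember -Identity $RoleGroup | ForEach-Object { $_.Name })

    # Add anyone missing.
    foreach ($name in $expected) {
        if ($current -notcontains $name) {
            Add-RoleGroupMember -Identity $RoleGroup -Member $name
            Write-Host "Added   $name to $RoleGroup"
        }
    }

    # Remove anyone who no longer belongs. Remove-RoleGroupMember prompts by default;
    # suppressing the prompt is deliberate because the decision was made above.
    foreach ($name in $current) {
        if ($expected -notcontains $name) {
            Remove-RoleGroupMember -Identity $RoleGroup -Member $name -Confirm:$false
            Write-Host "Removed $name from $RoleGroup"
        }
    }

    # Return the membership after the change so the caller can review or log it.
    Get-RoleGroupMember -Identity $RoleGroup
}

# Usage (assumed values): keep the Rules group equal to the IT department.
Sync-RoleGroupWithDepartment -RoleGroup "Rules" -Department "IT" | Format-Table Name, RecipientType
```

Run the function once against a test group before using it on a production role group: every user matched by the department filter gains the group's roles, so the filter deserves the same scrutiny as the role list.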

About the author: Brien M. Posey, MCSE, is a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

This was first published in August 2010
