View Role Assignments

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Management role assignments assign a management role to a role assignee. For more information about management role assignments in Microsoft Exchange Server 2010, see Understanding Management Role Assignments.

You must use the Shell to view role assignments.

Looking for other management tasks related to roles? Check out Managing Advanced Permissions.

Prerequisites

This topic makes use of pipelining and the Format-List cmdlet. For more information about these concepts, see the following topics:

Note

You can't use the EMC to view role assignments.

View a list of all role assignments

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

You can view a list of all role assignments configured in your organization by running the Get-ManagementRoleAssignment cmdlet. If you want to retrieve a list of role assignments that match a partial string that you specify, use wildcard characters (*). This example retrieves a list of all the role assignments that start with the string "Tier 1".

Get-ManagementRoleAssignment "Tier 1*"

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View the details of a specific role assignment

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

You can view the details of a role assignment by piping the results of the Get-ManagementRoleAssignment cmdlet to the Format-List cmdlet. Use the following syntax.

Get-ManagementRoleAssignment <assignment name> | Format-List

This example retrieves the details of the Help Desk Assignment role assignment.

Get-ManagementRoleAssignment "Help Desk Assignment" | Format-List

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View the list of role assignments assigned to a specific role assignee

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of role assignments associated with a management role group, role, or role assignment policy, or associated with a user or universal security group (USG), use the following syntax.

Get-ManagementRoleAssignment -RoleAssignee <role assignee name>

This example retrieves all of the role assignments associated with the Server Management role group.

Get-ManagementRoleAssignment -RoleAssignee "Server Management"

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View the role assignments associated with a specific role

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

Each role can have multiple role assignments. You can use the Get-ManagementRoleAssignment cmdlet to view a list of role assignments associated with a specified role.

To view a list of role assignments associated with a specified role, use the following syntax.

Get-ManagementRoleAssignment -Role <role name>

This example retrieves all of the role assignments associated with the Mail Recipients role.

Get-ManagementRoleAssignment -Role "Mail Recipients"

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View a list of role assignments that use a specific predefined scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of role assignments that use a specific predefined scope, use the following syntax.

Get-ManagementRoleAssignment -RecipientWriteScope < MyGAL | MyDistributionGroups | Organization | Self | CustomRecipientScope | ExclusiveRecipientScope >

This example retrieves all of the role assignments that use the Organization predefined scope.

Get-ManagementRoleAssignment -RecipientWriteScope Organization

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View a list of role assignments that have been scoped to a specific OU

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of role assignments that have been scoped to a specific organizational unit (OU), use the following syntax.

Get-ManagementRoleAssignment -RecipientOrganizationalUnitScope <OU>

This example retrieves all of the role assignments that have been scoped to the North America\Engineering\Users OU in the contoso.com domain.

Get-ManagementRoleAssignment -RecipientOrganizationalUnitScope "contoso.com/North America/Engineering/Users"

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View a list of assignments that use a specific custom scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of role assignments that use a specific custom scope, you need to first determine whether the scope is a recipient scope, configuration scope, exclusive recipient scope, or exclusive configuration scope. Each type of scope uses a different parameter on the Get-ManagementRoleAssignment cmdlet. The following lists each scope and its associated parameter:

  • Recipient scopes: CustomRecipientWriteScope

  • Configuration scopes: CustomConfigWriteScope

  • Exclusive recipient scopes: ExclusiveRecipientWriteScope

  • Exclusive configuration scopes: ExclusiveConfigWriteScope

The syntax for each parameter is the same. Specify the name of the scope with the parameter that matches the type of scope it is.

This example retrieves all of the role assignments that use the Vancouver Recipients recipient scope.

Get-ManagementRoleAssignment -CustomRecipientWriteScope "Vancouver Recipients"

This example retrieves all of the role assignments that use the Seattle AD Site exclusive configuration scope.

Get-ManagementRoleAssignment -ExclusiveConfigWriteScope "Seattle AD Site"

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View a list of exclusive or regular scopes

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of exclusive or regular role assignments, use the following syntax.

Get-ManagementRoleAssignment -Exclusive < $True | $False >

For example, to view a list of role assignments that use exclusive scopes, run the following command:

Get-ManagementRoleAssignment -Exclusive $True

This example retrieves a list of role assignments that use regular scopes, without any that use exclusive scopes.

Get-ManagementRoleAssignment -Exclusive $False

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View who can modify a specific recipient or server

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of role assignments that can modify a specific recipient or server, use the WritableRecipient and WritableServer parameters. Specify the name of the recipient with the WritableRecipient parameter, and the name of the server with the WritableServer parameter.

This example retrieves a list of role assignments that can modify the recipient Brian.

Get-ManagementRoleAssignment -WritableRecipient "Brian"

You can combine the WritableRecipient and WritableServer parameters with other parameters, such as the RoleAssignee parameter and the GetEffectiveUsers switch, to refine your query and expand any role groups or USGs. This example retrieves all of the users who can modify the server EX02 and who are assigned the Server Management role group.

Get-ManagementRoleAssignment -WritableServer EX02 -RoleAssignee "Server Management" -GetEffectiveUsers

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

View the users who receive permissions from an assignment via a role group or USG

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of users that receive permissions from a role assignment, use the following syntax.

Get-ManagementRoleAssignment <assignment name> -GetEffectiveUsers

This example retrieves a list of users in the Help Desk Assignment role assignment.

Get-ManagementRoleAssignment "Help Desk Assignment" -GetEffectiveUsers

You can also combine the GetEffectiveUsers switch with several other parameters on the Get-ManagementRoleAssignment cmdlet to expand the role groups and USGs that the role assignments are assigned to. For an example of how the GetEffectiveUsers switch is used with other parameters, see "View who can modify a specific recipient or server" earlier in this topic.

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.
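The following is an added example, not part of the original topic or Microsoft's code. It turns the expanded output of the GetEffectiveUsers switch into a per-user access review that lists each user's roles and flags users who hold a role directly rather than through a role group or USG. The helper name Get-EffectiveAccessSummary is hypothetical and the sample rows are constructed so the block runs outside the Shell; Role, EffectiveUserName and AssignmentMethod are properties of the objects the cmdlet returns.

```powershell
# Added example. Get-EffectiveAccessSummary is a hypothetical helper name.
# Written for Windows PowerShell 2.0, which Exchange 2010 uses.
function Get-EffectiveAccessSummary {
    param([Parameter(ValueFromPipeline = $true)] $Assignment)
    begin { $rows = @() }
    process {
        # -GetEffectiveUsers also emits one row per group labelled
        # "All Group Members"; it is not a person, so leave it out.
        if ("$($Assignment.EffectiveUserName)" -eq 'All Group Members') { return }
        $rows += $Assignment
    }
    end {
        $rows | Group-Object EffectiveUserName | ForEach-Object {
            $roles  = $_.Group | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
            # A user with a Direct assignment bypasses group-based review.
            $direct = [bool]($_.Group | Where-Object { "$($_.AssignmentMethod)" -eq 'Direct' })
            New-Object PSObject -Property @{
                User   = $_.Name
                Roles  = $roles -join '; '
                Direct = $direct
            }
        } | Sort-Object User
    }
}

# In the Exchange Management Shell, feed it the cmdlet's output, for example
# every enabled assignment that can write to the whole organization:
#   Get-ManagementRoleAssignment -RecipientWriteScope Organization -Enabled $True `
#       -GetEffectiveUsers | Get-EffectiveAccessSummary | Format-Table User, Direct, Roles

# Constructed sample rows (not real output) so the function can be tried offline.
$sample = @(
    New-Object PSObject -Property @{ Role = 'Mail Recipients'
        EffectiveUserName = 'All Group Members'; AssignmentMethod = 'Direct' }
    New-Object PSObject -Property @{ Role = 'Mail Recipients'
        EffectiveUserName = 'Brian'; AssignmentMethod = 'RoleGroup' }
    New-Object PSObject -Property @{ Role = 'Exchange Servers'
        EffectiveUserName = 'Brian'; AssignmentMethod = 'Direct' }
    New-Object PSObject -Property @{ Role = 'Mail Recipients'
        EffectiveUserName = 'Isabel'; AssignmentMethod = 'RoleGroup' }
)
$sample | Get-EffectiveAccessSummary | Format-Table User, Direct, Roles -AutoSize
```

With the constructed rows, Brian is reported with two roles and Direct set to True, and Isabel with one role and Direct set to False.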

View a list of role assignments that are enabled or disabled

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To view a list of role assignments that are enabled or disabled, use the following syntax.

Get-ManagementRoleAssignment -Enabled < $True | $False >

This example retrieves a list of role assignments that are disabled.

Get-ManagementRoleAssignment -Enabled $False

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

 © 2010 Microsoft Corporation. All rights reserved.