Create a Regular or Exclusive Scope
Applies to: Exchange Server 2010
Management role scopes determine what objects are made available to a user so that the objects can be changed using the cmdlets and parameters assigned to them. By adding a management scope, you can configure management role assignments so users can administer specific servers, recipients, and other objects in your organization while being restricted from changing other objects.
Important
When you create a regular or exclusive scope, you override the write scope that's defined on the management role you're assigning. You can't override the read scope that's configured on the management role.
This procedure shows you how to create a custom management scope. If you want to create a management role assignment with a prebuilt or organizational unit (OU) management scope, see Add a Role to a User or USG.
Note
You can't use the EMC to create a custom scope or to add or change a management role assignment.
For more information about management role scopes and assignments in Microsoft Exchange Server 2010, see the following topics:
Looking for other management tasks related to scopes? Check out Managing Advanced Permissions.
Step 1: Create a custom scope
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.
To create a custom scope, choose one of the following types of scopes:
- Create a recipient filter scope
- Create a server filter configuration scope
- Create a server list configuration scope
- Create an exclusive scope
Create a recipient filter scope
Recipient filter-based scopes are created by using the RecipientRestrictionFilter parameter on the New-ManagementScope cmdlet. When you create a recipient filter, in addition to the recipient properties to filter, you can also specify the OU in which the filter query runs. When you specify a base OU, you further restrict the write scope of the role.
For more information about management scope filters, see Understanding Management Role Scope Filters.
Use the following syntax to create a recipient restriction filter scope with a base OU.
New-ManagementScope -Name <scope name> -RecipientRestrictionFilter <filter query> [-RecipientRoot <OU>]
This example creates a scope that includes all mailboxes within the contoso.com/Sales OU.
New-ManagementScope -Name "Mailboxes in Sales OU" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "contoso.com/Sales OU"
Note
You can omit the RecipientRoot parameter if you want the filter to apply to the entire implicit read scope of the management role and not just within a specific OU.
Create a server filter configuration scope
Server filter-based configuration scopes are created by using the ServerRestrictionFilter parameter on the New-ManagementScope cmdlet. A server filter enables you to create a scope that applies only to the servers that match the filter you specify.
For more information about management scope filters, see Understanding Management Role Scope Filters.
Use the following syntax to create a server restriction filter.
New-ManagementScope -Name <scope name> -ServerRestrictionFilter <filter query>
This example creates a scope that includes all the servers within the Seattle AD (Active Directory) site.
New-ManagementScope -Name "Servers in Seattle AD site" -ServerRestrictionFilter { ServerSite -eq 'Seattle' }
Create a server list configuration scope
Server list-based configuration scopes are created by using the ServerList parameter on the New-ManagementScope cmdlet. A server list scope enables you to create a scope that applies only to the servers you specify in a list.
Use the following syntax to create a server list scope.
New-ManagementScope -Name <scope name> -ServerList <server 1>, <server 2...>
This example creates a scope that applies only to MBX1, MBX3, and MBX5.
New-ManagementScope -Name "Mailbox servers" -ServerList MBX1,MBX3,MBX5
Create an exclusive scope
Any scope that you create with the New-ManagementScope cmdlet can be designated as an exclusive scope. To create an exclusive scope, you use the same commands in the Create a recipient filter scope, Create a server filter configuration scope, or Create a server list configuration scope sections to create a recipient filter-based scope, server filter-based scope, or server list-based scope respectively, and then add the Exclusive switch to the command.
Warning
When you create an exclusive management scope, the objects it contains can be modified only by role assignees whose assignments use an exclusive scope that contains those objects. No other administrator can access these exclusive, or protected, objects.
This example creates an exclusive recipient filter-based scope that matches any user in the Executives department.
New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -Eq "Executives" } -Exclusive
When an exclusive scope is created, you're required, by default, to acknowledge that you created an exclusive scope and that you're aware of the impact that an exclusive scope has on existing non-exclusive role assignments. If you want to suppress the warning, you can use the Force switch. This example creates the same scope as the previous example, but without a warning.
New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -Eq "Executives" } -Exclusive -Force
Step 2: Add or change a management role assignment
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.
After you create the scope, you must add it to a new or existing management role assignment.
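As an added end-to-end example (not part of this topic), the following Exchange Management Shell script walks through Step 1 and Step 2 together: it creates a recipient filter scope, a server list scope, and an exclusive scope, binds each to a management role assignment, and then checks which assignments can write to a given recipient. The scope, assignment, group and server names, the contoso.com OU path, and the executive1@contoso.com mailbox are constructed placeholders. The CustomRecipientWriteScope, CustomConfigWriteScope and ExclusiveRecipientWriteScope parameters of New-ManagementRoleAssignment, and the WritableRecipient parameter of Get-ManagementRoleAssignment, are the cmdlets' own parameters; the RecipientWriteScope output property used in the last line is assumed.

```powershell
# Added example, not from the original topic. All names, the OU path and the
# mailbox address are constructed placeholders.

# --- Step 1: create the scopes ---

# Recipient filter scope, narrowed further by a base OU (RecipientRoot).
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } `
    -RecipientRoot "contoso.com/Sales OU"

# Server list scope: a fixed set of servers rather than a filter.
New-ManagementScope -Name "Sales Mailbox Servers" -ServerList MBX1,MBX3

# Exclusive recipient scope. -Force suppresses the interactive acknowledgement
# (useful in a script); the effect on existing non-exclusive assignments is the
# same whether or not the prompt is shown, so review them before running this.
New-ManagementScope -Name "Executives Exclusive" `
    -RecipientRestrictionFilter { Department -eq 'Executives' } `
    -Exclusive -Force

# --- Step 2: bind the scopes to role assignments ---

# New assignment: the built-in Mail Recipients role for a helpdesk group, with
# writes limited to the Sales OU. The role's implicit read scope is unchanged.
New-ManagementRoleAssignment -Name "Mail Recipients-Sales Helpdesk" `
    -Role "Mail Recipients" -SecurityGroup "Sales Helpdesk" `
    -CustomRecipientWriteScope "Sales Mailboxes"

# Configuration (server) scopes go on -CustomConfigWriteScope instead.
New-ManagementRoleAssignment -Name "Exchange Servers-Sales Helpdesk" `
    -Role "Exchange Servers" -SecurityGroup "Sales Helpdesk" `
    -CustomConfigWriteScope "Sales Mailbox Servers"

# Exclusive scopes use the Exclusive* parameters, not the Custom* ones.
New-ManagementRoleAssignment -Name "Mail Recipients-Executive Admins" `
    -Role "Mail Recipients" -SecurityGroup "Executive Admins" `
    -ExclusiveRecipientWriteScope "Executives Exclusive"

# Changing an existing assignment to use a scope, instead of creating a new one.
Set-ManagementRoleAssignment -Identity "Mail Recipients-Sales Helpdesk" `
    -CustomRecipientWriteScope "Sales Mailboxes"

# --- Verification ---
# List the assignments that can write to a specific recipient. Once the
# exclusive scope exists, non-exclusive assignments should no longer appear
# for a mailbox whose Department is Executives.
Get-ManagementRoleAssignment -WritableRecipient "executive1@contoso.com" |
    Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope
```

Run the verification step both before and after creating the exclusive scope: the difference in the two lists is exactly the set of existing non-exclusive assignments that the scope locks out, which is the impact the acknowledgement prompt is warning about.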
If you create a management scope and want to add it to a new management role assignment that you are going to create, see the following topics:
If you create a management role scope and want to add it to an existing management role assignment, see the following topics: