Add or Remove a Role Group Delegate
Applies to: Exchange Server 2010
Management role group delegates are users or universal security groups (USGs) that can add or remove members from a role group or change the properties of a role group. By adding or removing role group delegates, you can control who is allowed to manage a role group. For more information about role groups in Microsoft Exchange Server 2010, see Understanding Management Role Groups.
Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.
Important
After you add a delegate to a role group, the role group can only be managed by the delegates on the role group, or by users who are assigned, either directly or indirectly, the Role Management management role.
If a user is assigned, either directly or indirectly, the Role Management role and isn't added as a delegate of the role group, the user must use the BypassSecurityGroupManagerCheck switch on the Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, and Set-RoleGroup cmdlets to manage a role group.
Use the Shell to add a delegate to a role group
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note
You can't use the EMC to add a delegate to a role group.
To change the list of delegates on a role group, you use the ManagedBy parameter on the Set-RoleGroup cmdlet. The ManagedBy parameter overwrites the entire delegate list on the role group. If you want to add delegates to the role group rather than replace the entire list of delegates, use the following steps:
Store the role group in a variable using the following command.
$RoleGroup = Get-RoleGroup <role group name>
Add the delegate to the role group stored in the variable using the following command.
$RoleGroup.ManagedBy += (Get-User <user to add>).Identity
Note
Use the Get-Group cmdlet if you want to add a USG.
Repeat Step 2 for each delegate you want to add.
Apply the new list of delegates to the actual role group using the following command.
Set-RoleGroup <role group name> -ManagedBy $RoleGroup.ManagedBy
This example adds the user David Strome as a delegate on the Organization Management role group.
$RoleGroup = Get-RoleGroup "Organization Management"
$RoleGroup.ManagedBy += (Get-User "David Strome").Identity
Set-RoleGroup "Organization Management" -ManagedBy $RoleGroup.ManagedBy
For detailed syntax and parameter information, see Set-RoleGroup.
Use the Shell to remove a delegate from a role group
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note
You can't use the EMC to remove a delegate from a role group.
To change the list of delegates on a role group, you use the ManagedBy parameter on the Set-RoleGroup cmdlet. The ManagedBy parameter overwrites the entire delegate list on the role group. If you want to remove delegates from the role group rather than replace the entire list of delegates, use the following steps:
Store the role group in a variable using the following command.
$RoleGroup = Get-RoleGroup <role group name>
Remove the delegate from the role group stored in the variable using the following command.
$RoleGroup.ManagedBy -= (Get-User <user to remove>).Identity
Note
Use the Get-Group cmdlet if you want to remove a USG.
Repeat Step 2 for each delegate you want to remove.
Apply the new list of delegates to the actual role group using the following command.
Set-RoleGroup <role group name> -ManagedBy $RoleGroup.ManagedBy
This example removes the user David Strome as a delegate on the Organization Management role group.
$RoleGroup = Get-RoleGroup "Organization Management"
$RoleGroup.ManagedBy -= (Get-User "David Strome").Identity
Set-RoleGroup "Organization Management" -ManagedBy $RoleGroup.ManagedBy
For detailed syntax and parameter information, see Set-RoleGroup.
Other Tasks
After you add a delegate to a role group, you may also want to: