Delegate Role Assignments
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Management role delegation enables role assignees to assign a specified management role to other management role groups, management role assignment policies, users, or universal security groups (USG). By default, only members of the Organization Management management role group can delegate role assignments. When a new installation of Microsoft Exchange Server 2010 is deployed, only the user account that installed Exchange 2010 is a member of the Organization Management role group.
If you assign a delegating role assignment to a role group, any member of the role group can delegate the associated management role to other role assignees.
Delegating role assignments doesn't give the role assignee the permissions granted by the role, only the ability to assign the role to others. If you want to also give the permissions granted by the role to the role assignee, you must also create a regular role assignment. To create a regular role assignment, see the following topics:
Add a Role to a Role Group
Add a Role to an Assignment Policy
Add a Role to a User or USG
This topic discusses management role assignment delegation. If you want to delegate who can add members to or remove members from role groups, which is the recommended method of delegation, see Add or Remove a Role Group Delegate.
For more information about regular role assignments and delegating management role assignments, see Understanding Management Role Assignments.
Looking for other management tasks related to managing permissions? Check out Managing Advanced Permissions.
Use the Shell to delegate a management role
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.
You can't use the EMC to delegate a role assignment.
You can create delegating role assignments using the same predefined scopes, recipient filter or server-filter-based scopes, server list-based scopes, and organizational unit (OU) scopes that can be used to create regular or exclusive scopes. The only difference between creating a regular role assignment and a delegating role assignment is the addition of the Delegating switch to the command. For more information about how to create role assignments, see the following topics:
You can't create a delegating role assignment to a management role assignment policy.
This example creates a delegating role assignment to enable members of the Senior Admins role group to assign the Mail Recipients role to any role assignee in the Exchange organization.
New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Senior Admins" -Name "Mail Recipients_Senior Admin - Delegate" -Delegating
This example creates a delegating role assignment to enable members of the Senior Admins role group to assign the Mail Recipients role only to users in the Sales/Users OU in the contoso.com domain.
New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Senior Admins" -Name "Mail Recipients_Senior Admins - Delegate" -RecipientOrganizationalUnitScope contoso.com/sales/users -Delegating
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
© 2010 Microsoft Corporation. All rights reserved.