Manage role groups in Exchange Online

A role group is a special kind of universal security group (USG) that's used in the Role Based Access Control (RBAC) permissions model in Exchange Online. Management role groups simplify the assignment and maintenance of permissions to users in Exchange Online. The members of the role group are assigned the same set of roles, and you add and remove permissions from users by adding them to or removing them from the role group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

View role groups

Use the EAC to view role groups

  1. In the EAC, go to Permissions > Admin Roles. All of the role groups in your organization are listed here.

  2. Select a role group. The Details pane shows the Name, Description, Assigned roles, Members, Managed by, and Write scope of the role group. You can also see this information by clicking Edit.

Use Exchange Online PowerShell to view role groups

To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName (DN) value for Julia, which you can find by running the command: Get-User -Identity Julia | Format-List DistinguishedName.

Get-RoleGroup -Filter {Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'}

For detailed syntax and parameter information, see Get-RoleGroup.

Create role groups

When you create a new role group, you need to configure all of the settings yourself (during the creation of the group or after). To start with the configuration of an existing role group and modify it, see Copy existing role groups.

Use the EAC to create role groups

  1. In the EAC, go to Permissions > Admin Roles and then click Add.

  2. In the New role group window that appears, configure the following settings:

    • Name: Enter a unique name for the role group.

    • Description: Enter an optional description for the role group.

    • Write scope: The default value is Default, but you can also select a custom recipient write scope that you've already created.

    • Roles: Click Add to select the roles that you want to be assigned to the role group in the new window that appears.

    • Members: Click Add to select the members that you want to add to the role group in the new window that appears. You can select users, universal security groups (USGs), or other role groups (security principals).

    When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to create a role group

To create a new role group, use the following syntax:

New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"

  • The Roles parameter specifies the management roles to assign to the role group by using the following syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.

  • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role groups (security principals).

  • The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.

  • The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example creates a new role group named "Limited Recipient Management" with the following settings:

  • The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role group.

  • The users Kim and Martin are added as members. Because no custom recipient write scope was specified, Kim and Martin can manage any recipient in the organization.

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"

This is the same example with a custom recipient write scope, which means Kim and Martin can only manage recipients that are included in the Seattle Recipients scope (recipients who have their City property set to the value Seattle).

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-RoleGroup.

How do you know this worked?

To verify that you've successfully created a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List
    

Copy existing role groups

If an existing role group is close in terms of the permissions and settings that you want to assign to users, you can copy the existing role group and modify the copy to suit your needs.

Use the EAC to copy a role group

Note: You can't use the EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To copy role groups that have these settings, you need to use Exchange Online PowerShell.

  1. In the EAC, go to Permissions > Admin Roles.

  2. Select the role group that you want to copy and then click Copy.

  3. In the New role group window that appears, configure the following settings:

    • Name: The default value is "Copy of <Role Group Name>", but you can enter a unique name for the role group.

    • Description: The existing description is present, but you can change it.

    • Write scope: The existing write scope is selected, but you can select Default or another custom recipient write scope that you've already created.

    • Roles: Click Add or Remove to modify the roles that are assigned to the role group.

    • Members: Click Add or Remove to modify the role group membership.

    When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to copy a role group

  1. Store the role group that you want to copy in a variable using the following syntax:

    $RoleGroup = Get-RoleGroup "<Existing Role Group Name>"
    
  2. Create the new role group using the following syntax:

    New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing Custom Recipient Write Scope Name>"]
    
    • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role groups (security principals).
    • The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
    • The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example copies the Organization Management role group to the new role group named "Limited Organization Management". The role group members are Isabelle, Carter, and Lukas and the role group delegates are Jenny and Katie.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"

This example copies the Organization Management role group to the new role group called Vancouver Organization Management with the Vancouver Users custom recipient write scope.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"

For detailed syntax and parameter information, see New-RoleGroup.

How do you know this worked?

To verify that you've successfully copied a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List
    

Modify role groups

Use the EAC to modify role groups

  1. In the EAC, go to Permissions > Admin Roles, select the role group you want to modify, and then click Edit.

The same options are available when you modify role groups as when you create role groups. You can:

  • Change the name and description.

  • Change the write scope (if you've created custom recipient write scopes).

  • Add and remove management roles (create or remove role assignments).

  • Add and remove members.

Notes:

  • You can't use the EAC to modify the write scope, roles and members of a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To modify the settings of these role groups, you need to use Exchange Online PowerShell.

  • Some role groups (for example, the Organization Management role group) restrict the roles that you can remove from the group.

  • You can't add or remove delegates to a role group in the EAC. You can only use Exchange Online PowerShell.

Use Exchange Online PowerShell to add roles to role groups (create role assignments)

To add roles to role groups in Exchange Online PowerShell, you create management role assignments by using the following syntax:

New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

  • The role assignment name is created automatically if you don't specify one.

  • If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope and implicit write scope of the role are applied to the role assignment.

  • If a predefined scope meets your business requirements, you can use the RecipientRelativeWriteScope parameter to apply the scope to the role assignment.

  • To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.

This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization predefined scope.

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle Recipients scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)

To remove roles from role groups in Exchange Online PowerShell, you remove management role assignments by using the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment

  • To remove regular role assignments that grant permissions to users, use the value $false for the Delegating parameter.

  • To remove delegating role assignments that allow the role to be assigned to others, use the value $true for the Delegating parameter.

This example removes the Distribution Groups role from the Seattle Recipient Administrators role group.

Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Administrators" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.

Use Exchange Online PowerShell to modify the scope of role assignments in role groups

The write scope of a role assignment in a role group defines the objects that the members of the role group can operate on (for example, all users, or only the users whose City property has the value Vancouver). You can modify the write scope of the roles assigned to a role group to:

  • The implicit scope from the roles themselves. This means you didn't specify any custom scopes when you created the role group, or you set the value of all role assignments in an existing role group to the value $null.

  • The same custom scope for all role assignments.

  • Different custom scopes for each individual role assignment.

To set the scope on all of the role assignments on a role group at the same time, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for all role assignments on the Sales Recipient Management role group to Direct Sales Employees.

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

To change the scope on an individual role assignment between a role group and a management role, do the following steps:

  1. Replace <Role Group Name> with the name of the role group and run the following command to find the names of all the role assignments on the role group:

    Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name
    
  2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next step.

  3. To set the scope on the individual role assignment, use the following syntax:

    Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for the role assignment named Mail Recipients_Sales Recipient Management to All Sales Employees.

```
Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"
```

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.

Use Exchange Online PowerShell to modify the list of delegates in role groups

Role group delegates define who is allowed to modify and delete the role group. You can't manage role group delegates in the EAC.

To modify the list of delegates in a role group, use the following syntax:

Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>

  • To replace the existing list of delegates with the values you specify, use the following syntax: "Delegate1","Delegate2",..."DelegateN".

  • To selectively modify the existing list of delegates, use the following syntax: @{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...}.

This example replaces all current delegates of the Help Desk role group with the specified users.

Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of delegates on the Help Desk role group.

Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Set-RoleGroup.

Use Exchange Online PowerShell to modify the list of members in role groups

  • The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of members.

  • The members of a role group can be users, universal security groups (USGs), or other role groups (security principals).

To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]

  • To replace the existing list of members with the values you specify, use the following syntax: "Member1","Member2",..."MemberN".

  • To selectively modify the existing list of members, use the following syntax: @{Add="Member1","Member2"...; Remove="Member3","Member4"...}.

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members on the Help Desk role group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.
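
The selective Add/Remove syntax applies to both delegates (ManagedBy) and members. As an added example that is not part of the original article, this helper derives that hashtable from the current list and the desired list, so a change can be reviewed before an existing list is replaced wholesale. The function name and the sample lists are constructed for illustration, and it assumes each name identifies one member or delegate.

```powershell
# Added example, not from the original article.
# Builds the @{Add=...; Remove=...} form described above from two name lists.
function Get-RoleGroupListChange {
    [CmdletBinding()]
    param(
        # Names currently on the role group (may be empty for a new group).
        [AllowNull()] [AllowEmptyCollection()] [string[]] $Current,
        # Names that should be on the role group after the change.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Desired
    )

    # Drop null or empty entries so an empty current list is handled cleanly.
    $Current = @($Current | Where-Object { $_ })
    $Desired = @($Desired | Where-Object { $_ })

    # -notin compares case-insensitively, so "kim" and "Kim" are one entry.
    $add    = @($Desired | Where-Object { $_ -notin $Current } | Select-Object -Unique)
    $remove = @($Current | Where-Object { $_ -notin $Desired } | Select-Object -Unique)

    $change = @{}
    if ($add.Count -gt 0)    { $change['Add']    = $add }
    if ($remove.Count -gt 0) { $change['Remove'] = $remove }

    # An empty hashtable means the two lists already match.
    $change
}

# Constructed sample lists for the Help Desk role group.
$current = 'Gabriela Laureano', 'Hyun-Ae Rim', 'Valeria Barrios'
$desired = 'Gabriela Laureano', 'Hyun-Ae Rim', 'Daigoro Akai'

$change = Get-RoleGroupListChange -Current $current -Desired $desired
$change

# In a connected Exchange Online PowerShell session, the current list can be
# read from the role group and the change previewed before it is applied:
#   $current = (Get-RoleGroupMember -Identity "Help Desk").Name
#   Update-RoleGroupMember -Identity "Help Desk" -Members $change -WhatIf
```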

How do you know this worked?

To verify that you've successfully modified a role group, do any of the following steps:

  • In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List
    
  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-Table *WriteScope
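
As an added example that is not part of the original article, the following function extends the write-scope check above to every role group at once: for each role assignment it reports the effective write scope, whether a custom recipient write scope is set, and who belongs to and manages the group. The function name and the sample objects are constructed for illustration; it assumes the Get-RoleGroup and Get-ManagementRoleAssignment output exposes the property names used here.

```powershell
# Added example, not from the original article.
# Reports how far each role assignment on each role group reaches, so that
# assignments without a custom recipient write scope stand out in a review.
function Get-RoleGroupScopeReport {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-RoleGroup output (Name, Members, ManagedBy).
        [Parameter(Mandatory)] [object[]] $RoleGroup,
        # Objects shaped like Get-ManagementRoleAssignment output.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assignment
    )

    foreach ($group in $RoleGroup) {
        # Role assignments whose assignee is this role group.
        $own = @($Assignment | Where-Object { $_.RoleAssigneeName -eq $group.Name })

        foreach ($a in $own) {
            $custom = [string]$a.CustomRecipientWriteScope
            [pscustomobject]@{
                RoleGroup    = $group.Name
                Role         = [string]$a.Role
                # Delegating assignments let the role be assigned to others.
                Delegating   = ([string]$a.RoleAssignmentDelegationType -ne 'Regular')
                # Custom scope name if one is set, otherwise the implicit or
                # predefined scope reported by the assignment.
                WriteScope   = if ($custom) { $custom } else { [string]$a.RecipientWriteScope }
                CustomScoped = [bool]$custom
                MemberCount  = @($group.Members | Where-Object { $_ }).Count
                Delegates    = @($group.ManagedBy | Where-Object { $_ }) -join '; '
            }
        }
    }
}

# Constructed sample data that reuses role group names from this article.
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Limited Recipient Management'
                       Members = @('Kim', 'Martin'); ManagedBy = @() }
    [pscustomobject]@{ Name = 'Seattle Recipient Admins'
                       Members = @('Kim'); ManagedBy = @('Jenny') }
)
$sampleAssignments = @(
    [pscustomobject]@{ RoleAssigneeName = 'Limited Recipient Management'
                       Role = 'Mail Recipients'
                       RoleAssignmentDelegationType = 'Regular'
                       RecipientWriteScope = 'Organization'
                       CustomRecipientWriteScope = $null }
    [pscustomobject]@{ RoleAssigneeName = 'Limited Recipient Management'
                       Role = 'Mail Enabled Public Folders'
                       RoleAssignmentDelegationType = 'Regular'
                       RecipientWriteScope = 'Organization'
                       CustomRecipientWriteScope = $null }
    [pscustomobject]@{ RoleAssigneeName = 'Seattle Recipient Admins'
                       Role = 'Message Tracking'
                       RoleAssignmentDelegationType = 'Regular'
                       RecipientWriteScope = 'CustomRecipientScope'
                       CustomRecipientWriteScope = 'Seattle Recipients' }
)

# Unscoped assignments sort first.
Get-RoleGroupScopeReport -RoleGroup $sampleGroups -Assignment $sampleAssignments |
    Sort-Object CustomScoped, RoleGroup |
    Format-Table -AutoSize

# In a connected Exchange Online PowerShell session, use live data instead:
#   Get-RoleGroupScopeReport -RoleGroup (Get-RoleGroup) -Assignment (Get-ManagementRoleAssignment)
```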
    

Remove role groups

You can't remove built-in role groups, but you can remove custom role groups that you've created.

Notes:

  • When you remove a role group, the management role assignments between the role group and the management roles are deleted. Any management roles that are assigned to the role group aren't deleted.

  • If a user depends on the role group for access to a feature, the user will no longer have access to the feature after you delete the role group.

Use the EAC to remove a role group

  1. In the EAC, go to Permissions > Admin Roles.

  2. Select the role group you want to remove and then click Delete.

  3. Click Yes in the confirmation window that appears.

Use Exchange Online PowerShell to remove a role group

To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

This example removes the Vancouver Recipient Administrators role group. Because the user running the command isn't defined in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck switch is required in the command. The user that's running the command is assigned the Role Management role, which enables the user to bypass the security group manager check.

Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck

For detailed syntax and parameter information, see Remove-RoleGroup.

How do you know this worked?

To verify that you've removed a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin Roles and verify that the role group is no longer listed.

  • In Exchange Online PowerShell, run the following command to verify the role group is no longer listed:

    Get-RoleGroup