Manage role groups in Exchange Online

A role group is a special kind of universal security group (USG) that's used in the Role Based Access Control (RBAC) permissions model in Exchange Online. Management role groups simplify the assignment and maintenance of permissions to users in Exchange Online. The members of the role group are assigned the same set of roles, and you add and remove permissions from users by adding them to or removing them from the role group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.

What do you need to know before you begin?

  • Estimated time to complete each procedure: 5 to 10 minutes

  • To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To open Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

  • The procedures in this topic require the Role Management RBAC role in Exchange Online. Typically, you get this permission via membership in the Organization Management role group (the Office 365 Global administrator role).

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

View role groups

Use the EAC to view role groups

  1. In the EAC, go to Permissions > Admin Roles. All of the role groups in your organization are listed here.

  2. Select a role group. The Details pane shows the Name, Description, Assigned roles, Members, Managed by, and Write scope of the role group. You can also see this information by clicking Edit.

Use Exchange Online PowerShell to view role groups

To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName (DN) value for Julia, which you can find by running the command: Get-User -Identity Julia | Format-List DistinguishedName.

Get-RoleGroup -Filter {Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'}

For detailed syntax and parameter information, see Get-RoleGroup.

Create role groups

When you create a new role group, you need to configure all of the settings yourself (during the creation of the group or after). To start with the configuration of an existing role group and modify it, see Copy existing role groups.

Use the EAC to create role groups

  1. In the EAC, go to Permissions > Admin Roles and then click Add.

  2. In the New role group window that appears, configure the following settings:

    • Name: Enter a unique name for the role group.

    • Description: Enter an optional description for the role group.

    • Write scope: The default value is Default, but you can also select a custom recipient write scope that you've already created.

    • Roles: Click Add to select the roles that you want to be assigned to the role group in the new window that appears.

    • Members: Click Add to select the members that you want to add to the role group in the new window that appears. You can select users, universal security groups (USGs), or other role groups (security principals).

    When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to create a role group

To create a new role group, use the following syntax:

New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"

  • The Roles parameter specifies the management roles to assign to the role group by using the following syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.

  • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role groups (security principals).

  • The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.

  • The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example creates a new role group named "Limited Recipient Management" with the following settings:

  • The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role group.

  • The users Kim and Martin are added as members. Because no custom recipient write scope was specified, Kim and Martin can manage any recipient in the organization.

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"

This is the same example with a custom recipient write scope, which means Kim and Martin can only manage recipients that are included in the Seattle Recipients scope (recipients who have their City property set to the value Seattle).

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-RoleGroup.

How do you know this worked?

To verify that you've successfully created a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List
    

Copy existing role groups

If an existing role group is close in terms of the permissions and settings that you want to assign to users, you can copy the existing role group and modify the copy to suit your needs.

Use the EAC to copy a role group

Note: You can't use the EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To copy role groups that have these settings, you need to use Exchange Online PowerShell.

  1. In the EAC, go to Permissions > Admin Roles.

  2. Select the role group that you want to copy and then click Copy.

  3. In the New role group window that appears, configure the following settings:

    • Name: The default value is "Copy of <Role Group Name>", but you can enter a unique name for the role group.

    • Description: The existing description is present, but you can change it.

    • Write scope: The existing write scope is selected, but you can select Default or another custom recipient write scope that you've already created.

    • Roles: Click Add or Remove to modify the roles that are assigned to the role group.

    • Members: Click Add or Remove to modify the role group membership.

    When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to copy a role group

  1. Store the role group that you want to copy in a variable using the following syntax:

    $RoleGroup = Get-RoleGroup "<Existing Role Group Name>"
    
  2. Create the new role group using the following syntax:

    New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing Custom Recipient Write Scope Name>"]
    
    • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role groups (security principals).
    • The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
    • The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example copies the Organization Management role group to the new role group named "Limited Organization Management". The role group members are Isabelle, Carter, and Lukas and the role group delegates are Jenny and Katie.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"

This example copies the Organization Management role group to the new role group called Vancouver Organization Management with the Vancouver Users custom recipient write scope.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"

For detailed syntax and parameter information, see New-RoleGroup.

How do you know this worked?

To verify that you've successfully copied a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List
    

Modify role groups

Use the EAC to modify role groups

  1. In the EAC, go to Permissions > Admin Roles, select the role group you want to modify, and then click Edit.

The same options are available when you modify role groups as when you create role groups (see Use the EAC to create role groups). You can:

  • Change the name and description.

  • Change the write scope (if you've created custom recipient write scopes).

  • Add and remove management roles (create or remove role assignments).

  • Add and remove members.

Notes:

  • You can't use the EAC to modify the write scope, roles and members of a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To modify the settings of these role groups, you need to use Exchange Online PowerShell.

  • Some role groups (for example, the Organization Management role group) restrict the roles that you can remove from the group.

  • You can't add or remove delegates to a role group in the EAC. You can only use Exchange Online PowerShell.

Use Exchange Online PowerShell to add roles to role groups (create role assignments)

To add roles to role groups in Exchange Online PowerShell, you create management role assignments by using the following syntax:

New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

  • The role assignment name is created automatically if you don't specify one.

  • If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope and implicit write scope of the role is applied to the role assignment.

  • If a predefined scope meets your business requirements, you can use the RecipientRelativeWriteScope parameter to apply the scope to the role assignment.

  • To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.

This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization predefined scope.

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle Recipients scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)

To remove roles from role groups in Exchange Online PowerShell, you remove management role assignments by using the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment

  • To remove regular role assignments that grant permissions to users, use the value $false for the Delegating parameter.

  • To remove delegating role assignments that allow the role to be assigned to others, use the value $true for the Delegating parameter.

This example removes the Distribution Groups role from the Seattle Recipient Administrators role group.

Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Administrators" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.

Use Exchange Online PowerShell to modify the scope of role assignments in role groups

The write scope of a role assignment in a role group defines the objects that the members of the role group can operate on (for example, all users, or only the users whose City property has the value Vancouver). You can modify the write scope of the roles assigned to a role group to:

  • The implicit scope from the roles themselves. This means you didn't specify any custom scopes when you created the role group, or you set the value of all role assignments in an existing role group to the value $null.

  • The same custom scope for all role assignments.

  • Different custom scopes for each individual role assignment.

To set the scope on all of the role assignments on a role group at the same time, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for all role assignments on the Sales Recipient Management role group to Direct Sales Employees.

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

To change the scope on an individual role assignment between a role group and a management role, do the following steps:

  1. Replace <Role Group Name> with the name of the role group and run the following command to find the names of all the role assignments on the role group:

    Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name
    
  2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next step.

  3. To set the scope on the individual role assignment, use the following syntax:

    Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]
    

This example changes the recipient scope for the role assignment named Mail Recipients_Sales Recipient Management to All Sales Employees.

```
Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"
```

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.

Use Exchange Online PowerShell to modify the list of delegates in role groups

Role group delegates define who is allowed to modify and delete the role group. You can't manage role group delegates in the EAC.

To modify the list of delegates in a role group, use the following syntax:

Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>

  • To replace the existing list of delegates with the values you specify, use the following syntax: "Delegate1","Delegate2",..."DelegateN".

  • To selectively modify the existing list of delegates, use the following syntax: @{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...}.

This example replaces all current delegates of the Help Desk role group with the specified users.

Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of delegates on the Help Desk role group.

Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Set-RoleGroup.

Use Exchange Online PowerShell to modify the list of members in role groups

  • The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of members.

  • The members of a role group can be users, universal security groups (USGs), or other role groups (security principals).

To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]

  • To replace the existing list of members with the values you specify, use the following syntax: "Member1","Member2",..."MemberN".

  • To selectively modify the existing list of members, use the following syntax: @{Add="Member1","Member2"...; Remove="Member3","Member4"...}.

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members on the Help Desk role group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.
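
Because members and delegates can be replaced wholesale with a single command, it helps to compare each role group against an approved list after changes. The following is an added example, not part of the original documentation; the baseline hashtable format and the function name Compare-RoleGroupBaseline are assumptions, and the sample objects are constructed to mirror the Name, Members and ManagedBy properties of Get-RoleGroup output.

```powershell
# Added example (not from the original page). Compares the Members and ManagedBy
# values of role group objects with an approved baseline and reports drift.
function Compare-RoleGroupBaseline {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-RoleGroup output (Name, Members, ManagedBy).
        [Parameter(Mandatory)] [object[]] $RoleGroup,
        # Hypothetical baseline format: @{ '<group>' = @{ Members = ...; ManagedBy = ... } }
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($rg in $RoleGroup) {
        $approved = $Baseline[$rg.Name]
        if ($null -eq $approved) {
            # A role group that was never approved is itself a finding.
            [pscustomobject]@{ RoleGroup = $rg.Name; Property = '(role group)'
                               Finding = 'NotInBaseline'; Principal = '' }
            continue
        }
        foreach ($prop in 'Members', 'ManagedBy') {
            # Normalise both sides to string arrays and drop empty entries.
            $actual   = @($rg.$prop | ForEach-Object { [string]$_ } | Where-Object { $_ })
            $expected = @($approved[$prop] | Where-Object { $_ })
            foreach ($p in @($actual | Where-Object { $_ -notin $expected })) {
                [pscustomobject]@{ RoleGroup = $rg.Name; Property = $prop
                                   Finding = 'Unexpected'; Principal = $p }
            }
            foreach ($p in @($expected | Where-Object { $_ -notin $actual })) {
                [pscustomobject]@{ RoleGroup = $rg.Name; Property = $prop
                                   Finding = 'Missing'; Principal = $p }
            }
        }
    }
}

# Constructed sample data: the Help Desk group after the selective Add/Remove
# examples above, plus a role group that is absent from the baseline.
$baseline = @{
    'Help Desk' = @{
        Members   = 'Gabriela Laureano', 'Hyun-Ae Rim', 'Jacob Berger', 'Valeria Barrios'
        ManagedBy = 'Gabriela Laureano', 'Valeria Barrios'
    }
}
$current = @(
    [pscustomobject]@{
        Name      = 'Help Desk'
        Members   = @('Gabriela Laureano', 'Hyun-Ae Rim', 'Jacob Berger', 'Daigoro Akai')
        ManagedBy = @('Gabriela Laureano', 'Daigoro Akai')
    }
    [pscustomobject]@{
        Name      = 'Training Administrators'
        Members   = @('Kim')
        ManagedBy = @('Martin')
    }
)
Compare-RoleGroupBaseline -RoleGroup $current -Baseline $baseline | Format-Table -AutoSize

# Live use in a connected Exchange Online PowerShell session. Principals may be
# returned in a different form than display names, so record the baseline from
# the same cmdlet output:
# Compare-RoleGroupBaseline -RoleGroup (Get-RoleGroup) -Baseline $baseline
```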

How do you know this worked?

To verify that you've successfully modified a role group, do any of the following steps:

  • In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List
    
  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

    Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-Table *WriteScope
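
A role added to a scoped role group with New-ManagementRoleAssignment and no scope parameter gets the role's implicit write scope, which can be wider than the scope on the group's other assignments. The following is an added example, not part of the original documentation, that summarises write scopes per role group and flags that case; the function name Get-RoleGroupScopeSummary is hypothetical, and the sample objects are constructed with the property names of Get-ManagementRoleAssignment output (RoleAssigneeName, Role, RoleAssignmentDelegationType, CustomRecipientWriteScope).

```powershell
# Added example (not from the original page). Summarises custom recipient write
# scopes per role group and flags groups whose regular assignments are unscoped
# or use more than one scope.
function Get-RoleGroupScopeSummary {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ManagementRoleAssignment output.
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Assignment
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($a in $Assignment) { $all.Add($a) } }
    end {
        foreach ($g in ($all | Group-Object -Property RoleAssigneeName)) {
            # Regular assignments grant permissions; delegating ones only allow
            # the role to be assigned to others, so they are listed separately.
            $regular    = @($g.Group | Where-Object { $_.RoleAssignmentDelegationType -eq 'Regular' })
            $delegating = @($g.Group | Where-Object { $_.RoleAssignmentDelegationType -ne 'Regular' })
            $unscoped   = @($regular | Where-Object { -not [string]$_.CustomRecipientWriteScope })
            $scopes     = @($regular | ForEach-Object { [string]$_.CustomRecipientWriteScope } |
                            Where-Object { $_ } | Sort-Object -Unique)
            [pscustomobject]@{
                RoleGroup       = $g.Name
                CustomScopes    = $scopes -join '; '
                UnscopedRoles   = ($unscoped   | ForEach-Object { [string]$_.Role }) -join '; '
                DelegatingRoles = ($delegating | ForEach-Object { [string]$_.Role }) -join '; '
                # True when scoped and unscoped assignments are mixed, or when
                # more than one custom scope is in use on the same role group.
                MixedScopes     = ($scopes.Count -gt 1) -or
                                  ($scopes.Count -ge 1 -and $unscoped.Count -gt 0)
            }
        }
    }
}

# Constructed sample data, using role group and scope names from the examples above.
$sample = @(
    [pscustomobject]@{ RoleAssigneeName = 'Sales Recipient Management'; Role = 'Mail Recipients'
        RoleAssignmentDelegationType = 'Regular'; CustomRecipientWriteScope = 'All Sales Employees' }
    [pscustomobject]@{ RoleAssigneeName = 'Sales Recipient Management'; Role = 'Distribution Groups'
        RoleAssignmentDelegationType = 'Regular'; CustomRecipientWriteScope = 'Direct Sales Employees' }
    [pscustomobject]@{ RoleAssigneeName = 'Sales Recipient Management'; Role = 'Message Tracking'
        RoleAssignmentDelegationType = 'Regular'; CustomRecipientWriteScope = $null }
    [pscustomobject]@{ RoleAssigneeName = 'Seattle Recipient Admins'; Role = 'Message Tracking'
        RoleAssignmentDelegationType = 'Regular'; CustomRecipientWriteScope = 'Seattle Recipients' }
    [pscustomobject]@{ RoleAssigneeName = 'Seattle Recipient Admins'; Role = 'Mail Recipients'
        RoleAssignmentDelegationType = 'Regular'; CustomRecipientWriteScope = 'Seattle Recipients' }
    [pscustomobject]@{ RoleAssigneeName = 'Organization Management'; Role = 'Mail Recipients'
        RoleAssignmentDelegationType = 'DelegatingOrgWide'; CustomRecipientWriteScope = $null }
)
$sample | Get-RoleGroupScopeSummary | Format-Table -AutoSize

# Live use in a connected Exchange Online PowerShell session:
# Get-RoleGroup | ForEach-Object { Get-ManagementRoleAssignment -RoleAssignee $_.Name } |
#     Get-RoleGroupScopeSummary | Where-Object MixedScopes
```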
    

Remove role groups

You can't remove built-in role groups, but you can remove custom role groups that you've created.

Notes:

  • When you remove a role group, the management role assignments between the role group and the management roles are deleted. Any management roles that are assigned to the role group aren't deleted.

  • If a user depends on the role group for access to a feature, the user will no longer have access to the feature after you delete the role group.

Use the EAC to remove a role group

  1. In the EAC, go to Permissions > Admin Roles.

  2. Select the role group you want to remove and then click Delete.

  3. Click Yes in the confirmation window that appears.

Use Exchange Online PowerShell to remove a role group

To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

This example removes the Vancouver Recipient Administrators role group. Because the user running the command isn't defined in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck switch is required in the command. The user that's running the command is assigned the Role Management role, which enables the user to bypass the security group manager check.

Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck

For detailed syntax and parameter information, see Remove-RoleGroup.

How do you know this worked?

To verify that you've removed a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin Roles and verify that the role group is no longer listed.

  • In Exchange Online PowerShell, run the following command to verify the role group is no longer listed:

    Get-RoleGroup