Home > Exchange > When is a Role Group not a Group of Roles?

When is a Role Group not a Group of Roles?

A Role Group in Exchange 2010 is a special type of object that allows easy delegation of duties via the RBAC architecture.
What if though, you had an exisiting AD group that you want to assign some delegation to? How could you incorporate that without duplicating it as a Role Group?
There is an answer. Well, actually, two 🙂
1) Easy solution: Add the existing AD group to a Role Group you have setup (or a default Role Group that Exchange installs for you).
This will show up just fine in the ECP, and you just manage the membership as usual through ADU&C.
2) You can actually assign roles directly to regular AD groups (as long as they are a) security groups, and b) Universal scope).
Use the following example:
New-ManagementRoleAssignement -Role "Mail Recipient Creation" -SecurityGroup "Your Universal Group"
This assigns the individual role(s) direct to AD group, without the need to create a whole new Role Group.
Well, almost….
Only snag is that it will not appear in the ECP (the normal place to see and manage RBAC Role Groups).
It’s not a Role Group.
It’s a group with roles.
Technically, Role Groups are groups, with roles assigned. But our group in the example is a bog-standard AD group only, with roles assigned.
Consequently, it does not appear in ECP in the ‘Administrator Roles’ area, as this only displays ‘Role Groups’.
OK then, to display what the role assignments are (as ECP cannot be guaranteed to display the whole picture now), use:
or more specifically if you like:
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" |FL
So, in summary, Role Groups *are* the best way generally to assign roles (and hence workload Wink), but AD groups can also have roles assigned.
Categories: Exchange
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: