Create a regular or exclusive scope
Applies to: Exchange Server 2013
Management role scopes determine what objects are made available to a user so that the objects can be changed using the cmdlets and parameters assigned to them. By adding a management scope, you can configure management role assignments so users can administer specific servers, databases, recipients, and other objects in your organization while being restricted from changing other objects.
Important
When you create a regular or exclusive scope, you override the write scope that's defined on the management role you're assigning. You can't override the read scope that's configured on the management role.
You can create a custom management scope and add or change a management role assignment. If you want to create a management role assignment with a prebuilt or organizational unit (OU) management scope, see Add a role to a user or USG.
For more information about management role scopes and assignments in Microsoft Exchange Server 2013, see the following topics:
Looking for other management tasks related to scopes? Check out Advanced permissions.
What do you need to know before you begin?
Estimated time to complete each procedure: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Management scopes" entry in the Role management permissions topic.
You must use the Shell to perform these procedures.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Step 1: Create a custom scope
To create a custom scope, choose one of the following types of scopes.
Recipient filter scope
Recipient filter-based scopes are created by using the RecipientRestrictionFilter parameter on the New-ManagementScope cmdlet. When you create a recipient filter, in addition to the recipient properties to filter, you can specify the OU in which the filter query runs. When you specify a base OU, you further restrict the write scope of the role.
For more information about management scope filters, see Understanding management role scope filters.
Use the following syntax to create a domain restriction filter scope with a base OU.
New-ManagementScope -Name <scope name> -RecipientRestrictionFilter <filter query> [-RecipientRoot <OU>]
This example creates a scope that includes all mailboxes within the contoso.com/Sales OU.
New-ManagementScope -Name "Mailboxes in Sales OU" -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'" -RecipientRoot "contoso.com/Sales OU"
Note
You can omit the RecipientRoot parameter if you want the filter to apply to the entire implicit read scope of the management role and not just within a specific OU.
For detailed syntax and parameter information, see New-ManagementScope.
Server filter configuration scope
Server filter-based configuration scopes are created by using the ServerRestrictionFilter parameter on the New-ManagementScope cmdlet. A server filter enables you to create a scope that applies only to the servers that match the filter you specify.
For more information about management scope filters and for a list of filterable server properties, see Understanding management role scope filters.
Use the following syntax to create a server filter scope.
New-ManagementScope -Name <scope name> -ServerRestrictionFilter <filter query>
This example creates a scope that includes all the servers within the 'CN=Redmond,CN=Sites,CN=Configuration,DC=contoso,DC=com' AD (Active Directory) site.
New-ManagementScope -Name "Servers in Seattle AD site" -ServerRestrictionFilter "ServerSite -eq 'CN=Redmond,CN=Sites,CN=Configuration,DC=contoso,DC=com'"
For detailed syntax and parameter information, see New-ManagementScope.
Server list configuration scope
Server list-based configuration scopes are created by using the ServerList parameter on the New-ManagementScope cmdlet. A server list scope enables you to create a scope that applies only to the servers you specify in a list.
Use the following syntax to create a server list scope.
New-ManagementScope -Name <scope name> -ServerList <server 1>, <server 2...>
This example creates a scope that applies only to MBX1, MBX3, and MBX5.
New-ManagementScope -Name "Mailbox servers" -ServerList MBX1,MBX3,MBX5
For detailed syntax and parameter information, see New-ManagementScope.
Database filter configuration scope
Database filter-based configuration scopes are created by using the DatabaseRestrictionFilter parameter on the New-ManagementScope cmdlet. A database filter enables you to create a scope that applies only to the databases that match the filter you specify.
Important
Role assignments associated with database scopes are applied only to users who connect to servers running Microsoft Exchange Server 2010 Service Pack 1 (SP1) or later or Exchange 2013. If a user assigned a role assignment associated with a database scope connects to a pre-Exchange 2010 SP1 server, the role assignment isn't applied to the user, and the user won't be granted any permissions provided by the role assignment.
For more information about management scope filters and for a list of filterable database properties, see Understanding management role scope filters.
Use the following syntax to create a database restriction filter.
New-ManagementScope -Name <scope name> -DatabaseRestrictionFilter <filter query>
This example creates a scope that includes all the databases that contain the string "Executive" in the Name property of the database.
New-ManagementScope -Name "Executive Databases" -DatabaseRestrictionFilter "Name -Like '*Executive*'"
For detailed syntax and parameter information, see New-ManagementScope.
Database list configuration scope
Database list-based configuration scopes are created by using the DatabaseList parameter on the New-ManagementScope cmdlet. A database list scope enables you to create a scope that applies only to the databases you specify in a list.
Important
Role assignments associated with database scopes are applied only to users who connect to servers running Microsoft Exchange Server 2010 Service Pack 1 (SP1) or later or Exchange 2013. If a user assigned a role assignment associated with a database scope connects to a pre-Exchange 2010 SP1 server, the role assignment isn't applied to the user, and the user won't be granted any permissions provided by the role assignment.
Use the following syntax to create a database list scope.
New-ManagementScope -Name <scope name> -DatabaseList <database 1>, <database 2...>
This example creates a scope that applies only to the databases Database 1, Database 2, and Database 3.
New-ManagementScope -Name "Primary databases" -DatabaseList "Database 1", "Database 2", "Database 3"
For detailed syntax and parameter information, see New-ManagementScope.
Exclusive scope
Any scope that you create with the New-ManagementScope cmdlet can be designated as an exclusive scope. To create an exclusive scope, you use the same commands in one of the preceding sections to create a recipient filter-based scope, server filter-based scope, server list-based scope, database filter-based scope, or database list-based scope, and then add the Exclusive switch to the command.
Warning
When you create exclusive management scopes, only the role assignees assigned exclusive scopes that contain objects to be modified can access those objects. Only those administrators assigned a role with the exclusive scope can access these exclusive, or protected, objects.
This example creates an exclusive recipient filter-based scope that matches any user in the Executives department.
New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter "Department -Eq 'Executives'" -Exclusive
By default, when an exclusive scope is created, you're required to acknowledge that you created an exclusive scope and that you're aware of the impact that an exclusive scope has on existing role assignments that aren't exclusive. If you want to suppress the warning, you can use the Force switch. This example creates the same scope as the previous example, but without a warning.
New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter "Department -Eq 'Executives'" -Exclusive -Force
For detailed syntax and parameter information, see New-ManagementScope.
Step 2: Add or change a management role assignment
After you create the scope, you must add it to a new or existing management role assignment.
If you create a management scope and want to add it to a new management role assignment that you're going to create, see the following topics:
If you create a management role scope and want to add it to an existing management role assignment, see the following topics: