An example:

Create an administrator role that has permission to create mailboxes but not to delete them.


  1. Create the management role

C:\Windows\system32> New-ManagementRole -Name "IT Operator" -Parent "Mail Recipient Creation"

 This creates the "IT Operator" role, which inherits all permissions of "Mail Recipient Creation".


2. Remove the role entry from the role

 C:\Windows\system32>Remove-ManagementRoleEntry  "IT Operator\Remove-Mailbox"

 This removes the permission to delete mailboxes from the "IT Operator" role.


How do you see which role entries a role has?


C:\Windows\system32>Get-ManagementRoleEntry  -Identity "IT Operator\*"

As shown below:


[PS] C:\Windows\system32>Get-ManagementRoleEntry  -Identity "IT Operator\*"

Name                           Role                      Parameters
----                           ----                      ----------
Disable-PushNotificationProxy  IT Operator               {Confirm, Debug, ErrorAction, ErrorVariable, OutBuffer, Out...
Enable-PushNotificationProxy   IT Operator               {Debug, ErrorAction, ErrorVariable, Organization, OutBuffer...
Get-ADServerSettings           IT Operator               {Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable,...
Get-ActiveSyncMailboxPolicy    IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-AddressBookPolicy          IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-DomainController           IT Operator               {Credential, Debug, DomainName, ErrorAction, ErrorVariable,...
Get-MailContact                IT Operator               {Anr, Credential, Debug, DomainController, ErrorAction, Err...
Get-MailUser                   IT Operator               {Anr, Credential, Debug, DomainController, ErrorAction, Err...
Get-Mailbox                    IT Operator               {Anr, Arbitration, Archive, Credential, Database, Debug, Do...
Get-MailboxDatabase            IT Operator               {Debug, DomainController, DumpsterStatistics, ErrorAction, ...
Get-ManagedFolderMailboxPolicy IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-ManagementRoleAssignment   IT Operator               {AssignmentMethod, ConfigWriteScope, CustomConfigWriteScope...
Get-MobileDeviceMailboxPolicy  IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-OrganizationalUnit         IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-Recipient                  IT Operator               {Anr, BookmarkDisplayName, Database, ErrorAction, ErrorVari...
Get-RemoteMailbox              IT Operator               {Anr, Credential, Debug, DomainController, ErrorAction, Err...
Get-ResourceConfig             IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-RoleAssignmentPolicy       IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-SharingPolicy              IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
Get-ThrottlingPolicy           IT Operator               {Debug, DomainController, ErrorAction, ErrorVariable, Expli...
Get-ThrottlingPolicyAssocia... IT Operator               {Anr, Debug, DomainController, ErrorAction, ErrorVariable, ...
Get-Trust                      IT Operator               {Debug, DomainName, ErrorAction, ErrorVariable, OutBuffer, ...
Get-User                       IT Operator               {Anr, Arbitration, Credential, Debug, DomainController, Err...
Get-UserPrincipalNamesSuffix   IT Operator               {Debug, ErrorAction, ErrorVariable, OrganizationalUnit, Out...
New-MailContact                IT Operator               {Alias, ArbitrationMailbox, Confirm, Debug, DisplayName, Do...
New-MailUser                   IT Operator               {Alias, ArbitrationMailbox, Confirm, Debug, DisplayName, Do...
New-Mailbox                    IT Operator               {AccountDisabled, ActiveSyncMailboxPolicy, AddressBookPolic...
New-RemoteMailbox              IT Operator               {AccountDisabled, Alias, Archive, Confirm, Debug, DisplayNa...
Remove-MailContact             IT Operator               {Confirm, Debug, DomainController, ErrorAction, ErrorVariab...
Remove-MailUser                IT Operator               {Confirm, Debug, DomainController, ErrorAction, ErrorVariab...
Remove-PushNotificationSubs... IT Operator               {Confirm, Debug, ErrorAction, ErrorVariable, Force, Mailbox...
Remove-RemoteMailbox           IT Operator               {Confirm, Debug, DomainController, ErrorAction, ErrorVariab...
Set-ADServerSettings           IT Operator               {ConfigurationDomainController, Confirm, Debug, ErrorAction...
Set-MailboxFolderPermission    IT Operator               {AccessRights, Confirm, Debug, DomainController, ErrorActio...
Write-AdminAuditLog            IT Operator               {Comment, Confirm, Debug, DomainController, ErrorAction, Er...



This way you can create administrator roles flexibly.
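
The listing above can also be checked mechanically. The following is an added example, not part of the original post: it compares a child role's entries with its parent's and reports which entries were removed, which `Remove-*` cmdlets the child still carries (the output above still lists `Remove-MailUser`, `Remove-MailContact` and `Remove-RemoteMailbox`), and whether any entry that must be absent is still present. The function name `Get-RoleEntryDiff` and the sample entry lists are constructed for illustration.

```powershell
# Added example (hypothetical helper, not an Exchange cmdlet).
# Audits a custom RBAC role against the parent role it was derived from.
function Get-RoleEntryDiff {
    param(
        [Parameter(Mandatory)] [object[]] $ParentEntries,  # entries of the parent role
        [Parameter(Mandatory)] [object[]] $ChildEntries,   # entries of the custom role
        [string[]] $MustBeAbsent = @()                     # cmdlets the custom role must not have
    )
    $parentNames = @($ParentEntries | ForEach-Object { $_.Name })
    $childNames  = @($ChildEntries  | ForEach-Object { $_.Name })

    [pscustomobject]@{
        # Entries the parent has and the child no longer has
        RemovedFromChild       = @($parentNames | Where-Object { $childNames -notcontains $_ })
        # Destructive cmdlets the child can still run
        RemainingRemoveCmdlets = @($childNames | Where-Object { $_ -like 'Remove-*' })
        # Entries that should have been removed but are still present
        Violations             = @($MustBeAbsent | Where-Object { $childNames -contains $_ })
    }
}

# Constructed sample data: a short subset of entry names so the script runs
# outside Exchange. Only the Name property is used.
$parent = 'Get-Mailbox', 'New-Mailbox', 'Remove-Mailbox',
          'Remove-MailUser', 'Remove-MailContact', 'Remove-RemoteMailbox' |
          ForEach-Object { [pscustomobject]@{ Name = $_ } }
$child  = @($parent | Where-Object { $_.Name -ne 'Remove-Mailbox' })

# In the Exchange Management Shell, replace the sample data with live entries:
#   $parent = Get-ManagementRoleEntry -Identity "Mail Recipient Creation\*"
#   $child  = Get-ManagementRoleEntry -Identity "IT Operator\*"

$report = Get-RoleEntryDiff -ParentEntries $parent -ChildEntries $child `
                            -MustBeAbsent 'Remove-Mailbox'
$report | Format-List

if ($report.Violations.Count -gt 0) {
    throw "Role still contains: $($report.Violations -join ', ')"
}
```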