List the Roles that Include a Specific Cmdlet

Role-Based Access Control (RBAC) is one of the cool new features included in Microsoft Lync Server 2010. RBAC gives you fine-grained control over the delegation of administrative rights; you do this by creating a universal security group in Active Directory, configuring that group as an RBAC role, then assigning cmdlets to the role. Users who are members of that security group are allowed to run only the cmdlets assigned to the corresponding RBAC role; all other cmdlets are off limits.


Note. Well, now that we think about it, you may be right: that’s probably not the best explanation of RBAC that’s ever been written. If you’re looking for the best explanation of RBAC that’s ever been written – well, to tell you the truth, we don’t know where you can find the best explanation of RBAC that’s ever been written. But a reasonably good explanation can be found in the article A Brief Introduction to RBAC.

Pretty neat, huh? Now, suppose you have a cmdlet like New-CsArchivingPolicy and you’d like to know which RBAC roles that particular cmdlet has been assigned to. Which roles have been assigned the New-CsArchivingPolicy cmdlet?

To be perfectly honest, we have no idea: hard as this might be to believe, we haven’t bothered to memorize all the RBAC roles and all the cmdlets that have been assigned to each of those roles. But, in our defense, we don’t have to memorize that information. After all, if we ever need to know which roles a given cmdlet has been assigned to we can just run the following script:

$x = $args[0]
Get-CsAdminRole | Where-Object {$_.Cmdlets -contains $x} | Select-Object Identity

Yes, that is pretty simple, isn’t it? All we’re doing here is running the script and passing it the name of a cmdlet. We then use Get-CsAdminRole to return any roles where the Cmdlets property includes (-contains) the specified cmdlet. Assuming we saved this script as C:ScriptsGet-Roles.ps1 all we need to do is run a command similar to this:

C:ScriptsGet-Roles.ps1 “New-CsArchivingPolicy”

That’s all there is to it.

P.S. If the suspense is killing you, here are the RBAC roles that have been assigned the cmdlet New-CsArchivingPolicy:



Comments (1)
  1. fred says:


    Get-CsAdminRole | Where-Object {$_.Cmdlets -contains $x} | Select-Object Identity returns empty

    I changed to Get-CsAdminRole | Where-Object {$_.Cmdlets -match $x} | Select-Object Identity instead and it works fine

Comments are closed.

Skip to main content