I have about 25 administrative user where I need to add a new role and assign it a specific scope. In my testing I have been able to get a list of users and assign it a new role, however when the role is added it gets a role-up of all the different scopes assigned to the user. When adding a role using the Add-CMSecurityRoleToAdministrativeUser cmdlet, is their a way to specify which scopes to add instead of receiving a role up of all scopes. 

In a similar fashion, is their a way to use the Remove-CMSecurityScopeFromAdministrativeUser cmdlet and specify a specific role to remove the scope from instead of purging it from the entire user.

My beta code is below.

$adminUsers = get-cmadministrativeuser | where {$_.logonname -like "*metricstesting*"} 

ForEach ($adminUser in $adminUsers) {

Add-CMSecurityRoleToAdministrativeUser -AdministrativeUserName "$($adminUser.logonname)" -RoleName "+Custom+ Operating System Deployment User"

}

-Tony

• Edited by Tony Chirillo 13 hours 45 minutes ago

That wont work either. I am trying to remove a scope from only certain roles a user has. The only thing I have been able to do so far is remove it from the all roles, I can't seem to get as granular as I need it to be.