Get-Group: Confusion and a query
On the Get-Group cmdlet query, the TechNet article states: To run the Get-Group cmdlet, the account you use must be delegated the following: Exchange View-Only Administrator role
http://technet.microsoft.com/en-us/library/aa996594(EXCH.80).aspx

I can run this cmdlet logged in as a normal domain user without any administrator role (or any permissions applied), and it returned groups. Am I missing a point?

We have a requirement where we need to deny specific users from getting any results when running Get-Group. Please suggest how this can be done.
August 12th, 2010 8:50pm

Hi Shireesh1,

Sure, the user must have the role viewonlyadmin, and could use the cmdlet "get-group". You could confirm it using the script below:

get-exchangeadministrator | ? {$_.role -like "viewonlyadmin"}

Regards!
Gavin
August 17th, 2010 8:25am

Thanks Gavin,

But I remember I could even execute the cmdlet with a user ID that was not a viewonlyadmin. The issue cropped up again today when one of the users wanted to get ActiveSync device statistics for users who are not part of viewonlyadmins.

The Get-Mailbox cmdlet retrieves the attributes and objects for a mailbox. No parameters are required. If the cmdlet is used without a parameter, all mailboxes in the organization are listed. To run the Get-Mailbox cmdlet, the account you use must be delegated the following: Exchange View-Only Administrator role
http://technet.microsoft.com/en-us/library/bb123685%28EXCHG.80%29.aspx

The user running this cmdlet is not 'viewonlyadmin'; I confirmed this using:

get-exchangeadministrator | ? {$_.role -like "viewonlyadmin"}

Ideally, if the user does not have the viewonlyadmin role, he should not be able to execute this cmdlet or get the information returned.

Regards,
November 26th, 2010 5:04am

This topic is archived. No further replies will be accepted.
