User with Recipient Management Role cannot assign retention policy - grayed out

We are running Exchange 2013 CU5. I added a couple of our helpdesk personnel to the Recipient Management Admin Role so they could add new users. However, they cannot assign the Retention Policy - it's grayed out.

According to this article: https://technet.microsoft.com/en-us/library/dd638205(v=exchg.150).aspx they should be able to do this. I don't believe any of the default admin roles have been customized.

Anyone have an ide

March 10th, 2015 11:11am

Are they part of the Records Management group?
March 10th, 2015 11:18am

No, they are not part of Records Management role. I do not want them to be able to create or edit the actual retention policies. They should only be able to add and configure new user accounts.
March 10th, 2015 11:26am

To apply a retention policy they need to be part of the Records Management role.

You can copy the Records Management role and retain only the permission to set the retention policy option, and remove the rest of the cmdlets.

Add the recipient administrators to this role group.

They should then be able to apply a retention policy.
March 11th, 2015 4:40am

That sounds like the way to accomplish what I want. I'm working on figuring out how to remove cmdlets from a management role.
March 11th, 2015 12:06pm

Get-ManagementRoleEntry  -Identity "rolename\*" | Where-Object {$_.Name -ne 'command name'} | Remove-ManagementRoleEntry
  • Proposed as answer by Vishwanath.S 15 hours 13 minutes ago
March 11th, 2015 12:08pm

Thanks for the quick reply! Sorry, but I'm not super-fluent in PS (yet). So I tested your PS command by changing "Remove-ManagementRoleEntry" to "ft" so that it would simply list results. This showed me that it would remove all Cmdlets from the Retention Management role. (I also finally figured out that ManagementRoleEntries=Cmdlets.)

I'm glad I didn't just run it as is, because a quick check showed that the Retention Management role is also contained in the Organization Management Admin Role Group. If I had just gone ahead and run that command it would have affected members of Org Management, and I would have disabled everyone's ability to manage retention policies!

For the benefit of those who are looking to solve the same problem, here is what I did:

EAC - Created a copy of the Records Management Admin group - named it "Copy of Records Management"
PS - Created a copy of the Retention Management role - named it "AssignRetentionPolicy"
EAC - Added the AssignRetentionPolicy role to the Copy of Records Management admin role group
EAC - Removed all other roles from the Copy of Records Management admin role group
PS - Removed all other cmdlets from the AssignRetentionPolicy role - I left all of the Get cmdlets and the Set-Mailbox cmdlet, and removed all the others. Set-Mailbox is the cmdlet used to assign the retention policy to a mailbox - I probably could have left only this command in the role.
EAC - Added users to the Copy of Records Management Admin Group. Now when they add or edit a mailbox account, the Retention Policy field is available.
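As an added example (not the poster's own commands), here is the Exchange Management Shell equivalent of the steps above, using the role and group names the poster chose; the helpdesk aliases are constructed placeholders, and the parameter-restriction step is an assumption that the EAC needs only those two parameters for the Retention Policy field.

```powershell
# Added example (not from the thread): build the least-privilege role and
# role group described above in the Exchange Management Shell.
# Role/group names are the poster's; helpdesk aliases are constructed.

$RoleName  = 'AssignRetentionPolicy'
$GroupName = 'Copy of Records Management'
$Helpdesk  = @('helpdesk1', 'helpdesk2')   # constructed placeholder aliases

# 1. Create a child role copied from the built-in role. Never trim the
#    built-in "Retention Management" role itself: Organization Management
#    also holds it, so removing its entries would affect every org admin.
New-ManagementRole -Name $RoleName -Parent 'Retention Management'

# 2. Dry run first: list what would be removed, mirroring the poster's
#    trick of swapping Remove-ManagementRoleEntry for ft.
$ToRemove = Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -notlike 'Get-*' -and $_.Name -ne 'Set-Mailbox' }
$ToRemove | Format-Table Name, Role -AutoSize

# 3. Remove everything except the Get-* cmdlets and Set-Mailbox.
$ToRemove | Remove-ManagementRoleEntry -Confirm:$false

# 4. Optional tightening (assumption: the EAC only needs these two
#    parameters to set the Retention Policy field). Without -AddParameter
#    or -RemoveParameter, -Parameters replaces the allowed parameter list.
# Set-ManagementRoleEntry "$RoleName\Set-Mailbox" -Parameters Identity, RetentionPolicy

# 5. New role group carrying only this role, with the helpdesk as members.
New-RoleGroup -Name $GroupName -Roles $RoleName -Members $Helpdesk

# 6. Verify what a member can actually run, and with which parameters.
Get-ManagementRoleEntry "$RoleName\*" | Sort-Object Name |
    Format-Table Name, Parameters -AutoSize
Get-RoleGroupMember $GroupName
```

Members of the existing Recipient Management group would instead get the role via New-ManagementRoleAssignment -Role $RoleName -SecurityGroup 'Recipient Management', the alternative the poster mentions below.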

You could also simply edit the default Recipient Management Admin Role group, and add the newly-created AssignRetentionPolicy role. (I think default admin groups allow adding roles, but not deleting them.) Then you would not need the "Copy of Records Management" Admin Group. I prefer to do it the first way, since it leaves the default groups unchanged.

I did some of it in the EAC, and some using PS. I did use Vishwanath's command as a starting point, which was a big help.

Vishwanath, thanks for your help!

March 11th, 2015 3:28pm
