You need to create an exclusion for two helpdesk RBAC (Role Based Access Control) groups to not have
access to managers.
You will need to pick 3 powershell commands from the available choices

A.
New-ManagementRole, New-ManagementScope,Set-ManagementScope (Guessed)

B.
New-ManagementScope, RecipientRestrictionFilter ,New-ManagementRoleAssignment (Guessed)

C.
New-ManagementScope, New-ManagementRoleAssignment, CustomRecipientWriteScope (Guessed)

D.
Unsure of commands and correct answer

Explanation:
Only chose C as Microsoft recommends that you:
define the scope,
then the role,
then the role group, and finally,
the role assignment.
However it appears that the custom scope with a recipient filter has to be created in order to filter the scope for
the 2 helpdesk role based access groups.
The scope, role, and role group assignments are linked by the role assignment itself.
Microsoft recommends that you first define the scope, then the role, then the role group, and, finally, the role
assignment.

Management Role Scope
Management role scopes enable you to define the specific scope of impact or influence of a management role
when a management role assignment is created.
When you apply a scope, the role assignee assigned to the role can only modify the objects contained within
that scope.
A role assignee can be a management role group, management role, management role assignment policy,
user, or universal security group (USG). For more information about management roles, see Understanding
Role Based Access Control.
Every management role, whether it’s a built-in role or a custom role, has management scopes. Management
scopes can be either of the following:
Regular A regular scope isn’t exclusive. It determines where, in Active Directory, objects can be viewed or
modified by users assigned the management role. In general, a management role indicates what you can
create or modify, and a management role scope indicates where you can create or modify. Regular scopes can
be either implicit or explicit scopes, both of which are discussed later in this topic.
Exclusive An exclusive scope behaves almost the same as a regular scope. The key difference is that it
enables you to deny users access to objects contained within the exclusive scope if those users aren’t assigned
a role associated with the exclusive scope. All exclusive scopes are explicit scopes, which are discussed later
in this topic.
Scopes can be inherited from the management role, specified as a predefined relative scope on a management
role assignment, or created using custom filters and added to a management role assignment. Scopes
inherited from management roles are called implicit scopes while predefined and custom scopes are called
explicit scopes. The following sections describe each type of scope:
Implicit Scopes
Explicit Scopes
Predefined Relative Scopes
Custom Scopes
Recipient Filter Scopes
Configuration Scopes
Each role can have the following types of scopes:
Recipient read scope The implicit recipient read scope determines what recipient objects the user assigned
the management role is allowed to read from Active Directory.Recipient write scope The implicit recipient write scope determines what recipient objects the user assigned
the management role is allowed to modify in Active Directory.
Configuration read scope The implicit configuration read scope determines what configuration objects the user
assigned the management role is allowed to read from Active Directory.
Configuration write scope The implicit configuration write scope determines what organizational, database,
and server objects the user assigned the management role is allowed to modify in Active Directory.
Recipient objects include mailboxes, distribution groups, mail enabled users, and other objects. Configuration
objects include servers running Microsoft Exchange Server 2013, and databases located on servers running
Exchange. Each type of scope can be either an implicit scope or explicit scope.
Role Based Access Control Groups
Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013. With
RBAC, you don’t need to modify and manage access control lists (ACLs), which was done in Exchange Server
2007.
ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended
consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred
due to using ACLs in a nonstandard way.
RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do.
RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles
they hold within your organization. In Exchange 2007, the server permissions model applied only to the
administrators who managed the Exchange 2007 infrastructure. In Exchange 2013, RBAC now controls both
the administrative tasks that can be performed and the extent to which users can now administer their own
mailbox and distribution groups.
RBAC has two primary ways of assigning permissions to users in your organization, depending on whether the
user is an administrator or specialist user, or an end-user: management role groups and management role
assignment policies.
Each method associates users with the permissions they need to perform their jobs. A third, more advanced
method, direct user role assignment, can also be used

Built-in Role Groups
Microsoft Exchange Server 2013 includes several management role groups by default.
The following built-in role groups provide you with a preconfigured set of roles that you can assign to various
administrator and specialist users in your organization.
Organization Management
View-Only Organization Management
Recipient Management
UM Management
Help Desk
Hygiene Management
Compliance Management
Records Management
Discovery Management
Public Folder Management
Server Management
Delegated Setup
How to use –Exclude switch in Remove-Item cmdlet in PowerShell
today i was trying to remove some junk folders and files in a specific folder. But i don’t want to remove all of file
and folder, i want to keep few folders. Then i think that i should use the –Exclude switch with Remove-Item
Cmdlet.
I tried to use –Exclude switch but somehow i failed to get it working because i don’t know the exact patter used
by –Exclude switch. After few minutes of testing i get it done and i thought i should share this tip with you.
$Lenovo = “D:\\P-Temp\\Lenovo\\*”
Remove-Item -Recurse -Path $Lenovo -Exclude system,temp,updates.ser,”*.xml” -Verbose –Force
In $Lenovo variable i specified the folder path in which I want to remove the items
I want to Exclude folder name “System”,”temp” and file name “updates.ser” and all .XML Files
in -Exclude switch give the folder name which you don’t want to delete, no need to put the in a double quotes “”in folder name . You can provide multiple folder name separated by comma.
in pattern matching make sure you put the wild cards in double quotes “”.
POWERSHELL COMMMANDS
New-ManagementScope (Example)
http://technet.microsoft.com/en-us/library/dd335137(v=exchg.150).aspx
EXAMPLE 4
This example creates the Protected Exec Users exclusive scope. Users that contain the string “VP” in their title
match the recipient filter for the scope. When the exclusive scope is created, all users are immediately blocked
from modifying the recipients that match the exclusive scope until the scope is associated with a management
role assignment. If other role assignments are associated with other exclusive scopes that match the same
recipients, those assignments can still modify the recipients.
New-ManagementScope -Name “Protected Exec Users” -RecipientRestrictionFilter { Title -Like “*VP*” } –
Exclusive
New-ManagementRoleAssignment
The exclusive scope is then associated with a management role assignment that assigns the Mail Recipients
management role to the Executive Administrators role group. This role group contains administrators who are
allowed to modify the mailboxes of high-profile executives. Only the administrators of the Executive
Administrators role group can modify users with the string “VP” in their title.
New-ManagementRoleAssignment -SecurityGroup “Executive Administrators” -Role “Mail Recipients” –
CustomRecipientWriteScope “Protected Exec Users”
This example assigns the Eng Help Desk role to the Eng HD Personnel role group. The assignment restricts
the recipient write scope of the role to the contoso.com/Engineering/Users OU. Users who are members of the
Eng HD Personnel role group can only create, modify, or remove objects contained within that OU.
New-ManagementRoleAssignment -Role “Eng Help Desk” -SecurityGroup “Eng HD Personnel” –
RecipientOrganizationalUnitScope contoso.com/Engineering/Users
New-ManagementRole
Use the New-ManagementRole cmdlet to create a management role based on an existing role or create an
unscoped management role.
EXAMPLE 1
This example creates the management role Redmond Journaling View-Only based on the Journaling parent
role.
New-ManagementRole -Name “Redmond Journaling View-Only” -Parent Journaling
New-RoleGroup
Use the New-RoleGroup cmdlet to create a management role group on a server running Microsoft Exchange
Server 2013.
EXAMPLE 1
This example creates a role group. The Mail Recipients and Mail Enabled Public Folders roles are assigned to
the role group, and the users Kim and Martin are added as members. Because no scopes were provided, Kim
and Martin can manage any recipient and reset passwords for any users in the organization.
New-RoleGroup -Name “Limited Recipient Management” -Roles “Mail Recipients”, “Mail Enabled Public
Folders” -Members Kim, Martin
Look here:
Understanding Management Role Scopes
http://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx
As we need to set deny access we want to set explicit recipcient filter scope for the existing helpdesk group,
removing the managers from the scope. Then create a new RBAC group and implicit scope the managers
mailboxes. So my guess would be something like
New-ManagementRole -Name “Management role for CEO”New-ManagementScope -Name “Management Scope for CEO” -RecipientRestrictionFilter { Title -Like
“*CEO*” } -Exclusive
Set-ManagementScope “Helpdesk Users” -RecipientRestrictionFilter { Company -eq ‘Contoso users’ -and
Function -like ‘CEO’
As we do not know what RBAC setup already exists, this kind of smells like Microsoft, but hey this is a start.