You need to create an exclusion for two helpdesk RBAC (Role Based Access Control) groups to not
have access to managers. You will need to pick 3 powershell commands from the available choices

A.
New-ManagementRole, New-ManagementScope,Set-ManagementScope (Guessed)

B.
New-ManagementScope, RecipientRestrictionFilter ,New-ManagementRoleAssignment (Guessed)

C.
New-ManagementScope, New-ManagementRoleAssignment, CustomRecipientWriteScope
(Guessed)

D.
Unsure of commands and correct answer

Explanation:
COURTESY OF DNS53 FROM UNITED STATES AND OCEAN FROM UNITED STATES
Management Role Scope
Management role scopes enable you to define the specific scope of impact or influence of a
management role when a management role assignment is created.
When you apply a scope, the role assignee assigned to the role can only modify the objects
contained within that scope.
A role assignee can be a management role group, management role, management role assignment
policy, user, or universal security group (USG). For more information about management roles, see
Understanding Role Based Access Control.
Every management role, whether it’s a built-in role or a custom role, has management scopes.
Management scopes can be either of the following:
Regular A regular scope isn’t exclusive. It determines where, in Active Directory, objects can be
viewed or modified by users assigned the management role. In general, a management role
indicates what you can create or modify, and a management role scope indicates where you can
create or modify. Regular scopes can be either implicit or explicit scopes, both of which are
discussed later in this topic. Exclusive An exclusive scope behaves almost the same as a regular
scope. The key difference is that it enables you to deny users access to objects contained within the
exclusive scope if those users aren’t assigned a role associated with the exclusive scope. All exclusive
scopes are explicit scopes, which are discussed later in this topic.
Scopes can be inherited from the management role, specified as a predefined relative scope on a
management role assignment, or created using custom filters and added to a management role
assignment.
Scopes inherited from management roles are called implicit scopes while predefined and custom
scopes are called explicit scopes. The following sections describe each type of scope:

Implicit Scopes
Explicit Scopes
Predefined Relative Scopes
Custom Scopes
Recipient Filter Scopes
Configuration Scopes
Each role can have the following types of scopes:
Recipient read scope The implicit recipient read scope determines what recipient objects the user
assigned the management role is allowed to read from Active Directory.
Recipient write scope The implicit recipient write scope determines what recipient objects the user
assigned the management role is allowed to modify in Active Directory.
Configuration read scope The implicit configuration read scope determines what configuration
objects the user assigned the management role is allowed to read from Active Directory.
Configuration write scope The implicit configuration write scope determines what organizational,
database, and server objects the user assigned the management role is allowed to modify in Active
Directory.
Recipient objects include mailboxes, distribution groups, mail enabled users, and other objects.
Configuration objects include servers running Microsoft Exchange Server 2013, and databases
located on servers running Exchange. Each type of scope can be either an implicit scope or explicit
scope.
Role Based Access Control Groups
Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013.
With RBAC, you don’t need to modify and manage access control lists (ACLs), which was done in
Exchange Server 2007.
ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing
unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting
problems that occurred due to using ACLs in a nonstandard way.
RBAC enables you to control, at both broad and granular levels, what administrators and end-users
can do.
RBAC also enables you to more closely align the roles you assign users and administrators to the
actual roles they hold within your organization. In Exchange 2007, the server permissions model
applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange
2013, RBAC now controls both the administrative tasks that can be performed and the extent to
which users can now administer their own mailbox and distribution groups.
RBAC has two primary ways of assigning permissions to users in your organization, depending on
whether the user is an administrator or specialist user, or an end-user: management role groups and
management role assignment policies.
Each method associates users with the permissions they need to perform their jobs. A third, more
advanced method, direct user role assignment, can also be used

Built-in Role Groups
Microsoft Exchange Server 2013 includes several management role groups by default.
The following built-in role groups provide you with a preconfigured set of roles that you can assign
to various administrator and specialist users in your organization.
Organization Management
View-Only Organization Management
Recipient Management
UM Management
Help Desk
Hygiene Management
Compliance Management
Records Management

Discovery Management
Public Folder Management
Server Management
Delegated Setup
How to use –Exclude switch in Remove-Item cmdlet in PowerShell today i was trying to remove
some junk folders and files in a specific folder. But i don’t want to remove all of file and folder , i
want to keep few folders. Then i think that i should use the –Exclude switch with Remove-Item
Cmdlet.
I tried to use –Exclude switch but somehow i failed to get it working because i don’t know the exact
patter used by –Exclude switch. After few minutes of testing i get it done and i thought i should
share this tip with you.
$Lenovo = “D:\P-Temp\Lenovo\*”
Remove-Item -Recurse -Path $Lenovo -Exclude system,temp,updates.ser,”*.xml” -Verbose –Force
In $Lenovo variable i specified the folder path in which I want to remove the items
I want to Exclude folder name “System”,”temp” and file name “updates.ser” and all .XML Files
in -Exclude switch give the folder name which you don’t want to delete, no need to put the in a
double quotes “” in folder name . You can provide multiple folder name separated by comma.
in pattern matching make sure you put the wild cards in double quotes “”.
New-ManagementScope (Example)
http://technet.microsoft.com/en-us/library/dd335137(v=exchg.150).aspx
EXAMPLE 4
This example creates the Protected Exec Users exclusive scope. Users that contain the string “VP” in
their title match the recipient filter for the scope. When the exclusive scope is created, all users are
immediately blocked from modifying the recipients that match the exclusive scope until the scope is
associated with a management role assignment. If other role assignments are associated with other
exclusive scopes that match the same recipients, those assignments can still modify the recipients.
New-ManagementScope -Name “Protected Exec Users” -RecipientRestrictionFilter { Title -Like
“*VP*” } –
Exclusive
The exclusive scope is then associated with a management role assignment that assigns the Mail
Recipients management role to the Executive Administrators role group. This role group contains
administrators who are allowed to modify the mailboxes of high-profile executives. Only the
administrators of the Executive Administrators role group can modify users with the string “VP” in
their title.
New-ManagementRoleAssignment -SecurityGroup “Executive Administrators” -Role “Mail
Recipients” –
CustomRecipientWriteScope “Protected Exec Users”
FORUM 70-341
Ocean from Netherlands – Aug 11 2013, 3:21 PM Report Spam
Hi DNS53
As for the question
You need to create an exclusion for two helpdesk RBAC groups to not have access to managers.

You will need to pick 3 powershell commands from the available choices
Look here:
Understanding Management Role Scopes
http://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx

As we need to set deny access we want to set explicit recipcient filter scope for the existing helpdesk
group, removing the managers from the scope. Then create a new RBAC group and implicit scope
the managers mailboxes. So my guess would be something like
New-ManagementRole -Name “Management role for CEO”
New-ManagementScope -Name “Management Scope for CEO” -RecipientRestrictionFilter {Title -Like
“*CEO*”} -Exclusive
Set-ManagementScope “Helpdesk Users” -RecipientRestrictionFilter { Company -eq ‘Contoso users’ –
and
Function -like ‘CEO’
As we do not know what RBAC setup already exists, this kind of smells like Microsoft, but hey this is
a start.
New-ManagementRole
Use the New-ManagementRoleAssignment cmdlet to assign a management role to a management
role group, management role assignment policy, user, or universal security group (USG).
EXAMPLE 1
This example assigns the Mail Recipients role to the Tier 2 Help Desk role group.
New-ManagementRoleAssignment -Role “Mail Recipients” -SecurityGroup “Tier 2 Help Desk”