If you want to delegate server and recipient management to a site that has its own Exchange server:
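# Delegates server and recipient management for one site: members of
# "delegated-exchange-g" may manage SERVER1 and the recipients in one OU.
# SERVER1, the OU path and the group name are placeholders for the real objects.
#
# Every multi-parameter command below uses splatting or a trailing pipe, so it
# stays a single statement even when the text is wrapped. If the scope
# parameters are cut off from New-RoleGroup or New-ManagementRoleAssignment,
# the command creates the assignment without the server/OU restriction.

# Create a management scope to restrict configuration writes to the server only.
New-ManagementScope -Name "DELEGATED Servers" -ServerList SERVER1

# Create a DELEGATED role group for server management, copying the roles of the
# built-in "Server Management" group but with the restricted scopes.
$RGS = Get-RoleGroup "Server Management"
$ServerGroupParams = @{
    Name                            = "DELEGATED Server Management"
    Roles                           = $RGS.Roles
    CustomConfigWriteScope          = "DELEGATED Servers"
    RecipientOrganizationalUnitScope = "domain.local/NameOfOrganizationalUnit"
}
New-RoleGroup @ServerGroupParams
Add-RoleGroupMember "DELEGATED Server Management" -Member "delegated-exchange-g"

# Create a DELEGATED role group for recipient management, copying the roles of
# the built-in "Recipient Management" group with the same restricted scopes.
$RGR = Get-RoleGroup "Recipient Management"
$RecipientGroupParams = @{
    Name                            = "DELEGATED Recipient Management"
    Roles                           = $RGR.Roles
    CustomConfigWriteScope          = "DELEGATED Servers"
    RecipientOrganizationalUnitScope = "domain.local/NameOfOrganizationalUnit"
}
New-RoleGroup @RecipientGroupParams
Add-RoleGroupMember "DELEGATED Recipient Management" -Member "delegated-exchange-g"

# Replace the "Recipient Policies" assignment to disallow policy changes: the
# regular (non-delegating) assignment is removed and created again with the
# explicit server and OU scopes.
# NOTE(review): this grants the role again, only scoped. If the delegated
# admins should not hold "Recipient Policies" at all, stop after the removal
# and skip New-ManagementRoleAssignment. Confirm the intent.
Get-ManagementRoleAssignment -RoleAssignee "DELEGATED Recipient Management" -Role "Recipient Policies" -Delegating $false |
    Remove-ManagementRoleAssignment
$PolicyAssignmentParams = @{
    Name                            = "Recipient Policies-DELEGATED Recipient Management"
    SecurityGroup                   = "DELEGATED Recipient Management"
    Role                            = "Recipient Policies"
    CustomConfigWriteScope          = "DELEGATED Servers"
    RecipientOrganizationalUnitScope = "domain.local/NameOfOrganizationalUnit"
}
New-ManagementRoleAssignment @PolicyAssignmentParams

# Create a child of the "Mail Recipients" role and remove the ability to
# administer the owamailboxpolicy. The first pass uses -WhatIf to list the
# entries the *owa* wildcard matches; review that list before the second pass
# actually removes them.
New-ManagementRole "DELEGATED Mail Recipients" -Parent "Mail Recipients"
Get-ManagementRoleEntry "DELEGATED Mail Recipients\*owa*" | Remove-ManagementRoleEntry -WhatIf
Get-ManagementRoleEntry "DELEGATED Mail Recipients\*owa*" | Remove-ManagementRoleEntry

# Remove the built-in "Mail Recipients" role from the group to disallow
# owamailboxpolicy changes, then assign the trimmed child role with the same
# server and OU scopes.
Get-ManagementRoleAssignment -RoleAssignee "DELEGATED Recipient Management" -Role "Mail Recipients" -Delegating $false |
    Remove-ManagementRoleAssignment
$MailRecipientsAssignmentParams = @{
    Name                            = "Mail Recipients-DELEGATED Recipient Management"
    SecurityGroup                   = "DELEGATED Recipient Management"
    Role                            = "DELEGATED Mail Recipients"
    CustomConfigWriteScope          = "DELEGATED Servers"
    RecipientOrganizationalUnitScope = "domain.local/NameOfOrganizationalUnit"
}
New-ManagementRoleAssignment @MailRecipientsAssignmentParams

# Verify the result: every assignment of both role groups should show the
# "DELEGATED Servers" configuration scope and the OU as recipient write scope.
# An assignment listed without them is broader than intended.
Get-ManagementRoleAssignment -RoleAssignee "DELEGATED Server Management" |
    Format-Table Name, Role, CustomConfigWriteScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-ManagementRoleAssignment -RoleAssignee "DELEGATED Recipient Management" |
    Format-Table Name, Role, CustomConfigWriteScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize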