<img height="1" width="1" src="https://www.facebook.com/tr?id=1529264867168163&amp;ev=PageView &amp;noscript=1">
blog_listing_hero_img.jpg

Issue With Assigning Exchange 2010 Role-Assignment Policies

Have you ever needed to change your Default Role Assignment Policy in Exchange 2010 through Exchange Management Shell?  An example of when you might want to do this is to prevent users from creating organizationally visible distribution lists through Outlook Web App.  Recently I realized that there may be a problem with the Set-RoleAssignmentPolicy command that can be used to set your users default role assignment policy.  Here is what was experienced.

Set Exchange users to the Default Role Assignment Policy

As you can see by double-clicking on the image below the following powershell command was run and indicated that all users were set with the Default Role Assignment Policy.  

Set-RoleAssignmentPolicy "Default Role Assignment Policy" –IsDefault

TM12.31.13.1

Problem

My next step was to remove my unused role assignment policy through Exchange Management Shell. 

Remove-RoleAssignmentPolicy “Policy Name Here”

TM12.31.2013 resized 600

After executing the command; which you can see by clicking on the photo above, there are users still using the policy?  What?  The first command run above had applied the default policy to everyone.

Recommendation

Run the following PowerShell command to see which users still have the old role assignment policy before attempting to remove the unused policy.  You may want to run this command to validate that your Role Management Policies are also applied as expected.

Get-Mailbox –resultsize unlimited | where {$_RoleassignmentPolicy –Eq “Policy Name Here”}

Tip

Use ADSIEDIT to resolve the issue with the users that have the incorrect Role Assignment Policy.  This can be downloaded and installed from the following location.  http://technet.microsoft.com/en-us/library/ebca3324-5427-471a-bc19-9aa1decd3d40  Note that you will need Domain Administrator rights to Active Directory to do the next steps.

  1. Open ADSIEDIT and Connect to the Default Naming Context for your domain.
  2. Click into the structure to find the user with the incorrect role assignment policy.
  3. Right-click on the user and choose properties.
  4. Find the following attribute msExchRBACPolicyLink and set the path to the correct policy.  You may want to copy the full value from another user that is correctly set.
  5. Click Ok to apply the change.

TM12.31.3 resized 600

Once this is complete the unused policy can be removed through Exchange Management Shell with the following command.

Remove-RoleAssignmentPolicy "Policy Name Here"

So, when using the Set-RoleAssignment Exchange Management Shell Command be sure to double-check your work as this article describes to ensure that your Role-Assignment Policies are accurately set across all of the users in your organization.

Related Articles: My Users Can Create Distribution Lists?