Have you ever needed to change your Default Role Assignment Policy in Exchange 2010 through Exchange Management Shell?  An example of when you might want to do this is to prevent users from creating organizationally visible distribution lists through Outlook Web App.  Recently I realized that there may be a problem with the Set-RoleAssignmentPolicy command that can be used to set your users default role assignment policy.  Here is what was experienced.

[wp_ad_camp_1]

Set Exchange users to the Default Role Assignment Policy

As you can see by double-clicking on the image below the following powershell command was run and indicated that all users were set with the Default Role Assignment Policy. 

Set-RoleAssignmentPolicy “Default Role Assignment Policy” –IsDefault

policy1

Problem

My next step was to remove my unused role assignment policy through Powershell.

Remove-RoleAssignmentPolicy “Policy Name Here”

policy2

After executing the command; which you can see by clicking on the photo above, there are users still using the policy?  What?  The first command run above had applied the default policy to everyone.

Recommendation

Run the following PowerShell command to see which users still have the old role assignment policy before attempting to remove the unused policy.  You may want to run this command to validate that your Role Management Policies are also applied as expected.

Get-Mailbox –resultsize unlimited | where {$_RoleassignmentPolicy –Eq “Policy Name Here”}

Tip

Use ADSIEDIT to resolve the issue with the users that have the incorrect Role Assignment Policy.  This can be downloaded and installed from the following location.  http://technet.microsoft.com/en-us/library/ebca3324-5427-471a-bc19-9aa1decd3d40  Note that you will need Domain Administrator rights to Active Directory to do the next steps.

  1. Open ADSIEDIT and Connect to the Default Naming Context for your domain.
  2. Click into the structure to find the user with the incorrect role assignment policy.
  3. Right-click on the user and choose properties.
  4. Find the following attribute msExchRBACPolicyLink and set the path to the correct policy.  You may want to copy the full value from another user that is correctly set.
  5. Click Ok to apply the change.

policy3Once this is complete the unused policy can be removed through Exchange Management Shell with the following command.

Remove-RoleAssignmentPolicy “Policy Name Here”