Monday, May 3, 2021

Resetting Broken Default Exchange RBAC

I had a customer who needed the default Exchange groups under the "Microsoft Exchange Security Groups" organisational unit re-created. This was needed because someone had moved these groups to another location (not supported), and the support engineer was unable to move the groups back to the original location due to an error.

Moving the default groups results in you being unable to:

  • Install new Exchange Servers into the organisation
  • Perform Cumulative Updates
  • Perform Recover Server installations

After recreating the groups, all AssignedRoles were stripped off the default Role Groups.

The server is fully functional; however, administrators are unable to administer Exchange.

The only way we were able to access Exchange with administrative access was to add the Exchange snap-in from an administrative PowerShell session.

Add-PSSnapin *exch*

To restore the default Role Based Access Control objects to their factory-install state, use the following commands from an administrative command prompt.

Add-PSSnapin *Setup*

Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose

Install-CannedRbacRoles -Verbose

Install-CannedRbacRoleAssignmentsRAP -Verbose


This will restore access so administrators can access Exchange Admin Center and Exchange Management Shell.
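
A check that can be run after the restore to confirm the two symptoms described above are gone (groups outside the expected OU, role groups with no assigned roles). This is an added example, not part of the original post; it assumes a session where the Exchange cmdlets are already loaded, and the report column names are made up for the example.

```powershell
# Added verification example (not from the original post).
# Assumes the Exchange cmdlets are loaded (Exchange Management Shell,
# or a PowerShell session after Add-PSSnapin *exch*).

# OU named in the post; the default groups are expected to live here.
$expectedOu = 'OU=Microsoft Exchange Security Groups'

$report = Get-RoleGroup | ForEach-Object {
    # Management role assignments that apply to this role group.
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $_.DistinguishedName `
                        -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RoleGroup       = $_.Name
        InExpectedOu    = $_.DistinguishedName -like "*,$expectedOu,*"
        AssignedRoles   = @($_.Roles).Count
        RoleAssignments = $assignments.Count
        Members         = @($_.Members).Count
    }
}

# Full picture first, so the result can be kept as a record of the repair.
$report | Sort-Object RoleGroup | Format-Table -AutoSize

# Flag the two failure modes from the post: a group that is not under the
# expected OU, or a role group with no roles assigned.
$problems = @($report | Where-Object {
    -not $_.InExpectedOu -or $_.AssignedRoles -eq 0
})

if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) role group(s) need review:"
    $problems | Sort-Object RoleGroup | Format-Table -AutoSize
}
else {
    Write-Output 'All role groups are under the expected OU and have roles assigned.'
}
```

Custom role groups can legitimately be empty or sit in another OU, so treat a flagged row as something to review rather than as proof of a fault.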