Hi
I'm busy studying towards Exchange 2013 and I am in the section learning RBAC etc. so in the book it gives the example below:
New-ManagementRoleAssignment -Role 'Unscoped Role Management' -SecurityGroup 'Exchange Admins'
and then this command:
New-ManagementRole -Name 'Exchange Admin Scripts' -UnscopedTopLevel
which you can't execute, as the Unscoped Management Role isn't a member of the role I belong to, which happens to be the Organization Management role, so I add it and the new role gets created. Nice.
Now it gets a little confusing as to what happened next, but I think I started getting these errors in the EMC when looking at the Organization Management role: "You can't copy this role group here, because it contains roles that were assigned using multiple write scopes or exclusive write scopes."
So I deleted the ADUG "Exchange Admins" from AD - I know I shouldn't have done that!!!
I then found this command which I ran, "Get-ManagementRoleAssignment -Identity '*Application-Organization Management' | Remove-ManagementRoleAssignment", which appears to have removed all the roles from the Organization Management role and allowed me to add them back. But I wasn't watching and I added the same damn role back and I am now stuck with the following roles in the Organization Management role:
Active Directory Permissions
Address Lists
Audit Logs
Cmdlet Extension Agents
Data Loss Prevention
Database Availability Groups
Database Copies
Databases
Disaster Recovery
Distribution Groups
Edge Subscriptions
E-Mail Address Policies
Exchange Admin Scripts
Exchange Connectors
Exchange Server Certificates
Role Management
I can no longer administer my Exchange and I can't remove the "Exchange Admin Scripts" role.
When running the get-managementrole cmd, I can see the role, below:
Exchange Admin Scripts    UnScoped
When running the get-managementroleassignment, I can see the error below:
UnScoped Role Management-Ex...    UnScoped Role Manag...    SecurityGroup    Direct    All Group Members
WARNING: The object UnScoped Role Management-Exchange Admins has been corrupted, and it's in an inconsistent state. The following validation errors happened:
WARNING: The management role assignment UnScoped Role Management-Exchange Admins isn't associated with a role group, assignment policy, user, or universal security group. The role group, assignment policy, user, or USG might have been deleted. Use the Remove-ManagementRoleAssignment cmdlet to remove this role assignment.
These are the results of the remove commands:
[PS] C:\Windows\system32>Remove-ManagementRoleAssignment "Unscoped Role Management"
The operation couldn't be performed because object 'Unscoped Role Management' couldn't be found on 'DC01.E13.local'. Verify the name of the
management role assignment and try again. You can retrieve the name of the role assignment using the Get-ManagementRoleAssignment cmdlet.
+ CategoryInfo : NotSpecified: (:) [Remove-ManagementRoleAssignment], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : B9A86A38,Microsoft.Exchange.Management.RbacTasks.RemoveManagementRoleAssignment
+ PSComputerName : exch01.e13.local
[PS] C:\Windows\system32>Remove-ManagementRole 'Exchange admin scripts'
The precanned management role "Exchange admin scripts" can't be removed.
+ CategoryInfo : InvalidOperation: (Exchange Admin Scripts:ADObjectId) [Remove-ManagementRole], InvalidOperationException
+ FullyQualifiedErrorId : 52BAF806,Microsoft.Exchange.Management.RbacTasks.RemoveManagementRole
+ PSComputerName : exch01.e13.local
Any help would REALLY be appreciated. Thanks a lot.
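
Added example (not part of the original post, nor from the book it mentions): the Remove commands quoted above were given a role name where Remove-ManagementRoleAssignment expects an assignment name, and Remove-ManagementRole was run without its -UnScopedTopLevel switch. This Exchange Management Shell sketch lists assignments by their own names and previews each removal with -WhatIf. The names are copied from the output quoted in the post; that the account running it still holds Role Management is an assumption.

```powershell
# Run in the Exchange Management Shell. Every Remove-* call uses -WhatIf, so
# nothing changes until the switch is deleted after reviewing the preview.

# Names copied from the output quoted in the post.
$roleName        = 'Exchange Admin Scripts'
$orphanedAssign  = 'UnScoped Role Management-Exchange Admins'

# 1. A role assignment has its own name, normally "<Role>-<Assignee>", which is
#    not the same as the role name. List every assignment next to its role and
#    assignee so the exact Identity to pass to Remove-* can be read off.
Get-ManagementRoleAssignment |
    Sort-Object Role, Name |
    Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType -AutoSize

# 2. Preview removal of the assignment the WARNING flagged as orphaned,
#    addressed by its assignment name rather than by the role name.
Remove-ManagementRoleAssignment -Identity $orphanedAssign -WhatIf

# 3. A role cannot be removed while assignments still reference it. Find every
#    assignment of the custom unscoped role (including the one that ended up on
#    Organization Management) and preview removing them.
$assignments = Get-ManagementRoleAssignment -Role $roleName
$assignments | Format-Table Name, RoleAssigneeName, RoleAssigneeType -AutoSize
$assignments | Remove-ManagementRoleAssignment -WhatIf

# 4. Unscoped top-level roles are created with -UnScopedTopLevel and need the
#    same switch on removal.
Remove-ManagementRole -Identity $roleName -UnScopedTopLevel -WhatIf

# 5. Afterwards, confirm what Organization Management is left holding.
Get-ManagementRoleAssignment -RoleAssignee 'Organization Management' |
    Sort-Object Role |
    Format-Table Name, Role, RoleAssignmentDelegationType -AutoSize
```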