Monday, July 9, 2012

RBAC mess after recovering my deleted Exchange 2010 security groups!!

Just after I recovered my accidentally deleted Microsoft Exchange security groups, I noticed that in the Exchange Management Console (EMC) and the Exchange Management Shell (EMS) the tasks available to me did not match my assigned Exchange role (Organization Management); see below:

image

image

This indicates an issue with Role Based Access Control (RBAC) for the default Exchange security groups, which I faced about two years ago with an earlier Exchange 2010 test.

Here is what to do, as instructed by David Strome in a TechNet forums post:

  • Open Windows PowerShell (not the Exchange Management Shell)
    • If you have UAC enabled, right click Windows PowerShell and click Run as administrator.
  • Run Start-Transcript c:\RBAC.txt and press enter
    • This will start logging all commands and output you type to a text file.
  • Run Add-PSSnapin *setup and press enter
    • This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
      DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.
  • Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.
    • This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.
    • Be sure you run with the Verbose switch so we can capture what the cmdlet does.
  • Run Remove-PSSnapin *setup and press enter
  • Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter
    • Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.
  • Run Import-PSSession $Session and press enter
  • Run Get-ManagementRoleAssignment and press enter
  • Run Stop-Transcript and press enter

Here is my execution of these commands on my Exchange server, without -Verbose for the Install-CannedRbacRoleAssignments command [just to conserve view]:

image

Just after that, I was able to see all available options as an Organization Management administrator using EMC, and also to execute cmdlets using EMS.

image

image

This concludes all that you will need to do to restore your servers to their old state in case of Exchange 2010 security group deletion when you have neither a valid Active Directory Domain Services backup nor the Active Directory recycle bin.
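
A check to run after the last step of the procedure, as an added example that is not part of the original post or of the TechNet instructions: it summarizes the Get-ManagementRoleAssignment output per role group and flags groups that still have no regular role assignments or no members. The function name Get-RoleGroupAssignmentGap, the helper New-Sample and the sample objects are hypothetical and constructed; the property names are those returned by Get-RoleGroup and Get-ManagementRoleAssignment.

```powershell
# Added example, not from the original post. Written for Windows PowerShell 2.0 and later.
function Get-RoleGroupAssignmentGap {
    param(
        [Parameter(Mandatory = $true)] [object[]] $RoleGroup,  # Get-RoleGroup output
        [object[]] $Assignment = @()                           # Get-ManagementRoleAssignment output
    )
    foreach ($group in $RoleGroup) {
        # Enabled assignments whose assignee is this role group.
        $own = @($Assignment | Where-Object {
            $_.RoleAssigneeName -eq $group.Name -and $_.Enabled
        })
        # Regular assignments grant cmdlets; the rest only allow delegating the role.
        $regular = @($own | Where-Object { "$($_.RoleAssignmentDelegationType)" -eq 'Regular' })
        # Drop null entries so an empty membership counts as zero.
        $members = @($group.Members | Where-Object { $_ })
        if ($regular.Count -eq 0)     { $status = 'NO REGULAR ASSIGNMENTS' }
        elseif ($members.Count -eq 0) { $status = 'NO MEMBERS' }
        else                          { $status = 'OK' }
        New-Object PSObject -Property @{
            RoleGroup  = $group.Name
            Regular    = $regular.Count
            Delegating = $own.Count - $regular.Count
            Members    = $members.Count
            Status     = $status
        } | Select-Object RoleGroup, Regular, Delegating, Members, Status
    }
}

# Constructed sample objects standing in for live cmdlet output (not real data).
function New-Sample([hashtable] $p) { New-Object PSObject -Property $p }
$groups = @(
    (New-Sample @{ Name = 'Organization Management'; Members = @('lab.example/Users/admin1') }),
    (New-Sample @{ Name = 'Recipient Management';    Members = @('lab.example/Users/helpdesk1') }),
    (New-Sample @{ Name = 'Help Desk';               Members = @() })
)
$assignments = @(
    (New-Sample @{ RoleAssigneeName = 'Organization Management'; Role = 'Mail Recipients'
                   RoleAssignmentDelegationType = 'Regular'; Enabled = $true }),
    (New-Sample @{ RoleAssigneeName = 'Organization Management'; Role = 'Mail Recipients'
                   RoleAssignmentDelegationType = 'DelegatingOrgWide'; Enabled = $true }),
    (New-Sample @{ RoleAssigneeName = 'Help Desk'; Role = 'User Options'
                   RoleAssignmentDelegationType = 'Regular'; Enabled = $true })
)
Get-RoleGroupAssignmentGap -RoleGroup $groups -Assignment $assignments | Format-Table -AutoSize

# Live use, in the session imported in the steps above:
# Get-RoleGroupAssignmentGap -RoleGroup (Get-RoleGroup) -Assignment (Get-ManagementRoleAssignment)
```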