Restore Organization Management Role Back to Default Settings
April 17, 2013
Quisitive
Here is how to restore the default settings.

I had a client who, while working to better lock down and delegate Exchange administrative access, accidentally changed the write scope for the Organization Management Role. The change was not noticed until later, when it began affecting normal admin tasks. By then, nobody could remember what had been changed, which made it difficult to change it back. There is no ‘Restore Default’ option in this case.

The first step was to determine what had been changed. The Administrator Roles menu in the Exchange Control Panel still listed the Organization Management role; however, opening the role to adjust the setting gave us this error:

“Roles were assigned to this role group using multiple write scopes or exclusive write scopes. Therefore, you can’t view the write scope or manage the assigned roles here.”

The ECP was not helpful, and RBAC cannot be managed in the EMC, so I had to turn to the shell. Expanding the role group using Get-RoleGroup "Organization Management" | Format-List did not give me any useful information. I was able to dump the information I needed to a CSV using the Get-ManagementRoleAssignment cmdlet:

Get-ManagementRoleAssignment -RoleAssignee "Organization Management" | Export-Csv c:\download\scripts\output\Get-MgmtRA-OrgMgmt.csv

A quick review and sort of the CSV identified the role assignments to which the custom recipient write scope had been applied, as shown in this excerpt from the spreadsheet.

| CustomRecipientWriteScope | CustomConfigWriteScope | RecipientReadScope | ConfigReadScope | RecipientWriteScope |
|---|---|---|---|---|
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| TEST Recipients | | Organization | OrganizationConfig | CustomRecipientScope |
| | | Organization | OrganizationConfig | Organization |
| | | Organization | OrganizationConfig | Organization |
| | | Organization | OrganizationConfig | Organization |

Now that I knew which Role Assignments had been modified, I could set them back to the default Organization setting by using the Set-ManagementRoleAssignment cmdlet for each assignment:

Set-ManagementRoleAssignment "UM Prompts-Organization Management" -RecipientRelativeWriteScope Organization

Once each role assignment had been set back to the default of Organization, the role could be managed in the ECP again, and the admin issues we were experiencing were resolved.
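
The per-assignment reset described above can be scripted for the Exchange Management Shell. This is an added example, not part of the original post: it records the current assignments, selects the ones whose RecipientWriteScope reads CustomRecipientScope (as in the spreadsheet excerpt), and previews the reset with -WhatIf until $Apply is set to $true. The variable names and the backup path are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# $BackupPath and $Apply are illustrative names; adjust the path for your environment.
$RoleGroup  = 'Organization Management'
$BackupPath = '.\OrgMgmt-assignments-before.csv'   # assumed location for the record
$Apply      = $false                               # $false = preview only (-WhatIf)

$assignments = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup

# Record the current scopes first, so this change can itself be reviewed or undone.
$assignments |
    Select-Object Name, Role, RoleAssignmentDelegationType,
                  RecipientReadScope, ConfigReadScope,
                  RecipientWriteScope, CustomRecipientWriteScope,
                  ConfigWriteScope, CustomConfigWriteScope |
    Export-Csv -Path $BackupPath -NoTypeInformation

# Select only assignments carrying a custom recipient write scope. Assignments
# that already read Organization (or anything else) are left untouched.
$modified = @($assignments | Where-Object {
    "$($_.RecipientWriteScope)" -eq 'CustomRecipientScope'
})

Write-Host "$($modified.Count) of $(@($assignments).Count) assignments use a custom recipient write scope:"
$modified | Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

foreach ($a in $modified) {
    # Same command as in the post, applied to each affected assignment.
    Set-ManagementRoleAssignment -Identity $a.Name `
        -RecipientRelativeWriteScope Organization -WhatIf:(!$Apply)
}

if ($Apply) {
    # Verify: nothing assigned to the role group should still be custom-scoped.
    $left = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup | Where-Object {
        "$($_.RecipientWriteScope)" -eq 'CustomRecipientScope'
    })
    if ($left.Count -eq 0) {
        Write-Host 'All recipient write scopes are back to Organization.'
    } else {
        Write-Warning "$($left.Count) assignments still use a custom scope:"
        $left | Format-Table Name, CustomRecipientWriteScope -AutoSize
    }
}
```

Review the table it prints before setting $Apply to $true, since any custom scope that was applied to this role group deliberately would be reset as well.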