Today I was trying to help one of my customers grant the local support team permission to reset passwords for end users.
The main idea was to add a new role “reset password” to the help desk team.
But we kept hitting this exception:
“You don’t have access to create, change, or remove the “Reset Password – Support” management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.”
After some investigation I found that the default management role assignment “reset password” is missing.
That wasn’t the same behavior on my Exchange 2013 RTM or CU1 lab.
Checking further, I found that he is running Exchange 2013 CU1 upgraded from Exchange 2013 RTM.
If you installed Exchange 2013 CU1 directly, or a later version, you won’t see this issue.
Touching any default RBAC settings is not easy; as a matter of fact, you can’t do that while you are running a normal remote PowerShell session.
The solution, which is not supported as you can imagine, is to add the PSSnapin for Exchange 2010, bypass RBAC, and create the management role assignment manually.
Add-PSSnapin *
New-ManagementRoleAssignment -Role "reset password" -SecurityGroup "support team" -Name "Reset Password – Delegate" -Delegating
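A read-only check to run before and after the change, added here as an example and not part of the original post: it lists the delegating assignments that exist for the role, with their scope, and shows who can actually use the role. It assumes an Exchange Management Shell session and the role name used above.

```powershell
# Added example (not from the original post). Read-only: makes no changes.
# Assumes the Exchange cmdlets are loaded and the role is named as in the post.
$role = "Reset Password"

# 1. Delegating assignments: these decide who may hand the role out to others.
$delegating = Get-ManagementRoleAssignment -Role $role -Delegating $true

if (-not $delegating) {
    Write-Warning "No delegating assignment found for '$role'. Creating or changing assignments for this role will fail with the access error quoted above."
}
else {
    # The error text asks for a delegating assignment "without a scope
    # restriction", so show the delegation type and any custom scope.
    $delegating |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType,
                      RoleAssignmentDelegationType, CustomRecipientWriteScope, Enabled |
        Format-Table -AutoSize
}

# 2. Regular assignments: who can actually reset passwords, and in what scope.
#    Review this after the fix so the support team holds only what was intended.
Get-ManagementRoleAssignment -Role $role -Delegating $false -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Sort-Object RoleAssigneeName, EffectiveUserName |
    Format-Table -AutoSize
```

Because the delegating assignment lets its holders grant the role to others, the output of step 1 is the part to review most carefully once the manual assignment is in place.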