Troubleshooting RBAC

(or determining RBAC Permissions)

  • Get-ManagementScope – displays defined scopes, or details of a individual scope.
  • Get-ManagementRole
    • GetChildren – enumerate roles of immediate children
    • Recurse – enumerate roles of children and the children of those roles
    • Cmdlet – enumerate roles include this specific cmdlet
    • CmdletParameters – enumerate roles include this specific parameter
    • RoleType
  • Get-ManagementRoleEntry – shows all the role entries in a Management role (Ex: Get-ManagementRoleentry “Recipient Policies\*”)
  • Get-RoleGroup – shows all the groups or if you specify one with –ID will give you details on that group
  • Get-RoleGroupMember – shows all the group’s members (ex: Get-RoleGroupMember “Organization Management”)
  • Get-RoleAssignmentPolicy – Shows the role assignment policies
  • Get-ManagementRoleAssignment
    • Examples: 
      • Get-ManagementRoleAssignment –Role “Organization Configuration” –GetEffectiveUser –Delegating $False | FL Name, RoleAssigneeName, EffectiveUserName, AssignmentChain (shows the users and groups that have Org Config RBAC permissions)
      • Get-ManagementRoleAssignment -WritableRecipient administrator –GetEffectiveUsers (shows the users that can make changes to administrator)

Note: As with all powershell commands you can use help cmdlet –examples to get more info (ex: help Get-ManagementRoleAssignment –Examples)


What version is my Exchange Server?

Have you run into an issue where you were asked what build of exchange you have and weren’t able to provide a quick answer? well now you can.


Here is the Microsoft Wiki that contains all the 2007-2010 version numbers.

For older versions


To find your build number just run this from powershell

Get-ExchangeServer |ft identity,*DisplayVersion

Disable TOE and RSS

These technologies are great if your environment support them end to end, but if not you may see some of the following issues.

Symptoms include

  • Sporadic Network issues.
  • Service failing (Because of network login issues)
  • Delay in service start (Because of network login issues)
  • Unexplained issues that Seem to be network related but other areas have already been investigated


Resolution: To keep it as simple and reliable as possible

  1. Update to latest drivers
  2. Disable Everything that says offload or scaling in the NIC properties
  3. Disable it for the OS as well


  • netsh interface tcp set global rss=disabled
  • netsh interface tcp set global chimney=disabled
  • netsh interface tcp set global autotuninglevel=disabled


  • Netsh int ip set chimney disabled

Random issue with Outlook 2003 accessing Exchange 2010.

Possible Symptom

  • Slow or hangs when accessing shared calendar or public folder information from outlook 2003
  • Delay in email
  • Errors
    • “Unable to open your default e-mail folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.”
    • “Unable to expand the folder. The set of folders could not be opened.”


3 Possible causes

  1. RPC Throttling
    • Here is a very good article on it
    • In a nutshell you need to set a policy that will increase “RCAMaxConcurrency”
      • As a testing step run this:
        Get-ThrottlingPolicy | set-ThrottlingPolicy –RCAMaxConcurrency $null
      • If it does resolve the issue follow the article above to set a new policy correctly and revert the test setting
        Get-ThrottlingPolicy | set-ThrottlingPolicy -RCAMaxConcurrency 20
  2. UDP notification
    • Solution is to put the 2003 Outlook client in cached mode.
  3. Genuine network issues (here are some general tips)
    1. Check cabling
    2. Check Switch Logs
    3. Try to isolate client to server to eliminate network issues as a cause.
    4. Disable TOE and RSS on NICS
    5. Check that the NIC and the switches are running the same speed and duplex
    6. Use a sniffer to inspect traffic.