Will this be fixed with a future release/roll-up ?

In those 3 steps, you never removed the old role from the default assignment policy.  Wouldn't you first have to create the new RBAC Role, remove the commands, remove the old role from the default asssignment policy, and then add the new role to the default assignment policy?

Or is it because you have a new role that is a child with less commands, it overides the old role?

RBAC is confusing as hell.

Boyfromcork,

Technially there is nothing broken here.  With the way that RBAC works and the desire to not turn functionality on for people that don't currently have it on, this is operating as designed.

Yes ... the experience could be better I won't argue with that, and we will see what we can do for SP1 but for now it is actually operting very well given the design of RBAC.

Iamme,

We can't remove the old role.  It is one of the default roles in RBAC and cannot be deleted.  The old role is not applying because we didn't create a role assignment for it.  As long as the "My Distribution Groups" box is unchecked in the ECP there is no role assignment linking the Default Role (old role) and the Default Policy.

I recommend that you read my post on RBAC and the Triangle of Power.  I will clear up how RBAC works and will make this article make more sense.

http://msexchangeteam.com/archive/2009/11/16/453222.aspx

-Matt

Oh I get it.  I forgot you left the old role unchecked.  Now when you created the new role, you did assign that so that applies, but not the old one.  Got it, thanks!

Thanks for this....really helped me out! But if I want to make it som that the owner of a distribution group also can create distribution groups within the group he already owns...is it possible. I don't want to give him the permissions to create distribution groups in general.