Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
When did having an Exchange Admin account become obsolete?
I am having a dispute within my company. At one time (up through Exchange 2003 at least, I believe) it was necessary to have an Exchange Admin account (with the Exchange Full Administrator role) to perform certain tasks even for a small or medium business. For example, when performing an Exchange migration from one server to another you might want to export mailboxes databases to PST files for later import back into a new Exchange server. I believe there were other functions also where an Exchange Administrator or Full Administrator account were necessary even in a small business and where a Domain Administrator account was insufficient. (It may be true that in larger organizations Exchange Administrators are still necessary due to separation of duties on an IT staff. But in a small business without any IT staff this is unlikely to be the case.)
I have been told that "at some point" in the past this ceased to be true and that Exchange Administrator accounts were no longer needed for such purposes (like Exchange migrations) because Microsoft made other tools available. Therefore, the logic goes, we should delete or disable any Exchange Administrator accounts we or our small business clients still have in existence as they are not needed.
My question is if Exchange Administrator accounts are no longer routinely needed when EXACTLY did this become the case? Did it happen when Exchange 2007 was introduced? Or maybe Exchange 2010? Or maybe at some other time when Microsoft introduced some additional tools to facilitate migrations?
Ideally I would like to be able to point to an official Microsoft publication (TechNet, blog article, whatever) as proof of the timeframe when Exchange Administrator accounts became not typically needed.
I am looking forward to some gurus being able to answer this question!
I have been told that "at some point" in the past this ceased to be true and that Exchange Administrator accounts were no longer needed for such purposes (like Exchange migrations) because Microsoft made other tools available. Therefore, the logic goes, we should delete or disable any Exchange Administrator accounts we or our small business clients still have in existence as they are not needed.
My question is if Exchange Administrator accounts are no longer routinely needed when EXACTLY did this become the case? Did it happen when Exchange 2007 was introduced? Or maybe Exchange 2010? Or maybe at some other time when Microsoft introduced some additional tools to facilitate migrations?
Ideally I would like to be able to point to an official Microsoft publication (TechNet, blog article, whatever) as proof of the timeframe when Exchange Administrator accounts became not typically needed.
I am looking forward to some gurus being able to answer this question!
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
What exactly do you mean by an "Exchange Administrator" account? Active Directory accounts are assigned to groups, so there is the admin 'Domain Admins' group, and some operations require membership to the 'Enterprise Admins' group or the 'Organization Management' group. These are builtin groups and I think when you install Exchange they will be assigned by default to the builtin administrator account, but can be granted to other accounts.
This talks towards the topic here at MS https://technet.microsoft.
Kevin Stanush, My apologies. By "Exchange Administrator" I meant an account which had been assigned the Exchange permissions associated with the "Exchange Administrator" or "Exchange Full Administrator" roles circa Exchange 2003 as described in this TechNet article: https://technet.microsoft.com/en-us/library/aa998982(v=exchg.65).aspx
Exchange uses Role Groups to control who can do what. True, you do not need a dedicated "Administrator Account" to accomplish things but you definitely need to be a member of a Role Group. Even an Enterprise or Domain Admin cannot do a lot with Exchange unless they are a member of a role group. Although a lot can be done with Powershell, attempting it without proper Role Group Membership will just get you a log of Red text.
Role groups also give you flexibility since, if the default ones do not meet your needs, you can create custom one.. You can also assign individual permissions (such as import/export mailboxes) to users.
Role groups also give you flexibility since, if the default ones do not meet your needs, you can create custom one.. You can also assign individual permissions (such as import/export mailboxes) to users.
Thanks all. Pretty clearly the transition to RBAC is what made the old fashioned Exchange Administrator or Exchange Full Administrator level of permissions obsolete and apparently that became fully baked in Exchange 2010. I guess the only question remaining is at what point (if ever) the old roles of "Exchange Administrator" or "Exchange Full Administrator" permission levels were deprecated completely in favor of the new RBAC roles. Anybody know that?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Outlook 2007 Ba… 238 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - PowerPoint 2010… 203 lessons
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
2007 was the major rewrite and was needed to enable powershell management which MS was huge on during that Vista/2008 era.
But the path wasn't really solid (like many things from MS between 2006-2008) until exchange 2010. 2010 was the first official version to have RBAC baked in end to end instead of ad-hoc. And would be what most people consider the replacement.