When did having an Exchange Admin account become obsolete?

etcs
etcs used Ask the Experts™
on
I am having a dispute within my company.  At one time (up through Exchange 2003 at least, I believe) it was necessary to have an Exchange Admin account (with the Exchange Full Administrator role) to perform certain tasks even for a small or medium business.  For example, when performing an Exchange migration from one server to another you might want to export mailboxes databases to PST files for later import back into a new Exchange server.  I believe there were other functions also where an Exchange Administrator or Full Administrator account were necessary even in a small  business and where a Domain Administrator account was insufficient.   (It may be true that in larger organizations Exchange Administrators are still necessary due to separation of duties on an IT staff.  But in a small business without any IT staff this is unlikely to be the case.)

I have been told that "at some point" in the past this ceased to be true and that Exchange Administrator accounts were no longer needed for such purposes (like Exchange migrations) because Microsoft made other tools available.   Therefore, the logic goes, we should delete or disable any Exchange Administrator accounts we or our small business clients still have in existence as they are not needed.

My question is if Exchange Administrator accounts are no longer routinely needed when EXACTLY did this become the case?  Did it happen when Exchange 2007 was introduced?  Or maybe Exchange 2010?  Or maybe at some other time when Microsoft introduced some additional tools to facilitate migrations?

Ideally I would like to be able to point to an official Microsoft publication (TechNet, blog article, whatever) as proof of the timeframe when Exchange Administrator accounts became not typically needed.

I am looking forward to some gurus being able to answer this question!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018
Commented:
The answer is oddly "it depends." And is a matter of perspective.

2007 was the major rewrite and was needed to enable powershell management  which MS was huge on during that Vista/2008 era.

But the path wasn't really solid (like many things from MS between 2006-2008) until exchange 2010. 2010 was the first official version to have RBAC baked in end to end instead of ad-hoc. And would be what most people consider the replacement.
Distinguished Expert 2018
Commented:
As for proof  Google exchange RBAC. Plenty there.
Kevin StanushApplication Developer

Commented:
What exactly do you mean by an "Exchange Administrator" account?  Active Directory accounts are assigned to groups, so there is the admin 'Domain Admins' group, and some operations require membership to the 'Enterprise Admins' group or the 'Organization Management' group.  These are builtin groups and I think when you install Exchange they will be assigned by default to the builtin administrator account, but can be granted to other accounts.
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Commented:
This talks towards the topic here at MS https://technet.microsoft.com/en-us/library/dd351175(v=exchg.160).aspx and refers to exchange 2016, but may point to others

Author

Commented:
Kevin Stanush, My apologies.  By "Exchange Administrator" I meant an account which had been assigned the Exchange permissions associated with the "Exchange Administrator" or "Exchange Full Administrator" roles circa Exchange 2003 as described in this TechNet article:  https://technet.microsoft.com/en-us/library/aa998982(v=exchg.65).aspx
Jeff GloverSr. Systems Administrator

Commented:
Exchange uses Role Groups to control who can do what. True, you do not need a dedicated "Administrator Account" to accomplish things but you definitely need to be a member of a Role Group. Even an Enterprise or Domain Admin cannot do a lot with Exchange unless they are a member of a role group. Although a lot can be done with Powershell, attempting it without proper Role Group Membership will just get you a log of Red text.
  Role groups also give you flexibility since, if the default ones do not meet your needs, you can create custom one.. You can also assign individual permissions (such as import/export mailboxes) to users.

Author

Commented:
Thanks all.  Pretty clearly the transition to RBAC is what made the old fashioned Exchange Administrator or Exchange Full Administrator level of permissions obsolete and apparently that became fully baked in Exchange 2010.   I guess the only question remaining is at what point (if ever) the old roles of "Exchange Administrator" or "Exchange Full Administrator" permission levels were deprecated completely in favor of the new RBAC roles.   Anybody know that?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial