etcs
asked on
When did having an Exchange Admin account become obsolete?
I am having a dispute within my company. At one time (up through Exchange 2003 at least, I believe) it was necessary to have an Exchange Admin account (with the Exchange Full Administrator role) to perform certain tasks even for a small or medium business. For example, when performing an Exchange migration from one server to another you might want to export mailboxes databases to PST files for later import back into a new Exchange server. I believe there were other functions also where an Exchange Administrator or Full Administrator account were necessary even in a small business and where a Domain Administrator account was insufficient. (It may be true that in larger organizations Exchange Administrators are still necessary due to separation of duties on an IT staff. But in a small business without any IT staff this is unlikely to be the case.)
I have been told that "at some point" in the past this ceased to be true and that Exchange Administrator accounts were no longer needed for such purposes (like Exchange migrations) because Microsoft made other tools available. Therefore, the logic goes, we should delete or disable any Exchange Administrator accounts we or our small business clients still have in existence as they are not needed.
My question is if Exchange Administrator accounts are no longer routinely needed when EXACTLY did this become the case? Did it happen when Exchange 2007 was introduced? Or maybe Exchange 2010? Or maybe at some other time when Microsoft introduced some additional tools to facilitate migrations?
Ideally I would like to be able to point to an official Microsoft publication (TechNet, blog article, whatever) as proof of the timeframe when Exchange Administrator accounts became not typically needed.
I am looking forward to some gurus being able to answer this question!
I have been told that "at some point" in the past this ceased to be true and that Exchange Administrator accounts were no longer needed for such purposes (like Exchange migrations) because Microsoft made other tools available. Therefore, the logic goes, we should delete or disable any Exchange Administrator accounts we or our small business clients still have in existence as they are not needed.
My question is if Exchange Administrator accounts are no longer routinely needed when EXACTLY did this become the case? Did it happen when Exchange 2007 was introduced? Or maybe Exchange 2010? Or maybe at some other time when Microsoft introduced some additional tools to facilitate migrations?
Ideally I would like to be able to point to an official Microsoft publication (TechNet, blog article, whatever) as proof of the timeframe when Exchange Administrator accounts became not typically needed.
I am looking forward to some gurus being able to answer this question!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Kevin Stanush
What exactly do you mean by an "Exchange Administrator" account? Active Directory accounts are assigned to groups, so there is the admin 'Domain Admins' group, and some operations require membership to the 'Enterprise Admins' group or the 'Organization Management' group. These are builtin groups and I think when you install Exchange they will be assigned by default to the builtin administrator account, but can be granted to other accounts.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Kevin Stanush, My apologies. By "Exchange Administrator" I meant an account which had been assigned the Exchange permissions associated with the "Exchange Administrator" or "Exchange Full Administrator" roles circa Exchange 2003 as described in this TechNet article: https://technet.microsoft.com/en-us/library/aa998982(v=exchg.65).aspx
Exchange uses Role Groups to control who can do what. True, you do not need a dedicated "Administrator Account" to accomplish things but you definitely need to be a member of a Role Group. Even an Enterprise or Domain Admin cannot do a lot with Exchange unless they are a member of a role group. Although a lot can be done with Powershell, attempting it without proper Role Group Membership will just get you a log of Red text.
Role groups also give you flexibility since, if the default ones do not meet your needs, you can create custom one.. You can also assign individual permissions (such as import/export mailboxes) to users.
Role groups also give you flexibility since, if the default ones do not meet your needs, you can create custom one.. You can also assign individual permissions (such as import/export mailboxes) to users.
ASKER
Thanks all. Pretty clearly the transition to RBAC is what made the old fashioned Exchange Administrator or Exchange Full Administrator level of permissions obsolete and apparently that became fully baked in Exchange 2010. I guess the only question remaining is at what point (if ever) the old roles of "Exchange Administrator" or "Exchange Full Administrator" permission levels were deprecated completely in favor of the new RBAC roles. Anybody know that?