Mailbox Access Auditing In Exchange 2007 SP2…

One of the new features that Service Pack 2 of Exchange 2007 Server brings is the ability to audit mailbox access. Now that the second service pack has been deployed in most production environments, I thought it would be good to explain the steps to enable it, how to get the audited info & how to change the default settings. There are no new tabs or options in the EMC that will catch your attention for enabling mailbox access auditing. Enabling this feature is bundled into the “Manage Diagnostic Logging Properties” wizard. Check my previous article.

Access auditing is controlled by diagnostic logging categories for the Exchange Information Store (MSExchangeIS). This feature cannot audit message deletions; only access can be audited. The following four actions can be audited.

  • Folder Access – Lets you log events that correspond to opening folders, such as the Inbox, Outbox, or Sent Items folders.
  • Message Access – Lets you log events that correspond to explicitly opening messages.
  • Extended Send As – Lets you log events that correspond to sending a message as a mailbox-enabled user.
  • Extended Send On Behalf Of – Lets you log events that correspond to sending a message on behalf of a mailbox-enabled user.

How To Enable Mailbox Access Auditing?

Launch EMC & navigate to Server Configuration -> Mailbox. Select your mailbox server, right click & select “Manage Diagnostic Logging Properties”. Drill down to MSExchangeIS -> 9000 Private.

Expand the tree to see all the options & you will find the four options mentioned above.

Increase the logging level, depending upon the level of information you need & click Configure. That’s it!

How To Access The Audited Info?

Now that mailbox access auditing is enabled, we need to be able to get the information logged. SP2 creates a separate area for logging information related to mailbox access & it is named Exchange Auditing. Navigate to Event Viewer -> Applications & Services Log -> Exchange Auditing.
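The same enable-and-check procedure from the Exchange Management Shell, as an added example that is not part of the original article. The server name `MBX01` and the `Low` level are assumptions, the category names are the four listed above, and it assumes the Exchange Auditing log can be read locally with `Get-EventLog`.

```powershell
# Added example; run in the Exchange Management Shell on the mailbox server.
$server = "MBX01"   # hypothetical server name, replace with your own
$level  = "Low"     # assumed level; raise it if you need more detail

# The four auditing categories under MSExchangeIS -> 9000 Private
$categories = "Folder Access",
              "Message Access",
              "Extended Send As",
              "Extended Send On Behalf Of"

foreach ($category in $categories) {
    $id = "$server\MSExchangeIS\9000 Private\$category"

    # Same change the "Manage Diagnostic Logging Properties" wizard makes
    Set-EventLogLevel -Identity $id -Level $level

    # Read the setting back so a typo in the category name is caught here
    Get-EventLogLevel -Identity $id
}

# A reader comment on this page reports that the log can stay empty until
# the Information Store service is restarted. Restarting it dismounts the
# databases, so plan it for a maintenance window:
# Restart-Service MSExchangeIS

# Pull the most recent entries from the dedicated auditing log
$events = Get-EventLog -LogName "Exchange Auditing" -Newest 500

# Which kinds of access are being recorded, and how often
$events | Group-Object EventID |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Full text of the latest ten entries for review
$events | Select-Object -First 10 TimeGenerated, EventID, Message |
    Format-List
```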

How To Change The Default Properties?

By default, the logs are stored in the Exchange Server installation directory, Drive:\Program Files\Microsoft\Exchange Server\Logging\AuditLogs to be precise. The default behaviour is to archive the log when it gets full. Hence, the location of the logs should be changed to a drive that has enough free space. You can achieve this by opening the properties of the Exchange Auditing log & changing the options.

What About Service Accounts?

Any organization will have service accounts which have full access to the mailboxes, like accounts used to run backups. As these accounts are used on a daily basis, we don’t need information about them filling up our mailbox access log. To overcome this issue, SP2 extends the schema with a new right named “Bypass Auditing”. Run the following command to exclude service accounts from being audited.

Get-MailboxDatabase -Identity "server\sg\dbname" | Add-ADPermission -User "service account" -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
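Because any account holding this right leaves no trace in the Exchange Auditing log, it is worth reviewing who has it. The following is an added example, not part of the original article; the allow-list entry `CONTOSO\svc-backup` is a hypothetical account name.

```powershell
# Added example; run in the Exchange Management Shell.
# Lists every security principal holding the Bypass Auditing right on each
# mailbox database and marks the ones missing from an approved list.
$right    = "ms-Exch-Store-Bypass-Access-Auditing"
$approved = @("CONTOSO\svc-backup")   # hypothetical allow-list

Get-MailboxDatabase | ForEach-Object {
    $db = $_

    # Explicit and inherited ACEs on the database object in Active Directory
    Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { $_.ExtendedRights -like $right } |
        Select-Object `
            @{ Name = "Database"; Expression = { $db.Identity } },
            User,
            Deny,          # True means the entry denies the right
            IsInherited,   # True means it was granted higher in the tree
            @{ Name = "Approved"
               Expression = { $approved -contains $_.User.ToString() } }
} | Sort-Object Approved, Database | Format-Table -AutoSize
```

Rows with `Approved` set to False and `Deny` set to False are accounts whose mailbox access is not being logged; `Remove-ADPermission` with the same `-User` and `-ExtendedRights` values takes the right away again.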

Exchange Architect, Blogger, Husband & Dad. I have been in IT for the last 11 years, with Exchange Server becoming the prime area in the last few years. I am active on TechNet forums & Experts Exchange.


10 comments

  • Anonymous January 17, 2010 at 12:14 am

    Excellent Article. Quick question: is there any way to get the Low Level logon event to go to this new log vs the Application log?

    Thanks,
    Dennis

  • Anonymous April 6, 2010 at 8:18 am

    Nice article.

    However, the threat is on the higher side when a privileged user uses a service account to log in. So it is highly recommended to enable auditing for service accounts too.

    Thanks/Peter

  • Anonymous April 8, 2010 at 4:24 pm

    Hi,

    After applying your procedure, I still have the Exchange Auditing event log empty. Is this normal?

    Thanks

  • Anonymous April 21, 2010 at 8:28 pm

    Does this mean that a local administrator on the server can be logged too? I have an Exchange Server 2007 "Illinois" which is part of AD. I can logon to the server using Local Admin account. I should be able to log that a Local Admin was accessing the mailbox of another user.

  • Shahin May 8, 2010 at 7:10 pm

    What about the same for Exchange 2010? All these are missing from the MSExchangeIS of Exchange 2010.

  • Johnston, Kevin February 2, 2011 at 1:24 pm

    You must restart the Information Store service every time you change auditing log levels or your logs may be empty.

  • Rajith Jose Enchiparambil February 2, 2011 at 1:33 pm

    Thanks Kevin

  • Anonymous May 17, 2011 at 2:48 pm

    I have restarted the Exchange server several times but it didn't want to log the events. And suddenly it logged all, when I open the calendar, contact folder or inbox folder… I don't know why. Maybe I have all the machines on VMs and they don't have enough memory…

  • Rajith Jose Enchiparambil May 17, 2011 at 4:44 pm

    You have enabled logging and it didn't log for a while? Is that the issue?

  • Dave Harbourne May 23, 2012 at 8:09 am

    Good post! Just wondering, does anyone know if this or any other Exchange monitoring tool can monitor calendar deletions? I need to track who and when and from what device a calendar item got removed.
    Thanks
