One of the new features that service pack 2 of Exchange Server 2007 brings is the ability to audit mailbox access. Now that the second service pack has been deployed in most production environments, I thought it would be good to explain the steps to enable it, how to get at the audited information & how to change the default settings. There are no new tabs or options in the EMC that will catch your attention for enabling mailbox access auditing. Enabling this feature is bundled into the “Manage Diagnostic Logging Properties” wizard. Check my previous article.
Access auditing is controlled by diagnostic logging categories of the Exchange Information Store (MSExchangeIS). This feature cannot audit message deletions; only access is logged. Following are the four actions on which auditing is possible.
- Folder Access – Lets you log events that correspond to opening folders, such as the Inbox, Outbox, or Sent Items folders.
- Message Access – Lets you log events that correspond to explicitly opening messages.
- Extended Send As – Lets you log events that correspond to sending a message as a mailbox-enabled user.
- Extended Send On Behalf Of – Lets you log events that correspond to sending a message on behalf of a mailbox-enabled user.
How To Enable Mailbox Access Auditing?
Launch EMC & navigate to Server Configuration -> Mailbox. Select your mailbox server, right click & select “Manage Diagnostic Logging Properties”. Drill down to MSExchangeIS -> 9000 Private.
Expand the tree to see all the options & you will find the four options mentioned above.
Increase the logging level, depending upon the level of information you need & click Configure. That’s it!
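The same four categories can be set from the Exchange Management Shell with Set-EventLogLevel, which is handy when several mailbox servers must be configured identically or when the setting should be re-checked on a schedule. The script below is an added example, not code from the original article; it assumes the category identities mirror the EMC tree shown above (MSExchangeIS\9000 Private\<category>) and that the shell is run with Exchange administrator rights on the server.

```powershell
# Added example (not from the original article): enable the four SP2 mailbox
# access auditing categories from the Exchange Management Shell instead of
# the EMC wizard, then read the levels back to confirm the change.
# Assumption: the category identity is "<Server>\MSExchangeIS\9000 Private\<Category>",
# matching the tree shown in Manage Diagnostic Logging Properties.

param(
    [string]$Server = $env:COMPUTERNAME,      # mailbox server to configure
    [ValidateSet('Lowest', 'Low', 'Medium', 'High', 'Expert')]
    [string]$Level = 'Low'                    # Lowest = auditing off; raise for more detail
)

$categories = @(
    'Folder Access',
    'Message Access',
    'Extended Send As',
    'Extended Send On Behalf Of'
)

foreach ($category in $categories) {
    $identity = "$Server\MSExchangeIS\9000 Private\$category"
    Set-EventLogLevel -Identity $identity -Level $Level
    Write-Host "Set '$category' on $Server to $Level"
}

# Read the configured levels back. Run this part on its own periodically: a
# category that has silently dropped back to Lowest means auditing was
# switched off, which is worth an alert in its own right.
Get-EventLogLevel -Server $Server |
    Where-Object { $_.Identity -like "*9000 Private\*" } |
    Where-Object {
        $id = $_.Identity
        ($categories | Where-Object { $id -like "*\$_" }).Count -gt 0
    } |
    Select-Object Identity, EventLevel |
    Format-Table -AutoSize
```

Running the script with -Level Lowest turns the four categories off again, so the same file doubles as the rollback procedure.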
How To Access The Audited Info?
Now that mailbox access auditing is enabled, we need to be able to get the information logged. SP2 creates a separate area for logging information related to mailbox access & it is named Exchange Auditing. Navigate to Event Viewer -> Applications & Services Log -> Exchange Auditing.
How To Change The Default Properties?
By default, the logs are stored in the Exchange Server installation directory, <Drive>:\Program Files\Microsoft\Exchange Server\Logging\AuditLogs to be precise. The default behaviour is to archive the log when it gets full. Hence, the location of the logs should be changed to a drive that has enough free space. You can achieve this by opening the properties of the Exchange Auditing log & changing the options.
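The two previous sections describe where the audit events land and how the log's storage settings are changed through the Event Viewer. The following added example (not part of the original article) does both from the command line: it summarises the last 24 hours of the Exchange Auditing log per event ID, exports the raw events to CSV for longer retention, and relocates the log file to a larger volume with wevtutil while keeping the archive-when-full behaviour. It assumes a Windows Server 2008 mailbox server with PowerShell 2.0 (Get-WinEvent is not available in PowerShell 1.0); the export path, target volume and size are placeholder values.

```powershell
# Added example, not from the original article. Assumes Windows Server 2008
# and PowerShell 2.0 on the mailbox server. Paths and sizes are placeholders.

function Get-ExchangeAuditSummary {
    # Count audit events per event ID for the last $Hours hours. A sudden jump
    # in one ID (for example a burst of Message Access events) is the kind of
    # change a daily review should catch.
    param([int]$Hours = 24, [string]$Server = $env:COMPUTERNAME)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'Exchange Auditing'
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No Exchange Auditing events on $Server since $since"
        return
    }

    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

function Export-ExchangeAuditEvents {
    # Flatten each event to one CSV row so the data can be kept (or shipped to
    # a log collector) independently of the event log's own size limit.
    param(
        [int]$Hours = 24,
        [string]$Path = 'D:\AuditExport\exchange-audit.csv'   # placeholder path
    )

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Exchange Auditing'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message -replace "`r`n", ' ' } } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Move the log file to a volume with enough free space and raise its maximum
# size. /rt:true with /ab:true keeps the SP2 default of archiving a full log
# rather than overwriting it; /ms is the maximum size in bytes (256 MB here).
# The target directory must exist before the log file is relocated.
$newLogDir = 'D:\AuditLogs'                                      # placeholder
if (-not (Test-Path $newLogDir)) { New-Item -ItemType Directory -Path $newLogDir | Out-Null }

wevtutil set-log "Exchange Auditing" /lfn:"$newLogDir\ExchangeAuditing.evtx" /ms:268435456 /rt:true /ab:true
wevtutil get-log "Exchange Auditing"     # confirm the new location and limits

Get-ExchangeAuditSummary -Hours 24
Export-ExchangeAuditEvents -Hours 24
```

Because a full log is archived rather than overwritten, the volume chosen for $newLogDir fills up over time; pair the relocation with a job that moves or deletes the archived .evtx files once they have been exported.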
What About Service Accounts?
Any organization will have service accounts with full access to the mailboxes, such as the accounts used to run backups. As these accounts are used on a daily basis, we don’t need their activity filling up our mailbox access log. To overcome this issue, SP2 extends the schema with a new right named “Bypass Auditing”. Run the following command to exclude service accounts from being audited.
Get-MailboxDatabase -Identity "server\sg\dbname" | Add-ADPermission -User "service account" -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
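Granting the bypass right creates a blind spot by design, so the list of accounts that hold it deserves the same periodic review as the audit log itself. The following added example (not part of the original article) applies the right from the command above to a list of service accounts on every mailbox database and then reports every trustee that currently bypasses auditing. The account names are placeholders.

```powershell
# Added example, not from the original article. Grants the SP2 bypass right to
# the listed service accounts on all mailbox databases and then lists every
# trustee holding that right. Account names are placeholders.

$serviceAccounts = @('DOMAIN\svc-backup', 'DOMAIN\svc-archive')   # placeholder accounts
$bypassRight     = 'ms-Exch-Store-Bypass-Access-Auditing'

function Grant-AuditBypass {
    param([string[]]$Accounts)

    foreach ($db in Get-MailboxDatabase) {
        foreach ($account in $Accounts) {
            # Same operation as the single-database command in the article,
            # repeated for every database so new databases are not missed.
            $db | Add-ADPermission -User $account -ExtendedRights $bypassRight `
                -InheritanceType All | Out-Null
            Write-Host "Granted bypass on '$($db.Identity)' to $account"
        }
    }
}

function Get-AuditBypassHolders {
    # Every Allow ACE carrying the bypass right, per database. Anything on this
    # list that is not a known service account is invisible to mailbox access
    # auditing and should be investigated.
    foreach ($db in Get-MailboxDatabase) {
        Get-ADPermission -Identity $db.Identity |
            Where-Object {
                -not $_.Deny -and
                @($_.ExtendedRights | Where-Object { "$_" -eq $bypassRight }).Count -gt 0
            } |
            Select-Object @{ n = 'Database'; e = { $db.Identity } },
                          User, IsInherited
    }
}

Grant-AuditBypass -Accounts $serviceAccounts

# Compare the holders against the approved list and flag the rest.
Get-AuditBypassHolders |
    Where-Object { $serviceAccounts -notcontains "$($_.User)" } |
    Format-Table -AutoSize
```

Removing the right again is the mirror image of the grant: pipe the database to Remove-ADPermission with the same -User and -ExtendedRights arguments.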