Exchange 2010 SP1 Mailbox Access Auditing Part III

  In this article we’ll continue to study mailbox access auditing for delegate access. I’ll set up auditing for MovedToDeletedItems and SoftDelete actions and try to find the corresponding information in the audit logs.
For instance, I want to know when a message is deleted from User2’s mailbox while User2’s mailbox is open by User1. Let’s repeat all necessary steps described in Part I from the beginning:
1) In Exchange Management Console we give User1 Full Access permission on User2’s mailbox:
2) …then turn on mailbox access auditing for User2’s mailbox:
Set-Mailbox -Identity User2 -AuditEnabled $true
3) …and check whether mailbox access auditing is turned on:
Get-Mailbox User2 |FL *audit*

4) As the MoveToDeletedItems action is not audited by default for delegate access, we have to add it manually:

Set-Mailbox -Identity User2 -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,Create -AuditEnabled $true

Get-Mailbox User2 |FL *audit*

5) Again, I log on to User2’s mailbox as User1 – User2’s mailbox will be added automatically. Then, I delete a message from User2’s Inbox folder:

6) As we can see the deleted message was moved to User1’s DeletedItems folder:

7) Let’s find the corresponding information in the audit log:

Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 6/28/2012 -EndDate 6/28/2012 -ResultSize 2000

The only useful piece of information here is when User2’s mailbox was last accessed, so let’s add the -ShowDetails switch:

The same problem – the audit search output is empty.
Here is the first Exchange 2010 audit issue:
MS confirmed this to be a bug! It will be corrected in SP2 Rollup 4.
So MS released a feature that is not fully operational out of the box, even though the auditing capabilities were first introduced in Exchange Server 2010 SP1.
Let’s generate the audit report in ECP:

Here we can see what (“Audit Test 2” item), from what mailbox (User2’s) and by whom (User1) was deleted. Pay attention to the operation which was registered in the log – ‘Soft-delete’.
Please note that 6/28/2012 1:28 PM has turned into 6/29/2012 12:28 AM because I changed the Time Zone between taking these screenshots.
8) Now I’ll drag the e-mail message titled “Audit Test1” with the mouse into User2’s DeletedItems folder and generate the audit report in ECP:
9) … and check the audit log once again:

Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 6/28/2012 -EndDate 6/28/2012 -ResultSize 2000

Mailbox accessed: User2

Time: 6/29/2012 3:53 AM
Performed by: User1
Signed in as: User with delegate access
Operation: Create
Subject: Audit Test1
Folder: Inbox
Status: Succeeded
  • This log record was generated because we enabled auditing of the “Create” operation.
Time: 6/29/2012 3:53 AM
Performed by: User1
Signed in as: User with delegate access
Operation: Soft-delete
Subject: Audit Test1
Source: Deleted Items
Status: Succeeded
Now pay attention to the operation being registered: it’s SoftDelete, although according to the MS documentation (“MoveToDeletedItems: An item is moved to the Deleted Items folder.”) it should be MoveToDeletedItems!

This is probably the second bug in Exchange auditing.
10) While I was finishing my tests I wanted to repeat all necessary steps to reproduce the aforementioned bugs but discovered a brand-new one.
Here are my steps and the corresponding screenshots:
  1. While logged on to User2’s mailbox as User1 I MOVED (by the mouse) the “Audit Test1” message from User2’s Inbox folder to User2’s DeletedItems folder. At least the “Create” and “MoveToDeletedItems” operations should be recorded in User2’s audit log.
  2. Checked whether mailbox access audit is turned on
  3. Searched through the User2’s audit log

No record was logged! I’m completely lost for words…

The only thing I know for sure is that I won’t use such auditing in my production environment.
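To reproduce the checks above in one pass, here is an added Exchange Management Shell script (my example, not part of the original post or a Microsoft sample). It assumes the User1/User2 mailboxes and the 6/28/2012 test window from this article, and that the MailboxAuditLogEvent properties Operation, LogonUserDisplayName, ItemSubject, FolderPathName, OperationResult and LastAccessed are populated when -ShowDetails is used.

```powershell
# Constructed example: enable delegate auditing, then report which operations
# actually reached the mailbox audit log for a delegate during a test window.
$Mailbox  = 'User2'          # audited mailbox (assumption: names from the post)
$Delegate = 'User1'          # delegate with Full Access
$Start    = [datetime]'6/28/2012'
$End      = [datetime]'6/29/2012'   # EndDate is exclusive of later times, so use the next day

# 1) Delegate auditing: MoveToDeletedItems is not in the default set and must be listed.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,Create

# 2) Confirm the setting took effect before trusting any search result.
$cfg = Get-Mailbox -Identity $Mailbox
if (-not $cfg.AuditEnabled) { throw "Auditing is still disabled for $Mailbox" }
"AuditDelegate now: $($cfg.AuditDelegate -join ',')"

# 3) Without -ShowDetails only LastAccessed is returned; with it each event is listed.
$events = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate `
    -StartDate $Start -EndDate $End -ShowDetails -ResultSize 2000 |
    Where-Object { $_.LogonUserDisplayName -like "*$Delegate*" }

if (-not $events) {
    # This is the empty result the post describes; note it rather than assume "no activity".
    Write-Warning "No delegate events for $Delegate in $Mailbox between $Start and $End"
    return
}

# 4) Count operations so the gap between what was done and what was logged is visible.
$events | Group-Object Operation | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 5) Flag deletions recorded as SoftDelete even though the item sits in Deleted Items,
#    i.e. the case the post expected to be logged as MoveToDeletedItems.
$events |
    Where-Object { $_.Operation -eq 'SoftDelete' -and $_.FolderPathName -match 'Deleted Items' } |
    ForEach-Object {
        "{0:u}  {1,-12}  '{2}'  folder={3}  result={4}" -f `
            $_.LastAccessed, $_.Operation, $_.ItemSubject, $_.FolderPathName, $_.OperationResult
    }
```

Run it once before and once after each test action so the per-operation counts show exactly which of Create, MoveToDeletedItems and SoftDelete the server recorded.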


3 responses

  1. Did you ever get this to work? I am on SP3 and every time I try to do a search it just goes to a fresh line like your screenshot shows. Also, my searches on ECP don’t show ANYTHING.

    1. Hello Ben,
      No, I didn’t. Some bugs transit even from one version to another (for example, from 2010 to 2013), not just from one rollup/fix to another…

  2. After checking out a handful of the blog posts on your site, I seriously
    like your technique of blogging. I saved it to my bookmark website list and will
    be checking back in the near future. Please visit
    my web site too and tell me how you feel.
