Exchange 2010 SP1 Mailbox Access Auditing Part III

In this article we’ll continue to study mailbox access auditing for delegate access. I’ll set up auditing for the MoveToDeletedItems and SoftDelete actions and try to find the corresponding information in the audit logs.
For instance, I want to know when a message is deleted from User2’s mailbox while User2’s mailbox is open by User1. Let’s repeat all necessary steps described in Part I from the beginning:
1) In Exchange Management Console we give User1 Full Access permission on User2’s mailbox:
2) …then turn on mailbox access auditing for User2’s mailbox:
Set-Mailbox -Identity User2 -AuditEnabled $true
3) …and check whether mailbox access auditing is turned on:
Get-Mailbox User2 |FL *audit*

4) As the MoveToDeletedItems action is not audited by default for delegate access, we should add it manually:

Set-Mailbox -Identity User2 -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,Create -AuditEnabled $true

Get-Mailbox User2 |FL *audit*

5) Again, I log on to User2’s mailbox as User1 – User2’s mailbox will be added automatically. Then, I delete a message from User2’s Inbox folder:

6) As we can see the deleted message was moved to User1’s DeletedItems folder:

7) Let’s find the corresponding information in the audit log:

Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 6/28/2012 -EndDate 6/28/2012 -ResultSize 2000

The only useful piece of information here is when User2’s mailbox was last accessed, so let’s add the -ShowDetails switch:

The same problem – the audit search output is empty.
Here is the first Exchange 2010 audit issue:
MS confirmed this to be a bug! It will be corrected in SP2 Rollup 4.
So MS released a feature that is not fully operational out of the box, because the auditing capabilities were first introduced in Exchange Server 2010 SP1.
Let’s generate the audit report in ECP:

Here we can see what (“Audit Test 2” item), from what mailbox (User2’s) and by whom (User1) was deleted. Pay attention to the operation which was registered in the log – ‘Soft-delete’.
Please note that 6/28/2012 1.28 PM has turned into 6/29/2012 12:28 AM because I changed the Time Zone between taking these screenshots.
8) Now I’ll drag the e-mail message titled “Audit Test1” with the mouse into User2’s DeletedItems folder and generate the audit report in ECP:
9) … and check the audit log once again:

Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 6/28/2012 -EndDate 6/28/2012 -ResultSize 2000

Mailbox accessed: User2

Time: 6/29/2012 3:53 AM
Performed by: User1
Signed in as: User with delegate access
Operation: Create
Subject: Audit Test1
Folder: Inbox
Status: Succeeded
  • This log record was generated because we enabled auditing of the “Create” operation.
Time: 6/29/2012 3:53 AM
Performed by: User1
Signed in as: User with delegate access
Operation: Soft-delete
Subject: Audit Test1
Source: Deleted Items
Status: Succeeded
Now pay attention to the operation being registered: it’s SoftDelete, although according to the MS documentation (http://technet.microsoft.com/en-us/library/ff459237.aspx?ppud=4: “MoveToDeletedItems: An item is moved to the Deleted Items folder.”) it should be MoveToDeletedItems!

This is probably the second bug in Exchange auditing.
10) While I was finishing my tests I wanted to repeat all the steps necessary to reproduce the aforementioned bugs, but discovered a brand-new one.
Here are my steps and the corresponding screenshots:
  1. While logged on to User2’s mailbox as User1, I MOVED (with the mouse) the “Audit Test1” message from User2’s Inbox folder to User2’s DeletedItems folder. At least the “Create” and “MoveToDeletedItems” operations should be recorded in User2’s audit log.
  2. Checked whether mailbox access auditing is turned on
  3. Searched through User2’s audit log

No record was logged! I’m completely lost for words…

The only thing I really know is that I won’t use such auditing in my production environment.
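
A repeatable version of the checks in steps 2 to 10, as an added example that is not part of the original article: it confirms the AuditDelegate settings, searches User2’s delegate entries with -ShowDetails, and warns when an audited operation has no entry in the window. The variable names, the list of expected operations and the explicit one-day window are assumptions made for illustration.

```powershell
# Added example (not the author's code). Run in the Exchange Management Shell.
# $Mailbox, $Expected and the search window are assumptions for illustration.
$Mailbox  = 'User2'
$Expected = 'Create', 'MoveToDeletedItems', 'SoftDelete'

# A bare date converts to 12:00 AM of that day, so give the window an explicit end.
$Start = [datetime]'6/28/2012'
$End   = $Start.AddDays(1)

# 1. Confirm the configuration set up in steps 2 to 4.
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "Auditing is disabled on $Mailbox"
}
# Normalise AuditDelegate to plain strings (local and remote sessions differ).
$configured = @(($mbx.AuditDelegate -join ',') -split '\s*,\s*' | Where-Object { $_ })
$notAudited = @($Expected | Where-Object { $configured -notcontains $_ })
if ($notAudited) {
    Write-Warning "Not in AuditDelegate: $($notAudited -join ', ')"
}

# 2. Pull the detailed delegate entries for the window.
$entries = @(Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate `
    -StartDate $Start -EndDate $End -ShowDetails -ResultSize 2000)

# 3. Summarise what was logged, per operation and per entry.
$entries | Group-Object Operation | Sort-Object Name |
    Format-Table Name, Count -AutoSize
$entries | Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonUserDisplayName, Operation, OperationResult -AutoSize

# 4. Flag operations that are audited but produced no entry (the step 10 symptom).
$seen = @($entries | ForEach-Object { "$($_.Operation)" } | Select-Object -Unique)
foreach ($op in $Expected) {
    if ($configured -contains $op -and $seen -notcontains $op) {
        Write-Warning "'$op' is audited but has no delegate entry in the window"
    }
}
```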

2 responses

  1. Michael – excellent article thank you.
    Did you test to see if MS fixed these bugs in SP2?
    Do you know of other reported bugs in mailbox audit reports?
    Thanks

    1. Hello Tester!

      Thank you so much for your comment!
      Unfortunately I did not test SP2 Rollup 4 – by the time I was writing “Exchange 2010 SP1 Mailbox Access Auditing Part III” I had been fed up with MS Exchange auditing capabilities and been sure I wouldn’t rely on it in a production environment. Now I’m going to do the same test in Exchange 2013, but if I have time I’ll try to do it in Exchange 2012 SP2 Rollup4 too.

      Please feel free to contact me should you have any questions.
      michael_firsov@mail.ru
