Exchange 2013 Mailbox Auditing Part I

Since the release of MS Exchange Server 2013 I have wanted to repeat the tests I described in my series of articles on mailbox auditing in Exchange 2010 SP1. Here is the new version of Mailbox Auditing Part I, written for Exchange Server 2013. We’ll walk through the same steps as in the article on Exchange Server 2010 SP1 and see whether there is any difference between the results I got in Exchange Server 2010 SP1 and in Exchange Server 2013. The full version of the Exchange 2010 SP1 Mailbox Auditing Part I can be found here: https://michaelfirsov.wordpress.com/2012/06/16/exchange-2010-mailbox-access-auditing-part-i/

1) In Exchange Management Console we give User1 Full Access permission to User2’s mailbox:


2) …then turn on mailbox access audit for User2’s mailbox:
Set-Mailbox -Identity User2 -AuditEnabled $true
3) …and check whether mailbox access auditing is turned on:
Get-Mailbox User2 |FL *audit*
4) Pay close attention to which actions are audited by default. As we’re going to use delegate access, note that the Update, SoftDelete, HardDelete, SendAs and Create actions are audited by default once mailbox access auditing is enabled for a particular mailbox. So to be able to audit access to User2’s mailbox we must add the FolderBind action to the list of already audited actions:

Set-Mailbox -Identity User2 -AuditDelegate Update,SoftDelete,HardDelete,SendAs,Create,FolderBind -AuditEnabled $true
and check they have been applied correctly:
Get-Mailbox User2 |FL *audit*
5) Now let’s start Outlook and log on to User1’s mailbox. Outlook will automatically open User2’s mailbox as an additional mailbox for User1:
[Screenshot of the Outlook window]
Attention! As you can see, this screenshot displays the Administrator’s profile with User1’s additional mailbox (which in turn has Full Control permission on User2’s mailbox): I was unable to create a separate profile for User1. You can read about it here: http://social.technet.microsoft.com/Forums/en-US/2ed31557-a2dc-413d-9e5a-f60c8ca435ae/cant-create-profile-in-outlook-2013
For our test we can assume we’re using a User1 profile, because we will audit only User1’s access to User2’s mailbox.
5) Now let’s check whether any log records were generated when Outlook was started:
Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 7/1/2013 -EndDate 7/6/2013 -ResultSize 2000

Yes, here we can see a brief description of the fact that someone accessed User2’s mailbox. As our goal is to get all available information about delegate access to User2’s mailbox, we should add -ShowDetails to the previous command:

6) Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 7/1/2013 -EndDate 7/6/2013 -ResultSize 2000 -ShowDetails


Yes, it works! It did not work in my previous test for Exchange 2010 SP1 (https://michaelfirsov.wordpress.com/wp-admin/post.php?post=129&action=edit)

Nevertheless, let’s see how we can get this information in the ECP:

Log in to the ECP with an account that is a member of the Exchange Organization Management group or the Records Management group (for instance, the Administrator account) and click “Run a non-owner mailbox access report”:
Please also pay attention to the number of “Open folder” operations per single audit event: EACH mailbox folder was accessed during the logon to the mailbox. Furthermore, during the test I ran Outlook several times but there’s only one audit event: this is due to the consolidation of actions performed by delegates, as described here: http://technet.microsoft.com/en-us/library/ff459237.aspx
“** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours.”
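
An added example (not part of the original article) that condenses the detailed entries from step 6 into one row per delegate and operation. The function name Get-DelegateAccessSummary and the sample records are constructed for illustration; the property names are those of the -ShowDetails output.

```powershell
# Added example, not from the original article.
# Summarizes Search-MailboxAuditLog -ShowDetails entries per delegate and operation.
function Get-DelegateAccessSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Entry
    )
    begin   { $all = New-Object System.Collections.ArrayList }
    process { foreach ($e in $Entry) { [void]$all.Add($e) } }
    end {
        $all |
            Where-Object { $_.LogonType -eq 'Delegate' -and $_.OperationResult -eq 'Succeeded' } |
            Group-Object -Property LogonUserDisplayName, Operation |
            ForEach-Object {
                $times = @($_.Group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object)
                [pscustomobject]@{
                    Delegate  = $_.Group[0].LogonUserDisplayName
                    Operation = $_.Group[0].Operation
                    # Number of audit records, not of logons: delegate FolderBind
                    # records are consolidated per folder within three hours.
                    Entries   = $_.Count
                    Folders   = @($_.Group | ForEach-Object { $_.FolderPathName } |
                                  Where-Object { $_ } | Sort-Object -Unique)
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
            }
    }
}

# Constructed sample records (hypothetical values, real property names).
$sample = @(
    [pscustomobject]@{ LogonType = 'Delegate'; LogonUserDisplayName = 'User1'; Operation = 'FolderBind'
                       OperationResult = 'Succeeded'; FolderPathName = '\Inbox'; LastAccessed = '2013-07-05T09:12:00' }
    [pscustomobject]@{ LogonType = 'Delegate'; LogonUserDisplayName = 'User1'; Operation = 'FolderBind'
                       OperationResult = 'Succeeded'; FolderPathName = '\Calendar'; LastAccessed = '2013-07-05T09:12:04' }
    [pscustomobject]@{ LogonType = 'Owner'; LogonUserDisplayName = 'User2'; Operation = 'Update'
                       OperationResult = 'Succeeded'; FolderPathName = '\Inbox'; LastAccessed = '2013-07-05T10:01:00' }
)
$sample | Get-DelegateAccessSummary | Format-List

# Against a live mailbox, using the command from step 6:
# Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 7/1/2013 -EndDate 7/6/2013 -ResultSize 2000 -ShowDetails | Get-DelegateAccessSummary
```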

Summary

In this article we explored MS Exchange Server 2013 audit capabilities in regard to the delegate access: both the Exchange PowerShell cmdlet (unlike in my previous test with Exchange Server 2010 SP1) and the ECP display the correct results.

5 responses

  1. Thanks for sharing useful information about Exchange Mailbox Auditing on Exchange server, I already tried this tool from http://www.mailboxaccessauditing.com. It helps to track who is accessing other mailbox and generate report on all changes for a specified period.

    1. Nick, thank you very much!
      And thank you for sharing information on this tool – I did not know about it yet.

      Regards,
      Michael

  2. Hi,
    I have a user who is complaining about items mysteriously moving from his inbox. We can typically find these items in other subfolders. He suspects his secretary who has full access to his mailbox. His secretary suggests it’s him (or maybe he is doing it accidentally via his iPhone).

    Since enabling auditing he contacted me yesterday with an example of a message that was moved. I could not find any reference to this being moved by the secretary. However, there were references to other messages she had knowingly moved.

    My question is can I audit the owner of the mailbox? To prove that the user himself is moving these emails. The options for auditing seem to cover only non-owners, external users and administrators.

    Thanks.

    1. Hi MiYo,
      Yes, you can audit the owner, you just can’t use UAC (use EMS instead) to search the log as it provides only Non-Owner reports:

      Set-Mailbox -Identity "Ben Smith" -AuditOwner SoftDelete,HardDelete,MoveToDeletedItems -AuditEnabled $true

      Search-MailboxAuditLog -Identity "Ben Smith" -LogonTypes Owner -StartDate 1/1/2012 -EndDate 12/31/2012 -ResultSize 2000 -ShowDetails

      http://technet.microsoft.com/en-us/library/ff461937%28v=exchg.150%29.aspx
      http://technet.microsoft.com/en-us/library/ff459237%28v=exchg.150%29.aspx

      You can also read this post:
      http://exchangeserverpro.com/tracking-mailbox-owner-deletes-using-mailbox-audit-logging/

      Regards,
      Michael
