How to identify who accessed mailboxes in Exchange 2010

Introduction

In large organizations mailboxes may be accessed by a number of people besides their owners, including delegates and administrators. Because of this, mailbox access needs to be audited properly in order to defend against the misuse of critical information. Mailbox audit logging (available from Exchange 2010 SP1 onwards) helps to track mailbox access and meet regulatory compliance mandates. Below are the steps you need to take to audit mailbox access:

Step 1 – To check whether mailbox audit logging is enabled

To verify whether auditing is enabled on a mailbox, run:

Get-Mailbox -Identity <mailbox name> | Format-List *audit*

Note: Mailbox auditing on mailboxes is disabled by default.

For example:

Get-Mailbox -Identity TestUser1 | Format-List *audit*

Step 2 – To enable mailbox audit logging for a mailbox

To enable mailbox audit logging, run the command in the following syntax in Exchange Management Shell:

Set-Mailbox -Identity "<mailbox name>" -AuditEnabled $True

Note: The audit logs are stored for 90 days by default.

For example:

Set-Mailbox -Identity "TestUser5" -AuditEnabled $True

Step 3 – To enable mailbox audit logging for specified users and specified operations

To enable mailbox auditing for specified operations by the administrator, delegates or owner, use the following syntax:

Set-Mailbox -Identity "<mailbox name>" -AuditAdmin <operation1>, <operation2> -AuditEnabled $True

Set-Mailbox -Identity "<mailbox name>" -AuditDelegate <operation1>, <operation2> -AuditEnabled $True

Set-Mailbox -Identity "<mailbox name>" -AuditOwner <operation1>, <operation2> -AuditEnabled $True

For example:

Set-Mailbox -Identity "TestUser3" -AuditAdmin HardDelete, SoftDelete -AuditEnabled $True
Set-Mailbox -Identity "TestUser3" -AuditDelegate SendAs, SendOnBehalf -AuditEnabled $True
Set-Mailbox -Identity "TestUser3" -AuditOwner MoveToDeletedItems -AuditEnabled $True

Step 4 – To view the mailbox audit log data (for a single mailbox)

To view the mailbox audit log data, run:

Search-MailboxAuditLog -Identity <mailbox name> -LogonTypes <Admin, Delegate> -ShowDetails -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -ResultSize <size>

For example:

Search-MailboxAuditLog -Identity TestUser5 -LogonTypes Admin, Delegate -ShowDetails -StartDate 09/01/2016 -EndDate 09/06/2016 -ResultSize 1

Step 5 – To get the audit log data by email (as XML file) for one or more mailboxes

To get the audit log data by email (as XML file) for one or more mailboxes, run:

New-MailboxAuditLogSearch -Mailboxes "<mailbox1 name>", "<mailbox2 name>" -LogonTypes <Admin, Delegate> -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -StatusMailRecipients "<email id>" -ShowDetails

For example:

New-MailboxAuditLogSearch -Mailboxes "TestUser5" -LogonTypes Admin, Delegate -StartDate 09/01/2016 -EndDate 09/06/2016 -StatusMailRecipients administrator@www.vdoc.com -ShowDetails

Step 6 – To disable mailbox auditing

To disable mailbox auditing, use:

Set-Mailbox -Identity "<mailbox name>" -AuditEnabled $false

For example:

Set-Mailbox -Identity "TestUser1" -AuditEnabled $false
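The steps above run end to end as one Exchange Management Shell script, as an added example that is not part of the original post: it enables auditing with an explicit operation set on several mailboxes, then pulls the non-owner access records for the last week into a readable report. The mailbox names, the 180-day retention value, the report path and the flagged-operation list are assumptions; the record property names are those returned by Search-MailboxAuditLog.

```powershell
# Added example, not from the original post. Mailbox names, retention period,
# report path and the flagged-operation list are assumptions for illustration.

$Mailboxes  = 'TestUser1', 'TestUser3', 'TestUser5'   # assumed mailbox names
$ReportPath = 'C:\AuditReports\MailboxAccess.csv'    # assumed output location
$Since      = (Get-Date).AddDays(-7)                 # review the last 7 days

foreach ($Mailbox in $Mailboxes) {
    # Enable auditing with an explicit operation set rather than the defaults.
    # Admins and delegates are logged broadly; owner logging is kept to deletions
    # so the log stays small. Retention is raised from the 90-day default.
    Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
        -AuditAdmin    Copy, Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update `
        -AuditDelegate Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update `
        -AuditOwner    HardDelete, SoftDelete, MoveToDeletedItems `
        -AuditLogAgeLimit '180.00:00:00'
}

# Collect non-owner access for every mailbox in the window and keep the
# columns an analyst reads first (properties of the Search-MailboxAuditLog records).
$Records = foreach ($Mailbox in $Mailboxes) {
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin, Delegate `
        -ShowDetails -StartDate $Since -EndDate (Get-Date) -ResultSize 5000 |
        Select-Object MailboxResolvedOwner, LastAccessed, LogonType, LogonUserDisplayName,
                      Operation, OperationResult, FolderPathName, ItemSubject,
                      ClientIPAddress, ClientInfoString, ExternalAccess
}

# Flag the actions that most often indicate misuse of a delegated or
# administrative mailbox right (list is an assumption; tune it per policy).
# -contains rather than -in keeps this working on the PowerShell 2.0 that
# ships with the Exchange 2010 Management Shell.
$FlaggedOperations = 'SendAs', 'SendOnBehalf', 'HardDelete'
$Suspicious = $Records | Where-Object { $FlaggedOperations -contains $_.Operation }

# Full record set to CSV for retention; flagged entries to the console.
$Records | Sort-Object LastAccessed | Export-Csv -Path $ReportPath -NoTypeInformation
$Suspicious | Format-Table LastAccessed, MailboxResolvedOwner, LogonUserDisplayName,
                           Operation, FolderPathName, ItemSubject -AutoSize
```

The CSV gives the reviewer one sortable sheet per run; a flagged SendAs or HardDelete by an account other than the owner is the row to follow up on first.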

Conclusion:

From a security and compliance standpoint, it's important for organizations to track who accesses mailboxes and what actions they take once inside. From Exchange 2010 SP1 onwards, Microsoft Exchange provides a mailbox auditing facility that makes this possible. However, it can be time consuming and the reports generated are not very user friendly. Automated Exchange auditing solutions, like LepideAuditor for Exchange Server, provide more detailed and easy-to-read mailbox access reports to help organizations meet regulatory compliance challenges.

Author:
Ajit Singh is associated with Lepide Software as a Manager – Marketing Operations. Lepide Software provides solutions for change auditing and compliance, server migration and Exchange recovery.
