Wednesday 4 March 2015

Auditing Mailbox Access in Exchange 2013

Mailbox audit logging allows us to capture changes made to a mailbox with varying levels of granularity. For example, you might want to be able to tell who deleted a specific piece of mail from a shared inbox.

Auditing is enabled on a per-mailbox basis and the audit entries are stored in the mailbox's "Recoverable Items" folder under "Audits". They can be accessed via EMS or ECP.

There are three types of logging:
- "Administrative", which records events such as the movement of mailboxes, import and export of PSTs and so on.
- "Owner", which records events invoked by the owner of the mailbox - for example deleting an item from the mailbox.
- "Delegates", which records the events of users who have "Send As" or "Full Access" permissions to the mailbox.

In order to enable auditing on a mailbox we can use EMS:
Set-Mailbox user1 -AuditEnabled $true
We can then choose, per log type (Administrative, Owner, Delegates), exactly which actions we want to record. The following actions are available, although not all of them apply to every log type:
Copy, Create, FolderBind, HardDelete, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update.
For this example we will enable "Move" and "Copy" events on the Administrative audit type (i.e. any administrator who moves or copies the user's mail will be logged):
Set-Mailbox -Identity "Joe Bloggs" -AuditAdmin Move,Copy

** NOTE: In order for an administrator to review the audit logs they MUST be a member of the Records Management security group as well as the Organization Management group. **

We can confirm the audit settings for a user's mailbox with EMS:
Get-Mailbox user1 | FL Name, Audit*

You can also use EMC to search the audit logs, but for simplicity's sake we can use ECP by going to:
"Compliance Management" >> "Auditing" >> "Export mailbox audit logs"
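Putting the steps above together from EMS, as an added example that is not part of the original post: it enables auditing on a mailbox, records the actions discussed for each log type, confirms the settings, and then pulls the admin and delegate entries with Search-MailboxAuditLog rather than the ECP export. The mailbox name "user1", the 7-day window and the 180-day retention are assumptions for the example.

```powershell
# Added example (not from the original post). Assumes an Exchange 2013 EMS
# session, a mailbox named user1, and an account that holds the Records
# Management role required to read audit logs.
$Mailbox = "user1"

# Turn on auditing and choose which actions to record for each logon type.
# Owner auditing is the noisiest, so only hard deletes are captured for the
# owner here. MessageBind is only valid for the Admin type.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditAdmin Move,Copy,MessageBind,HardDelete `
    -AuditDelegate SendAs,SendOnBehalf,HardDelete,SoftDelete `
    -AuditOwner HardDelete `
    -AuditLogAgeLimit 180.00:00:00   # keep entries 180 days (default is 90)

# Confirm what is now being audited on the mailbox.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner, AuditLogAgeLimit

# Review the last 7 days of administrator and delegate activity.
# -ShowDetails returns one row per audited action instead of a summary count.
$Entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -ShowDetails -ResultSize 1000

# Who did what, to which item, from where - newest entries first.
$Entries |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
                  OperationResult, ItemSubject, FolderPathName, ClientIPAddress |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize
```

Filter the output on Operation (for example Move or Copy) to answer the "who moved this message" question the post opens with.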
