Exchange 2013 Brief – Mailbox Audit Logging

by | Dec 1, 2012 | Exchange Briefs | 1 comment

Executive Overview

Due to the wide-spread prevalence of e-mail and the potential that e-mails contain sensitive information that may be of high impact to a business or contain personal information, there is a need for many IT departments to be able to track access to mailboxes. Mailbox audit logging enables an organization to identify mailbox access by mailbox owners, delegates and administrators.

Notable Features

  • Mailbox Audit Logon Types
  • Mailbox Audit Log

Architecture/Components

  • Mailbox Audit Logon Types: In Exchange 2013, you can distinguish between three classes of users when they access a mailbox. These classes are:
    • Mailbox Owners: The account designated to access the mailbox. (Primarily Users)
    • Mailbox Delegates: Alternate accounts that have been granted permissions to access a mailbox
    • Administrators: Administrators typically access an account during the following three instances: Firstly, when In-Place eDiscovery is used to search a mailbox. Secondly, when the New-MailboxExportRequest cmdlet is used to export a mailbox; and Thirdly, the Microsoft Exchange Server MAPI Editor is used to access a mailbox.
  • Mailbox Audit Logs: Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are retained in the mailbox by default for 90 days in the Audits subfolder of the audited mailboxRecoverable Items folder. Mailbox Audit logs allow you to specific what types of important information should be logged for a specific logon type. These include:
    • User Actions (Accessing, copying, creating, moving or deleting a message)
    • Performing SendAs or SendOnBehalf actions
    • Reading or previewing a message
    • Client IP adress
    • Client Host name
    • Process that client used to access the mailbox

Common Administrative Tasks

  1. Enabling or Disabling Mailbox Audit Logging: via EAC or PowerShell
    Set-Mailbox -Identity “Road Chimp” -AuditEnabled $true to enable &
    Set-Mailbox -Identity “Road Chimp” -AuditEnabled $false to disable
  2. Enabling/Disabling Mailbox Audit Logging for various logon types:
    Set-Mailbox -Identity “Road Chimp” -AuditOwner or
    Set-Mailbox -Identity “Road Chimp”     -AuditDelegate or
    Set-Mailbox -Identity “Road Chimp” -AuditAdmin
  3. Verify Mailbox Audit Logging was configured: via Powershell
    Get-Mailbox “Road Chimp | Format-List *audit*
  4. Create a Mailbox Audit Log Search: via EAC or PowerShell
    New-MailboxAuditLogSearch “Admin and Delegate Access” -Mailboxes “Road Chimp”,”Chief Peeler” -LogonTypes Admin,Delegate -StartDate 1/1/2012 -EndDate 12/01/2012 -StatusMailRecipients “auditors@chimpcorp.com”
  5. Searching Mailbox Audit Log for a specific search term: via EAC or PowerShell
    Search-MailboxAuditLog -Identity “Road Chimp” -LogonTypes Admin,Delegate -StartDate 1/1/2012 -EndDate 12/31/2012 -ResultSize 2000
  6. Bypass a User Account from Mailbox Audit Logging: via EAC or Powershell
    Set-MailboxAuditBypassAssociation -Identity “Road Chimp” -AuditBypassEnabled $true

Top PowerShell Commands/Tools:

– Set-Mailbox -AuditEnabled
– Set-Mailbox -AuditDelegate |AuditAdmin | AuditOwner
– Get-Mailbox

References/Links

Technet: Article on Mailbox Audit Logging
Cmdlets: For Mailbox Audit Logging

1 Comment

  1. James
    James on June 23, 2014 at 11:08 am

    Thank you for good information about Mailbox Audit Logging
    . I have used this tool from http://www.lepide.com/exchange-server-audit/ to track unwanted mailbox access and make reporting, controlling all the changes. The interface of this software is easy to navigate and understand. Thanks again, i like your post. Really good work. keep it up.

    Reply

Leave a Reply to James Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.