Introduction
In large organizations mailboxes may be accessed by a number of people besides the owners – including delegates and administrators. Because of this, proper auditing of mailbox access needs to be carried out in order to defend against the misuse of critical information. Mailbox audit logging (available from Exchange 2010 SP1 onwards) helps to track mailbox access and meet regulatory compliance mandates. Below are the steps you need to take to audit mailbox access:
Step 1 – To check whether mailbox audit logging is enabled
To verify whether auditing is enabled on a mailbox, run:
Get-Mailbox -Identity <mailbox name> | Format-List *audit*
Note: Mailbox audit logging is disabled by default.
For example:
Get-Mailbox -Identity TestUser1 | Format-List *audit*
Step 2 – To enable mailbox audit logging for a mailbox
To enable mailbox audit logging, run the command in the following syntax in Exchange Management Shell:
Set-Mailbox -Identity "<mailbox name>" -AuditEnabled $True
Note: The audit logs are stored for 90 days by default.
For example:
Set-Mailbox -Identity "TestUser5" -AuditEnabled $True
Step 3 – To enable mailbox audit logging for specified users and specified operations
To enable mailbox auditing for specified operations by the administrator, delegates or owner, follow the syntax:
Set-Mailbox -Identity "<mailbox name>" -AuditAdmin <operation1>, <operation2> -AuditEnabled $True
Set-Mailbox -Identity "<mailbox name>" -AuditDelegate <operation1>, <operation2> -AuditEnabled $True
Set-Mailbox -Identity "<mailbox name>" -AuditOwner <operation1>, <operation2> -AuditEnabled $True
For example:
Set-Mailbox -Identity "TestUser3" -AuditAdmin HardDelete, SoftDelete -AuditEnabled $True
Set-Mailbox -Identity "TestUser3" -AuditDelegate SendAs, SendOnBehalf -AuditEnabled $True
Set-Mailbox -Identity "TestUser3" -AuditOwner MoveToDeletedItems -AuditEnabled $True
Step 4 – To view the mailbox audit log data (for a single mailbox)
To view the mailbox audit log data, run:
Search-MailboxAuditLog -Identity <mailbox name> -LogonTypes <Admin, Delegate> -ShowDetails -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -ResultSize <size>
For example:
Search-MailboxAuditLog -Identity TestUser5 -LogonTypes Admin, Delegate -ShowDetails -StartDate 09/01/2016 -EndDate 09/06/2016 -ResultSize 1
Step 5 – To get the audit log data by email (as XML file) for one or more mailboxes
To get the audit log data by email (as XML file) for one or more mailboxes, run:
New-MailboxAuditLogSearch -Mailboxes "<mailbox1 name>","<mailbox2 name>" -LogonTypes <Admin, Delegate> -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -StatusMailRecipients "<email id>" -ShowDetails
For example:
New-MailboxAuditLogSearch -Mailboxes "TestUser5" -LogonTypes Admin, Delegate -StartDate 09/01/2016 -EndDate 09/06/2016 -StatusMailRecipients administrator@www.vdoc.com -ShowDetails
Step 6 – To disable mailbox auditing
To disable mailbox auditing, use:
Set-Mailbox -Identity "<mailbox name>" -AuditEnabled $false
For example:
Set-Mailbox -Identity "TestUser1" -AuditEnabled $false
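The steps above can be chained into one Exchange Management Shell script that enables auditing where it is still off and then reports non-owner access for review. This is an added example, not part of the original article; the mailbox names and report path are constructed placeholders, and the operation lists and 180-day retention are assumptions you should adjust to your own policy.

```powershell
# Added example (not from the original article): enable mailbox auditing on a
# set of mailboxes and report Admin/Delegate access from the last 7 days.
# Run from Exchange Management Shell (Exchange 2010 SP1 or later).

$Mailboxes  = @("TestUser1", "TestUser3", "TestUser5")   # constructed sample list
$ReportPath = "C:\AuditReports\NonOwnerAccess.csv"        # constructed placeholder
$Days       = 7

foreach ($Name in $Mailboxes) {
    $Mbx = Get-Mailbox -Identity $Name

    # Steps 1-2: auditing is off by default, so enable it only where needed.
    if (-not $Mbx.AuditEnabled) {
        # Step 3: log destructive and impersonation-style actions by admins and
        # delegates; owner actions are noisy, so log only hard deletes.
        # Note: passing -AuditAdmin/-AuditDelegate/-AuditOwner REPLACES the
        # default operation list for that logon type, it does not append to it.
        Set-Mailbox -Identity $Name -AuditEnabled $true `
            -AuditAdmin HardDelete, SoftDelete, SendAs, SendOnBehalf `
            -AuditDelegate HardDelete, SoftDelete, SendAs, SendOnBehalf `
            -AuditOwner HardDelete `
            -AuditLogAgeLimit 180.00:00:00   # assumed policy: keep 180 days instead of the 90-day default
    }
}

# Step 4: pull Admin and Delegate logons for the window and keep only the
# fields an analyst reads when checking who touched someone else's mailbox.
$Start = (Get-Date).AddDays(-$Days)
$End   = Get-Date

$Events = foreach ($Name in $Mailboxes) {
    Search-MailboxAuditLog -Identity $Name -LogonTypes Admin, Delegate -ShowDetails `
        -StartDate $Start -EndDate $End -ResultSize 5000 |
        Select-Object @{ n = "Mailbox"; e = { $Name } },
                      LastAccessed, LogonType, LogonUserDisplayName, Operation,
                      OperationResult, ItemSubject, FolderPathName,
                      ClientInfoString, ClientIPAddress
}

# Summarise first (who performed how much of which operation), then export
# the full detail so the review can be kept as evidence.
$Events | Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$Events | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
```

Events whose LogonUserDisplayName is not an expected administrator or delegate, or whose ClientInfoString shows an unfamiliar client, are the ones to follow up on first.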
Conclusion:
From a security and compliance standpoint, it’s important for organizations to track who accesses mailboxes and what actions they take once inside. From 2010 SP1 onwards, Microsoft Exchange provides a mailbox auditing facility that makes this possible. However, it can be time consuming and the reports generated are not very user friendly. Automated Exchange auditing solutions, like LepideAuditor for Exchange Server, provide more detailed and easy-to-read mailbox access reports to help organizations easily meet regulatory compliance challenges.
Author:
Ajit Singh is associated with Lepide Software as a Manager – Marketing Operations. Lepide Software provides solutions for change auditing and compliance, server migration and Exchange recovery.