MOPSC

asked on

How to monitor Exchange logins/access by Administrators

We currently run 1 Exchange 2007 server, with approximately 200 people in an Active Directory domain. One of our directors is wanting a list of who has accessed his email account in the past month and I'm not sure how to give him that report. End users can't access each other's accounts obviously, only 3 of us here can because of Administrative rights for the network, but I'd still like to be able to run a report/script/something that shows him who has (or better yet, has not) accessed his email account. Does anyone know of a tool or script out there that can run a check against Exchange (or Event log) that can give me this detailed info? Be nice to know that "User1 has accessed User2 Exchange account on Tuesday, 4/28/09 7:34:01" or something like that. Thanks for your help!
tigermatt


The only way you can do that is if you have configured auditing in Exchange beforehand. It cannot be enabled now and then a retrospective search performed back to before it was enabled.

The Set-EventLogLevel cmdlet is the one you need to use at the Exchange Management Shell to enable any sort of auditing on the server. The full command would be

set-EventLogLevel -id "MSExchangeIS\9000 Private\Logons" -level low (level can be set to lowest (default), low, medium, high, expert with varying levels of data logged each time).

By enabling this, an event will be logged in the event viewer with ID 1016 which logs that a user accessed another user's mailbox. It is not, however, conclusive; if users have the ability to view another user's calendar, for instance, this will be logged as a "Mailbox Access".

Getting data out of the Event Logs is also not overly easy. It may be more appropriate, if this is very important to you, to invest in a third-party Exchange auditing package. http://www.quest.com/InTrust-Plug-in-for-Exchange/ looks like one example.

Matt
MOPSC

ASKER

The package you linked looks pretty nice, but so far looks to not support Windows 2008.  :(  As far as the Shell command goes, what type of data does each level return?  Would low tell me who accessed what and at what time?  Thanks again!

As far as I remember (can't check at the moment) the Low logging would simply log in the event viewer that User X accessed User Y's mailbox. Since it would be a standard Event Log, the standard log entry would contain the date/time of this event happening.

You can then increase the logging level until you get just the right amount of information.

-Matt
MOPSC

ASKER

Looks nice, I turned it on and it shows when I try to access another account just fine. Only issue now is I had it turned on for approximately 1 minute and got 400 events...yikes!

This is very hard to accomplish as Exchange is under the thought that it does not need to police itself from its admin. If there is an auditing concern you are probably best to look at third party tools like Stealth Audit or something. If it is a question of trust of the Exchange admin, there is a bigger issue which would need to be resolved internally. There is an event that shows a denied request to access the mailbox, but it is difficult to prove because, like the other event, a user trying to look at a calendar can get a denial.

Cheers

400 events in the space of a minute is quite unusual; was that on the 'Low' setting? Do you have a large organization with many delegates accessing other users' mailboxes?

Exchange auditing is very basic at the best of times. I'd suggest you look into a third-party product to do this sort of auditing if it is a big problem for you.

-Matt
MOPSC

ASKER

Yeah, I had it on the low setting, figured it would be a bit much to turn it up if it received that many so quick. We only have 200 users, and I'd say probably 12 or so of them access one another's mailbox. Here are a few examples of what I saw:


Process STORE.EXE (PID=2524). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC03.company.com      CDG 1 7 7 1 0 1 1 7 1
DC.company.com      CDG 1 7 7 1 0 1 1 7 1
DC08.company.com      CDG 1 7 7 1 0 1 1 7 1
 Out-of-site:

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH/cn=Microsoft System Attendant on database "First Storage Group\Mailbox Database", using administrator privileges.

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to joe.hale@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=EXCHG/cn=Recipients/cn=halej on database "First Storage Group\Mailbox Database", using administrator privileges.

Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:
RPC Operations: 20507.
Database Pages Read: 337 (of which 6 pages preread).
Database Pages Updated: 101768 (of which 96112 pages reupdated).
Database Log Records Generated: 90992.
Database Log Records Bytes Generated: 3283771.
Time in User Mode: 874 ms.
Time in Kernel Mode: 32 ms.


Anything look out of place?  Just a ton of this within that minute.
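As an added illustration, not code from this thread or from Exchange itself, the following Python takes log records in the format shown above (the sample messages here are constructed, with placeholder account and mailbox names) and pulls out only the event 1016 "is not the primary Windows account" logons that tigermatt described, dropping the NT AUTHORITY\SYSTEM service logons that make up most of the noise, to produce the "User1 accessed User2 on ..." lines the question asked for. A production version would read the Application log instead of the inline list.

```python
import re
from datetime import datetime

# Constructed sample records (timestamp, message) in the format the MSExchangeIS
# Application-log entries in the thread show; account and mailbox names are placeholders.
SAMPLE_EVENTS = [
    ("5/4/2009 2:09:01 PM",
     r"DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 "
     r'on database "First Storage Group\Mailbox Database".'),
    ("5/4/2009 2:09:02 PM",
     r"Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, "
     r"and is not the primary Windows account on this mailbox."),
    ("5/4/2009 2:09:05 PM",
     r"Windows User DOMAIN\User1 logged on to user2@company.com mailbox, "
     r"and is not the primary Windows account on this mailbox."),
    ("5/4/2009 2:09:07 PM",
     "Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:"),
    ("5/4/2009 2:09:40 PM",
     r"Windows User DOMAIN\Admin2 logged on to user3@company.com mailbox, "
     r"and is not the primary Windows account on this mailbox."),
]

# Text of the event 1016 "non-owner logon" entry; anything else (owner logons,
# AD provider discovery, content-indexing statistics) is noise for this report.
NON_OWNER_RE = re.compile(
    r"^Windows User (?P<account>.+?) logged on to (?P<mailbox>\S+) mailbox, "
    r"and is not the primary Windows account on this mailbox\.$"
)

# Service logons (System Attendant, indexing) appear as SYSTEM on every mailbox.
SERVICE_ACCOUNTS = frozenset({r"NT AUTHORITY\SYSTEM"})


def parse_non_owner_logons(events, ignore_accounts=SERVICE_ACCOUNTS):
    """Return the non-owner mailbox logons, dropping known service accounts."""
    hits = []
    for stamp, message in events:
        match = NON_OWNER_RE.match(message)
        if not match or match["account"] in ignore_accounts:
            continue
        hits.append({"time": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
                     "account": match["account"], "mailbox": match["mailbox"].lower()})
    return hits


def report_for_mailbox(events, mailbox):
    """Report lines for one mailbox. Caveat from the thread: a delegate who only
    opens the calendar produces the same event, so a hit is access, not necessarily reading mail."""
    return [f"{h['account']} accessed {h['mailbox']} on {h['time']:%A %m/%d/%Y %H:%M:%S}"
            for h in parse_non_owner_logons(events) if h["mailbox"] == mailbox.lower()]
```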

Did it happen within a minute then stop? Or kept running minute on minute?
MOPSC

ASKER

I just ran it for a minute to capture some data and then stopped it. I ran the Shell command and had the event log open at the same time, then I attempted to access someone else's mailbox. All the while I'm hitting refresh on the event log and I see it growing quick, so I ran the command again to put it back to "lowest", then sifted through the logs to find my attempt and what it showed. Just thought it was odd that there were so many. Lowest shows next to nothing and Low showed a bunch, scared to even try Medium. :P
ASKER CERTIFIED SOLUTION
tigermatt
MOPSC

ASKER

Thanks for your help, we'll look into a third-party tool to see if we can get this all monitored properly!