
How to monitor Exchange logins/access by Administrators

Posted on 2009-05-04
Last Modified: 2012-05-06
We currently run 1 Exchange 2007 server, with approximately 200 people in an Active Directory domain. One of our directors is wanting a list of who has accessed his email account in the past month and I'm not sure how to give him that report. End users can't access each others' accounts obviously, only 3 of us here that can because of Administrative rights for the network, but I'd still like to be able to run a report/script/something that shows him who has (or better yet, has not) accessed his email account. Does anyone know of a tool or script out there that can run a check against Exchange (or Event log) that can give me this detailed info? Be nice to know that "User1 has accessed User2 Exchange account on Tuesday, 4/28/09 7:34:01" or something like that. Thanks for your help!
Question by:MOPSC
11 Comments
 
LVL 58

Expert Comment

by:tigermatt

The only way you can do that is if you have configured auditing in Exchange beforehand. It cannot be enabled now and then a retrospective search performed back to before it was enabled.

The Set-EventLogLevel cmdlet is the one you need to use at the Exchange Management Shell to enable any sort of auditing on the server. The full command would be

Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Logons" -Level Low (Level can be set to Lowest (default), Low, Medium, High or Expert, with varying levels of data logged each time).

By enabling this, an event will be logged in the event viewer with ID 1016 which logs that a user accessed another user's mailbox. It is not, however, conclusive; if users have the ability to view another user's calendar, for instance, this will be logged as a "Mailbox Access".

Getting data out of the Event Logs is also not overly easy. It may be more appropriate, if this is very important to you, to invest in a third-party Exchange auditing package. http://www.quest.com/InTrust-Plug-in-for-Exchange/ looks like one example.

Matt
 

Author Comment

by:MOPSC
The package you linked looks pretty nice, but so far looks to not support Windows 2008. :( As far as the Shell command goes, what type of data does each level return? Would Low tell me who accessed what and at what time? Thanks again!
 
LVL 58

Expert Comment

by:tigermatt

As far as I remember (can't check at the moment) the Low logging would simply log in the event viewer that User X accessed User Y's mailbox. Since it would be a standard Event Log, the standard log entry would contain the date/time of this event happening.

You can then increase the logging level until you get just the right amount of information.

-Matt
 

Author Comment

by:MOPSC
Looks nice, I turned it on and it shows when I try to access another account just fine. Only issue now is I had it turned on for approximately 1 minute and got 400 events... yikes!
 
LVL 4

Expert Comment

by:BillCarlin
This is very hard to accomplish as Exchange is under the thought that it does not need to police itself from its admin. If there is an auditing concern you are probably best to look at third-party tools like Stealth Audit or something. If it is a question of trust of the Exchange admin, there is a bigger issue which would need to be resolved internally. There is an event that shows a denied request to access the mailbox, but it is difficult to prove because, like the other event, a user trying to look at a calendar can get a denial.

Cheers
 
LVL 58

Expert Comment

by:tigermatt

400 events in the space of a minute is quite unusual; was that on the 'Low' setting? Do you have a large organization with many delegates accessing other users' mailboxes?

Exchange auditing is very basic at the best of times. I'd suggest you look into a third-party product to do this sort of auditing if it is a big problem for you.

-Matt
 

Author Comment

by:MOPSC
Yeah, I had it on the Low setting; figured it would be a bit much to turn it up if it received that many so quick. We only have 200 users, and I'd say probably 12 or so of them access one another's mailbox. Here are a few examples of what I saw:


Process STORE.EXE (PID=2524). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC03.company.com      CDG 1 7 7 1 0 1 1 7 1
DC.company.com      CDG 1 7 7 1 0 1 1 7 1
DC08.company.com      CDG 1 7 7 1 0 1 1 7 1
 Out-of-site:

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH/cn=Microsoft System Attendant on database "First Storage Group\Mailbox Database", using administrator privileges.

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to joe.hale@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=EXCHG/cn=Recipients/cn=halej on database "First Storage Group\Mailbox Database", using administrator privileges.

Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:
RPC Operations: 20507.
Database Pages Read: 337 (of which 6 pages preread).
Database Pages Updated: 101768 (of which 96112 pages reupdated).
Database Log Records Generated: 90992.
Database Log Records Bytes Generated: 3283771.
Time in User Mode: 874 ms.
Time in Kernel Mode: 32 ms.


Anything look out of place? Just a ton of this within that minute.
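An added example, not code from this thread, from Microsoft or from any of the products mentioned: it reduces the Low-level MSExchangeIS logon messages quoted above to the "User1 accessed User2's mailbox at time" report the question asks for. It keeps only the "is not the primary Windows account" message (event ID 1016, per the answer above) and drops the NT AUTHORITY\SYSTEM logons (System Attendant, indexing), which is where most of the 400 events came from. The sample messages are constructed from the ones posted above; the director@company.com mailbox and the DOMAIN\Admin2 actor are invented placeholders, and the live query in the trailing comment assumes the standard Get-EventLog cmdlet against the server's Application log with MSExchangeIS as the event source.

```powershell
# Added example (not from the thread): turn MSExchangeIS logon events into
# "who opened whose mailbox, when", dropping routine service-account logons.

function Get-MailboxAccessReport {
    param(
        [object[]] $Events,                                  # objects with TimeGenerated and Message, as Get-EventLog returns
        [string[]] $IgnoreActors = @('NT AUTHORITY\SYSTEM')  # service accounts whose logons are routine noise
    )
    # Only the "is not the primary Windows account" message (ID 1016) means somebody
    # other than the owner opened the mailbox. The "logged on as ..." lines are the
    # owner's own sessions and the store's service logons, so they are skipped.
    $pattern = '^Windows User (?<actor>.+?) logged on to (?<mailbox>\S+) mailbox, and is not the primary Windows account'
    foreach ($e in $Events) {
        if (($e.Message -match $pattern) -and ($IgnoreActors -notcontains $Matches['actor'])) {
            New-Object PSObject -Property @{
                Time    = $e.TimeGenerated
                Actor   = $Matches['actor']
                Mailbox = $Matches['mailbox']
            }
        }
    }
}

# Sample events constructed from the messages quoted above (not a real export);
# director@company.com and DOMAIN\Admin2 are placeholders.
$sampleMessages = @(
    'DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".',
    'Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, and is not the primary Windows account on this mailbox.',
    'NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=EXCHG/cn=Recipients/cn=halej on database "First Storage Group\Mailbox Database", using administrator privileges.',
    'Windows User NT AUTHORITY\SYSTEM logged on to joe.hale@company.com mailbox, and is not the primary Windows account on this mailbox.',
    'Windows User DOMAIN\Admin2 logged on to director@company.com mailbox, and is not the primary Windows account on this mailbox.',
    "Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:"
)
$start = Get-Date '2009-05-04 14:09:01'
$sampleEvents = @()
for ($i = 0; $i -lt $sampleMessages.Count; $i++) {
    $sampleEvents += New-Object PSObject -Property @{
        TimeGenerated = $start.AddSeconds($i)
        Message       = $sampleMessages[$i]
    }
}

# Of the six sample messages only the DOMAIN\Admin2 -> director@company.com logon
# survives; the owner logons and the SYSTEM logons are the noise that filled the log.
Get-MailboxAccessReport -Events $sampleEvents | Select-Object Time, Actor, Mailbox | Format-Table -AutoSize

# Live use on the Exchange 2007 server, after the logging level has been raised with
#   Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Logons" -Level Low
# (assumed Get-EventLog query; MSExchangeIS as the source of event 1016):
#   $live = Get-EventLog -LogName Application -Source MSExchangeIS -After (Get-Date).AddDays(-30) |
#           Where-Object { $_.EventID -eq 1016 }
#   Get-MailboxAccessReport -Events $live | Where-Object { $_.Mailbox -eq 'director@company.com' }
```

Two limits carry over from the answers above: the report only covers the period after Set-EventLogLevel was raised, since nothing is logged retrospectively, and a delegate who merely opened the director's calendar produces the same 1016 message as someone reading his mail, so each row is a logon to confirm rather than a proven read.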
 
LVL 58

Expert Comment

by:tigermatt

Did it happen within a minute then stop? Or kept running minute on minute?
 

Author Comment

by:MOPSC
I just ran it for a minute to capture some data and then stopped it. I ran the Shell command and had the event log open at the same time, then I attempted to access someone else's mailbox. All the while I'm hitting refresh on the event log and I see it growing quick, so I ran the command again to put it back to "Lowest", then sifted through the logs to find my attempt and what it showed. Just thought it was odd that there were so many. Lowest shows next to nothing and Low showed a bunch, scared to even try Medium. :P
 
LVL 58

Accepted Solution

by:tigermatt (earned 500 total points)

If I had Exchange 2007 in the test environment I'd give it a go for you to see what the effect is. Sadly the test lab hasn't been migrated yet.

Give it a go and see if that was a one-off coincidental fluke and see if the number of events logged is a bit more normal a second time round.

If not, go down the third-party route. Exchange has never properly done any form of auditing anyway; the right third-party tool would probably give you much more granular control and make the log files much easier to search.

-Matt
 

Author Comment

by:MOPSC
Thanks for your help, we'll look into a third-party tool to see if we can get this all monitored properly!