How to monitor Exchange logins/access by Administrators

Posted on 2009-05-04
Last Modified: 2012-05-06
We currently run 1 Exchange 2007 server, with approximately 200 people in an Active Directory domain.  One of our directors is wanting a list of who has accessed his email account in the past month and I'm not sure how to give him that report.  End users can't access each other's accounts obviously; only 3 of us here can, because of administrative rights for the network, but I'd still like to be able to run a report/script/something that shows him who has (or better yet, has not) accessed his email account.  Does anyone know of a tool or script out there that can run a check against Exchange (or the Event log) that can give me this detailed info?  It'd be nice to know that "User1 has accessed User2 Exchange account on Tuesday, 4/28/09 7:34:01" or something like that.  Thanks for your help!
Question by:MOPSC
Expert Comment

by:tigermatt
ID: 24295852

The only way you can do that is if you have configured auditing in Exchange beforehand. It cannot be enabled now and then a retrospective search performed back to before it was enabled.

The Set-EventLogLevel cmdlet is the one you need to use in the Exchange Management Shell to enable any sort of auditing on the server. The full command would be

set-EventLogLevel -id "MSExchangeIS\9000 Private\Logons" -level low (level can be set to lowest (default), low, medium, high, expert with varying levels of data logged each time).

By enabling this, an event will be logged in the event viewer with ID 1016 which logs that a user accessed another user's mailbox. It is not, however, conclusive; if users have the ability to view another user's calendar, for instance, this will be logged as a "Mailbox Access".

Getting data out of the Event Logs is also not overly easy. It may be more appropriate, if this is very important to you, to invest in a third-party Exchange auditing package. http://www.quest.com/InTrust-Plug-in-for-Exchange/ looks like one example.

Matt

Author Comment

by:MOPSC
ID: 24298828
The package you linked looks pretty nice, but so far looks to not support Windows 2008.  :(  As far as the Shell command goes, what type of data does each level return?  Would low tell me who accessed what and at what time?  Thanks again!

Expert Comment

by:tigermatt
ID: 24299430

As far as I remember (can't check at the moment) the Low logging would simply log in the event viewer that User X accessed User Y's mailbox. Since it would be a standard Event Log, the standard log entry would contain the date/time of this event happening.

You can then increase the logging level until you get just the right amount of information.

-Matt

Author Comment

by:MOPSC
ID: 24299533
Looks nice, I turned it on and it shows when I try to access another account just fine.  Only issue now is I had it turned on for approximately 1 minute and got 400 events...yikes!

Expert Comment

by:BillCarlin
ID: 24299930
This is very hard to accomplish as Exchange is under the thought that it does not need to police itself from its admin.  If there is an auditing concern you are probably best to look at third-party tools like Stealth Audit or something.  If it is a question of trust of the Exchange admin, there is a bigger issue which would need to be resolved internally. There is an event that shows a denied request to access the mailbox, but it is difficult to prove because, like the other event, a user trying to look at a calendar can get a denial.

Cheers

Expert Comment

by:tigermatt
ID: 24318166

400 events in the space of a minute is quite unusual; was that on the 'Low' setting? Do you have a large organization with many delegates accessing other users' mailboxes?

Exchange auditing is very basic at the best of times. I'd suggest you look into a third-party product to do this sort of auditing if it is a big problem for you.

-Matt

Author Comment

by:MOPSC
ID: 24319984
Yeah, I had it on the low setting; figured it would be a bit much to turn it up if it received that many so quickly.  We only have 200 users, and I'd say probably 12 or so of them access one another's mailboxes.  Here are a few examples of what I saw:


Process STORE.EXE (PID=2524). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC03.company.com      CDG 1 7 7 1 0 1 1 7 1
DC.company.com      CDG 1 7 7 1 0 1 1 7 1
DC08.company.com      CDG 1 7 7 1 0 1 1 7 1
 Out-of-site:

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH/cn=Microsoft System Attendant on database "First Storage Group\Mailbox Database", using administrator privileges.

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to joe.hale@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=EXCHG/cn=Recipients/cn=halej on database "First Storage Group\Mailbox Database", using administrator privileges.

Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:
RPC Operations: 20507.
Database Pages Read: 337 (of which 6 pages preread).
Database Pages Updated: 101768 (of which 96112 pages reupdated).
Database Log Records Generated: 90992.
Database Log Records Bytes Generated: 3283771.
Time in User Mode: 874 ms.
Time in Kernel Mode: 32 ms.


Anything look out of place?  Just a ton of this within that minute.
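Putting tigermatt's Set-EventLogLevel advice (ID 24295852) together with the events pasted above, here is an added example, not code from this thread: a PowerShell script that raises the store's Logons category, then pulls the ID 1016 events for one mailbox and drops the noise MOPSC saw (the store's own NT AUTHORITY\SYSTEM logons and the non-1016 messages such as the "logged on as /O=..." lines and the Content Indexing statistics, which it does not parse). It assumes Windows PowerShell 2.0 or later for Get-EventLog's -Source and -After parameters; director@company.com, DOMAIN\Admin2 and DOMAIN\Assistant are placeholders, and the demo messages are constructed, modelled on the ones above. It can only cover the window during which the level was raised (there is no retrospective search, as Matt says), and because a delegate opening only the calendar still produces a 1016, known delegates belong in -IgnoreActors rather than being treated as suspect.

```powershell
# Added example; not code from this thread. Assumes Exchange 2007 and Windows
# PowerShell 2.0 or later (Get-EventLog -Source/-After). Mailbox and account
# names below are placeholders; the demo messages are constructed.

# Step 1, in the Exchange Management Shell: raise store logon logging for the
# window you care about, then put it back, as tigermatt describes.
#   Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Logons" -Level Low
#   ... wait for the period you want to cover ...
#   Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Logons" -Level Lowest

# Message text of event 1016, in the shape pasted in the thread.
$NonOwnerLogonPattern = '^Windows User (?<Actor>\S+) logged on to (?<Mailbox>\S+) mailbox, and is not the primary Windows account on this mailbox\.'

function ConvertFrom-NonOwnerLogon {
    # Turn one 1016 message into an object; returns $null for any other text
    # (the "logged on as /O=..." lines, Content Indexing statistics, and so on).
    param(
        [Parameter(Mandatory = $true)][string]$Message,
        [datetime]$TimeGenerated = (Get-Date)
    )
    if (-not ($Message -match $NonOwnerLogonPattern)) { return $null }
    New-Object PSObject -Property @{
        Time    = $TimeGenerated
        Actor   = $Matches['Actor']     # Windows account that opened the mailbox
        Mailbox = $Matches['Mailbox']   # SMTP address of the mailbox opened
    }
}

function Select-SuspectLogons {
    # Drop the store's own service logons and any known delegates, and
    # optionally restrict the output to one mailbox.
    param(
        [Parameter(ValueFromPipeline = $true)]$Logon,
        [string]$Mailbox,
        [string[]]$IgnoreActors = @('NT AUTHORITY\SYSTEM')
    )
    process {
        if ($Logon -eq $null) { return }
        if ($IgnoreActors -contains $Logon.Actor) { return }
        if ($Mailbox -and $Logon.Mailbox -ne $Mailbox) { return }
        $Logon
    }
}

function Get-NonOwnerMailboxLogons {
    # Step 2: read the Application log on the mailbox server for the last $Days
    # days and report who opened $Mailbox without being its owner.
    param(
        [string]$Mailbox,                 # e.g. 'director@company.com'; omit for all mailboxes
        [int]$Days = 30,
        [string[]]$IgnoreActors = @('NT AUTHORITY\SYSTEM'),
        [string]$ComputerName = '.'
    )
    Get-EventLog -LogName Application -Source MSExchangeIS -ComputerName $ComputerName -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 1016 } |
        ForEach-Object { ConvertFrom-NonOwnerLogon -Message $_.Message -TimeGenerated $_.TimeGenerated } |
        Select-SuspectLogons -Mailbox $Mailbox -IgnoreActors $IgnoreActors |
        Sort-Object Time
}

# Offline demo on constructed messages shaped like the ones pasted above.
$demo = @(
    'DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".',
    'Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, and is not the primary Windows account on this mailbox.',
    'Windows User DOMAIN\User1 logged on to director@company.com mailbox, and is not the primary Windows account on this mailbox.',
    'Windows User DOMAIN\Admin2 logged on to director@company.com mailbox, and is not the primary Windows account on this mailbox.',
    'Windows User DOMAIN\Assistant logged on to director@company.com mailbox, and is not the primary Windows account on this mailbox.',
    "Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:"
)
$demo |
    ForEach-Object { ConvertFrom-NonOwnerLogon -Message $_ -TimeGenerated (Get-Date '2009-04-28 07:34:01') } |
    Select-SuspectLogons -Mailbox 'director@company.com' -IgnoreActors @('NT AUTHORITY\SYSTEM', 'DOMAIN\Assistant') |
    ForEach-Object { '{0:G}  {1} opened {2}' -f $_.Time, $_.Actor, $_.Mailbox }

# On the mailbox server itself, for the director's request:
#   Get-NonOwnerMailboxLogons -Mailbox 'director@company.com' -Days 30 | Format-Table Time, Actor, Mailbox
```

The demo keeps User1 and Admin2 (the non-owner logons to the director's mailbox) and discards the SYSTEM logon, the delegate listed in -IgnoreActors and the two lines that are not 1016 messages. Note that the 400-events-a-minute volume MOPSC saw is mostly those other message types, so filtering on EventID 1016 before parsing is what makes the Application log usable at all; on a busy server, export the log on a schedule rather than relying on it not wrapping.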

Expert Comment

by:tigermatt
ID: 24320035

Did it happen within a minute then stop? Or kept running minute on minute?

Author Comment

by:MOPSC
ID: 24320119
I just ran it for a minute to capture some data and then stopped it.  I ran the Shell command and had the event log open at the same time, then I attempted to access someone else's mailbox.  All the while I'm hitting refresh on the event log and I see it growing quickly, so I ran the command again to put it back to "lowest", then sifted through the logs to find my attempt and what it showed.  Just thought it was odd that there were so many.  Lowest shows next to nothing and Low showed a bunch; scared to even try Medium. :P

Accepted Solution

by:tigermatt (earned 500 total points)
ID: 24340130

If I had Exchange 2007 in the test environment I'd give it a go for you to see what the effect is. Sadly the test lab hasn't been migrated yet.

Give it a go and see if that was a one-off coincidental fluke and see if the number of events logged is a bit more normal a second time round.

If not, go down the third-party route. Exchange has never properly done any form of auditing anyway; the right third-party tool would probably give you much more granular control and make the log files much easier to search.

-Matt

Author Comment

by:MOPSC
ID: 24354973
Thanks for your help, we'll look into a third-party tool to see if we can get this all monitored properly!