Solved

How to monitor Exchange logins/access by Administrators

Posted on 2009-05-04
Last Modified: 2012-05-06
We currently run 1 Exchange 2007 server, with approximately 200 people in an Active Directory domain.  One of our directors is wanting a list of who has accessed his email account in the past month and I'm not sure how to give him that report.  End users can't access each other's accounts obviously, only 3 of us here that can because of Administrative rights for the network, but I'd still like to be able to run a report/script/something that shows him who has (or better yet, has not) accessed his email account.  Does anyone know of a tool or script out there that can run a check against Exchange (or Event log) that can give me this detailed info?  It'd be nice to know that "User1 has accessed User2 Exchange account on Tuesday, 4/28/09 7:34:01" or something like that.  Thanks for your help!
Question by:MOPSC
11 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24295852

The only way you can do that is if you have configured auditing in Exchange beforehand. It cannot be enabled now and then a retrospective search performed back to before it was enabled.

The Set-EventLogLevel cmdlet is the one you need to use at the Exchange Management Shell to enable any sort of auditing on the server. The full command would be

Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Logons" -Level Low (level can be set to Lowest (default), Low, Medium, High, Expert with varying levels of data logged each time).

By enabling this, an event will be logged in the event viewer with ID 1016 which logs that a user accessed another user's mailbox. It is not, however conclusive; if users have the ability to view another user's calendar, for instance, this will be logged as a "Mailbox Access".

Getting data out of the Event Logs is also not overly easy. It may be more appropriate if this is very important to you to invest in a third-party Exchange auditing package. http://www.quest.com/InTrust-Plug-in-for-Exchange/ looks like one example.

Matt
0
 

Author Comment

by:MOPSC
ID: 24298828
The package you linked looks pretty nice, but so far looks to not support Windows 2008.  :(  As far as the Shell command goes, what type of data does each level return?  Would low tell me who accessed what and at what time?  Thanks again!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24299430

As far as I remember (can't check at the moment) the Low logging would simply log in the event viewer that User X accessed User Y's mailbox. Since it would be a standard Event Log, the standard log entry would contain the date/time of this event happening.

You can then increase the logging level until you get just the right amount of information.

-Matt
0

 

Author Comment

by:MOPSC
ID: 24299533
Looks nice, I turned it on and it shows when I try to access another account just fine.  Only issue now is I had it turned on for approximately 1 minute and got 400 events...yikes!
0
 
LVL 4

Expert Comment

by:BillCarlin
ID: 24299930
This is very hard to accomplish as Exchange is under the thought that it does not need to police itself from its admin.  If there is an auditing concern you are probably best to look at third party tools like Stealth Audit or something.  If it is a question of trust of the Exchange admin, there is a bigger issue which would need to be resolved internally. There is an event that shows a denied request to access the mailbox, but it is difficult to prove because like the other event, a user trying to look at a calendar can get a denial.

Cheers
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24318166

400 events in the space of a minute is quite unusual; was that on the 'Low' setting? Do you have a large organization with many delegates accessing other users' mailboxes?

Exchange auditing is very basic at the best of times. I'd suggest you look into a third-party product to do this sort of auditing if it is a big problem for you.

-Matt
0
 

Author Comment

by:MOPSC
ID: 24319984
Yeah, I had it on the low setting, figured it would be a bit much to turn it up if it received that many so quick.  We only have 200 users, and I'd say probably 12 or so of them access one another's mailbox.  Here are a few examples of what I saw:


Process STORE.EXE (PID=2524). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC03.company.com      CDG 1 7 7 1 0 1 1 7 1
DC.company.com      CDG 1 7 7 1 0 1 1 7 1
DC08.company.com      CDG 1 7 7 1 0 1 1 7 1
 Out-of-site:

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to EXCH-SA@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH/cn=Microsoft System Attendant on database "First Storage Group\Mailbox Database", using administrator privileges.

DOMAIN\User1 logged on as /O=WORK/OU=EXCHG/cn=Recipients/cn=user1 on database "First Storage Group\Mailbox Database".

Windows User NT AUTHORITY\SYSTEM logged on to joe.hale@company.com mailbox, and is not the primary Windows account on this mailbox.

NT AUTHORITY\SYSTEM logged on as /o=WORK/ou=EXCHG/cn=Recipients/cn=halej on database "First Storage Group\Mailbox Database", using administrator privileges.

Starting from 5/4/2009 2:09:01 PM service 'Exchange Content Indexing' has performed this activity on the server:
RPC Operations: 20507.
Database Pages Read: 337 (of which 6 pages preread).
Database Pages Updated: 101768 (of which 96112 pages reupdated).
Database Log Records Generated: 90992.
Database Log Records Bytes Generated: 3283771.
Time in User Mode: 874 ms.
Time in Kernel Mode: 32 ms.


Anything look out of place?  Just a ton of this within that minute.
0
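Putting tigermatt's Set-EventLogLevel step together with the noise MOPSC's sample shows, here is an added PowerShell example that is not code posted by either of them. It assumes it is run in the Exchange Management Shell on the Exchange 2007 mailbox server with PowerShell 2.0 (for the -Source/-After parameters of Get-EventLog), that the mailbox of interest is identified by its SMTP address (the "director@company.com" value is a placeholder), and that the event 1016 message text has the exact shape shown in MOPSC's sample. It raises the Logons category to Low, turns the 1016 events into a "who opened which mailbox and when" table while discarding the NT AUTHORITY\SYSTEM entries that account for most of the volume, and then puts the level back to Lowest.

```powershell
# Added example, not code from the thread. Assumes the Exchange Management Shell
# on an Exchange 2007 mailbox server and PowerShell 2.0 or later.
$LogonCategory = "MSExchangeIS\9000 Private\Logons"

function Enable-MailboxLogonAuditing {
    # tigermatt's command: Low is enough to get the "logged on to ... mailbox" events.
    # Only events logged from this point on exist; there is nothing retrospective.
    Set-EventLogLevel -Identity $LogonCategory -Level Low
}

function Disable-MailboxLogonAuditing {
    # Back to the default so the Application log stops filling at the rate MOPSC saw.
    Set-EventLogLevel -Identity $LogonCategory -Level Lowest
}

function Get-MailboxLogonReport {
    param(
        [string]$MailboxAddress,                       # e.g. "director@company.com" (placeholder)
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    # Event 1016 is logged when a Windows account that is not the mailbox owner
    # opens the mailbox; delegates and calendar views show up here too, so a hit
    # means "opened", not "read the inbox".
    $events = Get-EventLog -LogName Application -Source MSExchangeIS -After $Since |
        Where-Object { $_.EventID -eq 1016 }

    # Message shape taken from MOPSC's sample:
    #   "Windows User DOMAIN\User logged on to someone@company.com mailbox, and is
    #    not the primary Windows account on this mailbox."
    $pattern = '^Windows User (?<win>.+?) logged on to (?<mbx>.+?) mailbox, and is not the primary Windows account'

    foreach ($e in $events) {
        if (-not ($e.Message -match $pattern)) { continue }
        $win = $Matches['win']
        $mbx = $Matches['mbx']

        # The store itself (System Attendant, Content Indexing, other services) logs
        # on as NT AUTHORITY\SYSTEM; that is the bulk of the 400 events per minute
        # and says nothing about a person opening the mailbox.
        if ($win -like 'NT AUTHORITY\*') { continue }

        # Keep only the mailbox the director asked about.
        if ($mbx -ne $MailboxAddress) { continue }

        New-Object PSObject -Property @{
            Time        = $e.TimeGenerated
            WindowsUser = $win
            Mailbox     = $mbx
        }
    }
}

# Usage: enable, let a day or more of activity accumulate, report, then disable.
Enable-MailboxLogonAuditing
# ... wait for the collection window ...
Get-MailboxLogonReport -MailboxAddress "director@company.com" |
    Sort-Object Time |
    Format-Table Time, WindowsUser, Mailbox -AutoSize
Disable-MailboxLogonAuditing
```

The filter on NT AUTHORITY\SYSTEM is what makes the Low level usable: the 1016 events for a real person are rare, and the report only answers the director's question for the window during which the level was raised, which is why it is worth leaving it on for the whole month rather than a minute. The list of names that do not appear (the "has not accessed" part of the question) is then simply the set of admins and delegates minus the WindowsUser column.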
 
LVL 58

Expert Comment

by:tigermatt
ID: 24320035

Did it happen within a minute then stop? Or kept running minute on minute?
0
 

Author Comment

by:MOPSC
ID: 24320119
I just ran it for a minute to capture some data and then stopped it.  I ran the Shell command and had the event log open at the same time, then I attempted to access someone else's mailbox.  All the while I'm hitting refresh on the event log and I see it growing quick, so I ran the command again to put it back to "lowest", then sifted through the logs to find my attempt and what it showed.  Just thought it was odd that there were so many.  Lowest shows next to nothing and Low showed a bunch, scared to even try Medium. :P
0
 
LVL 58

Accepted Solution

by:tigermatt (earned 500 total points)
ID: 24340130

If I had Exchange 2007 in the test environment I'd give it a go for you to see what the effect is. Sadly the test lab hasn't been migrated yet.

Give it a go and see if that was a one-off coincidental fluke and see if the number of events logged is a bit more normal a second time round.

If not, go down the third-party route. Exchange has never properly done any form of auditing anyway; the right third-party tool would probably give you much more granular control and make the log files much easier to search.

-Matt
0
 

Author Comment

by:MOPSC
ID: 24354973
Thanks for your help, we'll look into a third-party tool to see if we can get this all monitored properly!
0
