
Exchange 2007 SP2 - Mailbox Auditing - Domain Admins EXCLUDED

Hello,
I have an Exchange 2007 SP2 server on Windows 2008 Enterprise (NOT R2). As mailbox auditing is enabled at the "Lowest" setting by default, I set this to Medium per the article from MSExchange.org. Specifically, under MSExchange --> Private --> IS properties I set the Folder Access to Medium and the Message Access to Low. NOTE: I tried setting both to Medium, but there is a "new" tech that has reverted this to "LOW", and they have also intermittently changed the Folder Access to Low as well. This has become a struggle, as I believe this new tech is opening users' mailboxes.
It appears that by default Domain Admins have the "ExtendedRights" permission, which also allows them to bypass the audit policy. I verified this by creating a test mailbox and then opening it with my account using OWA. The entries from my opening the mailbox do NOT show up in the audit logs. I can't turn this policy up, as the tech complains it fills the App log with "useless" data, and thus it has become a struggle, but we know that it is because he is up to no good.

How can I set an implicit "deny" on bypass auditing for the domain admins group and all users?  

Also, is Medium enough to pick up an event where User A opens User B's mailbox?  

I have gone through ALL the MS articles, and it appears that Level 3 (which is Medium) should be sufficient; however, I may have to lower this to the "LOW" setting to keep things happy right now in the group.

Is LOW going to show these details as well? I have Folder Access and Message Access turned on; is there anything else to do to ensure that I can see this activity regardless of the client that is used, whether it is Outlook, OWA, etc.?

thepunish3r Asked:

Steve Commented:
You're a bit stuck here, as the user you want to restrict is a domain admin and has the same rights as you. Anything you set can be undone by the other user.

thepunish3r (Author) Commented:
I am not worried about the domain admin changing the policy as that would be a red flag to everyone.  Right now I just want to enforce the policy for domain admins to be audited.  The correct answer to this is to set a specific deny right for the bypass auditing permission which is inherited for all domain admins as they are granted the Extended Rights permission.

I did that and it works perfectly!
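The fix the author describes (an explicit Deny on the bypass-auditing extended right so Domain Admins are audited like everyone else), written out as an added Exchange Management Shell example that is not part of the thread; it assumes the SP2 extended right is named `ms-Exch-Store-Bypass-Access-Auditing`, that the diagnostic categories are `MSExchangeIS\9000 Private\Folder Access` and `Message Access`, and that audit events are written to the "Exchange Auditing" event log.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 SP2 Management Shell
# on the mailbox server as an Exchange Organization Administrator.
# Assumed names: the extended right, the diagnostic category paths and the
# "Exchange Auditing" log name are taken from memory of SP2, not from the thread.
$group       = "CONTOSO\Domain Admins"                 # placeholder domain name
$bypassRight = "ms-Exch-Store-Bypass-Access-Auditing"  # assumed right name

# 1. Logging levels the author settled on: Folder Access = Medium, Message Access = Low.
Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Folder Access"  -Level Medium
Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Message Access" -Level Low

# 2. Explicit Deny on every mailbox database. A Deny ACE overrides the Allow that
#    Domain Admins inherit, so the store stops skipping audit entries for them.
foreach ($db in Get-MailboxDatabase) {
    Add-ADPermission -Identity $db.Identity -User $group `
        -ExtendedRights $bypassRight -Deny -ErrorAction Stop
}

# 3. Verify: list every ACE that carries the bypass right, with its Deny flag.
#    Re-run this on a schedule; the Deny can be removed by any other domain admin.
function Get-BypassAuditingAces {
    foreach ($db in Get-MailboxDatabase) {
        Get-ADPermission -Identity $db.Identity |
            Where-Object {
                ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $bypassRight
            } |
            Select-Object @{Name="Database"; Expression={$db.Name}}, User, Deny, IsInherited
    }
}
Get-BypassAuditingAces | Format-Table -AutoSize

# 4. Check that the levels stuck (the thread mentions them being reverted to Low).
Get-EventLogLevel -Identity "MSExchangeIS\9000 Private\*" |
    Format-Table Identity, EventLevel -AutoSize

# 5. Smoke test: open a test mailbox with an admin account, then confirm an audit
#    event appears. Event IDs are left unfiltered rather than assumed.
Get-EventLog -LogName "Exchange Auditing" -Newest 20 |
    Format-Table TimeGenerated, EventID, Message -AutoSize
```

Step 3 is the part worth keeping around: the Deny is the only control here, and step 3 is how you notice it has been removed.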
thepunish3r (Author) Commented:
The only answer I received did not provide an answer, it was a statement about the permissions that the team members have.