Solved

Exchange 2007 SP2 - Mailbox Auditing - Domain Admins EXCLUDED

Posted on 2010-11-14
3
915 Views
Last Modified: 2012-06-21
Hello,
I have an Exchange 2007 SP2 server on Windows 2008 Enterprise (NOT R2).  As mailbox auditing is enabled at the "Lowest" setting by default, I set this to Medium per the article from MSExchange.org.  Specifically Under MSExchange --> Private --> IS properties I set the Folder Access to Medium and the Message Access to Low.  NOTE:  I tried setting both to Medium but there is a "new" tech that has reverted this to "LOW" and they have also intermittently changed the Folder Access to Low as well.  This has become a struggle as I believe this new tech is opening users mailboxes.  
It appears by default that Domain Admins have the "ExtendedRights" permission which also allows them to bypass the audit policy.  I verified this by creating a test mailbox and then opening it with my account using OWA.  The entries that I opened the mailbox do NOT show up in the audit logs.  I can't turn this policy up as the tech complains it fills the App log with "useless" data and thus it has become a struggle, but we know that it is because he is up to no good.

How can I set an implicit "deny" on bypass auditing for the domain admins group and all users?  

Also, is Medium enough to pick up an event where User A opens User B's mailbox?  

I have gone through ALL the MS articles and it appears that Level 3 - which is Medium should be sufficient, however I may have to lower this to the "LOW" setting to keep things happy right now in the group.

Is LOW going to show these details as well?  I have Folder Access and Message access turned on, is there anything else to do to ensure that I can see this activity regardless of the client that is used whether it is outlook, OWA, etc?

0
Comment
Question by:thepunish3r
  • 2
3 Comments
 
LVL 27

Expert Comment

by:Steve
ID: 34131479
you're a bit stuck here as the user you want to restrict is a domain admin and has the same rights as you. anything you set can be undone by the other user.

0
 
LVL 3

Accepted Solution

by:
thepunish3r earned 0 total points
ID: 34168759
I am not worried about the domain admin changing the policy as that would be a red flag to everyone.  Right now I just want to enforce the policy for domain admins to be audited.  The correct answer to this is to set a specific deny right for the bypass auditing permission which is inherited for all domain admins as they are granted the Extended Rights permission.

I did that and it works perfectly!
0
 
LVL 3

Author Closing Comment

by:thepunish3r
ID: 34195093
The only answer I received did not provide an answer, it was a statement about the permissions that the team members have.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video discusses moving either the default database or any database to a new volume.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question