Solved

Exchange 2007 SP2 - Mailbox Auditing - Domain Admins EXCLUDED

Posted on 2010-11-14
913 Views
Last Modified: 2012-06-21
Hello,
I have an Exchange 2007 SP2 server on Windows 2008 Enterprise (NOT R2). As mailbox auditing is enabled at the "Lowest" setting by default, I set this to Medium per the article from MSExchange.org. Specifically, under MSExchange --> Private --> IS properties I set the Folder Access to Medium and the Message Access to Low. NOTE: I tried setting both to Medium, but there is a "new" tech who has reverted this to "LOW", and they have also intermittently changed the Folder Access to Low as well. This has become a struggle, as I believe this new tech is opening users' mailboxes.
It appears that by default Domain Admins have the "ExtendedRights" permission, which also allows them to bypass the audit policy. I verified this by creating a test mailbox and then opening it with my account using OWA. The entries showing that I opened the mailbox do NOT show up in the audit logs. I can't turn this policy up, as the tech complains it fills the App log with "useless" data, and thus it has become a struggle, but we know that it is because he is up to no good.

How can I set an implicit "deny" on bypass auditing for the domain admins group and all users?  

Also, is Medium enough to pick up an event where User A opens User B's mailbox?  

I have gone through ALL the MS articles and it appears that Level 3 - which is Medium should be sufficient, however I may have to lower this to the "LOW" setting to keep things happy right now in the group.

Is LOW going to show these details as well? I have Folder Access and Message Access turned on; is there anything else to do to ensure that I can see this activity regardless of the client that is used, whether it is Outlook, OWA, etc.?

Question by:thepunish3r
3 Comments
 
LVL 27

Expert Comment

by:Steve
ID: 34131479
You're a bit stuck here, as the user you want to restrict is a domain admin and has the same rights as you. Anything you set can be undone by the other user.

0
 
LVL 3

Accepted Solution

by:thepunish3r earned 0 total points
ID: 34168759
I am not worried about the domain admin changing the policy, as that would be a red flag to everyone. Right now I just want to enforce the policy for domain admins to be audited. The correct answer to this is to set a specific Deny right for the bypass auditing permission, which is inherited by all domain admins as they are granted the Extended Rights permission.

I did that and it works perfectly!
0
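The fix described in the accepted solution, written out as an added Exchange Management Shell example (not code from the thread or from Microsoft). It assumes the SP2 "Bypass Access Auditing" extended right is named ms-Exch-Store-Bypass-Access-Auditing, that the group to deny is "Domain Admins", and that the diagnostic logging categories live under MSExchangeIS\9000 Private; the last step is a defender's check that the levels have not been quietly lowered again.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on an Exchange 2007 SP2 server with an account that can edit the
# mailbox database ACLs.
#
# Assumptions (not stated on the page): the extended right is
# ms-Exch-Store-Bypass-Access-Auditing and the group to deny is "Domain Admins".

# 1. Set the store auditing categories to the levels described in the
#    question: Folder Access at Medium, Message Access at Low.
Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Folder Access"  -Level Medium
Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Message Access" -Level Low

# 2. Add an explicit Deny for the bypass right on every mailbox database.
#    A Deny ACE takes precedence over the Allow that Domain Admins inherit
#    through Exchange's default extended rights, so their mailbox access is
#    now written to the audit log like everyone else's.
Get-MailboxDatabase | Add-ADPermission -User "Domain Admins" `
    -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -Deny

# 3. Verify: list the ACEs that carry the bypass right and confirm the Deny
#    entry is present for the group on each database.
Get-MailboxDatabase | Get-ADPermission |
    Where-Object { $_.ExtendedRights -match "Bypass-Access-Auditing" } |
    Format-Table Identity, User, Deny, IsInherited -AutoSize

# 4. Detection: re-run this later (or on a schedule) to catch the auditing
#    categories being reset to "Lowest" behind your back.
Get-EventLogLevel |
    Where-Object { $_.Identity -like "MSExchangeIS\9000 Private\*" -and
                   $_.EventLevel -eq "Lowest" } |
    ForEach-Object { Write-Warning ("{0} has been reset to Lowest" -f $_.Identity) }
```

Step 2 is the part that answers the question: the Deny is set on the databases themselves, so it applies to every member of the group regardless of which Allow they inherit higher up. If the Deny ever needs to come off, Remove-ADPermission accepts the same -ExtendedRights and -Deny parameters.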
 
LVL 3

Author Closing Comment

by:thepunish3r
ID: 34195093
The only answer I received did not provide an answer; it was a statement about the permissions that the team members have.
0
