Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Exchange 2007 SP2 - Mailbox Auditing - Domain Admins EXCLUDED

Posted on 2010-11-14
3
Medium Priority
?
920 Views
Last Modified: 2012-06-21
Hello,
I have an Exchange 2007 SP2 server on Windows 2008 Enterprise (NOT R2).  As mailbox auditing is enabled at the "Lowest" setting by default, I set this to Medium per the article from MSExchange.org.  Specifically Under MSExchange --> Private --> IS properties I set the Folder Access to Medium and the Message Access to Low.  NOTE:  I tried setting both to Medium but there is a "new" tech that has reverted this to "LOW" and they have also intermittently changed the Folder Access to Low as well.  This has become a struggle as I believe this new tech is opening users mailboxes.  
It appears by default that Domain Admins have the "ExtendedRights" permission which also allows them to bypass the audit policy.  I verified this by creating a test mailbox and then opening it with my account using OWA.  The entries that I opened the mailbox do NOT show up in the audit logs.  I can't turn this policy up as the tech complains it fills the App log with "useless" data and thus it has become a struggle, but we know that it is because he is up to no good.

How can I set an implicit "deny" on bypass auditing for the domain admins group and all users?  

Also, is Medium enough to pick up an event where User A opens User B's mailbox?  

I have gone through ALL the MS articles and it appears that Level 3 - which is Medium should be sufficient, however I may have to lower this to the "LOW" setting to keep things happy right now in the group.

Is LOW going to show these details as well?  I have Folder Access and Message access turned on, is there anything else to do to ensure that I can see this activity regardless of the client that is used whether it is outlook, OWA, etc?

0
Comment
Question by:thepunish3r
  • 2
3 Comments
 
LVL 27

Expert Comment

by:Steve
ID: 34131479
you're a bit stuck here as the user you want to restrict is a domain admin and has the same rights as you. anything you set can be undone by the other user.

0
 
LVL 3

Accepted Solution

by:
thepunish3r earned 0 total points
ID: 34168759
I am not worried about the domain admin changing the policy as that would be a red flag to everyone.  Right now I just want to enforce the policy for domain admins to be audited.  The correct answer to this is to set a specific deny right for the bypass auditing permission which is inherited for all domain admins as they are granted the Extended Rights permission.

I did that and it works perfectly!
0
 
LVL 3

Author Closing Comment

by:thepunish3r
ID: 34195093
The only answer I received did not provide an answer, it was a statement about the permissions that the team members have.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question