thepunish3r asked:
Exchange 2007 SP2 - Mailbox Auditing - Domain Admins EXCLUDED

Hello,
I have an Exchange 2007 SP2 server on Windows 2008 Enterprise (NOT R2). As mailbox auditing is enabled at the "Lowest" setting by default, I set this to Medium per the article from MSExchange.org. Specifically, under MSExchange --> Private --> IS properties I set the Folder Access to Medium and the Message Access to Low. NOTE: I tried setting both to Medium, but there is a "new" tech who has reverted this to "LOW", and they have also intermittently changed the Folder Access to Low as well. This has become a struggle, as I believe this new tech is opening users' mailboxes.
It appears that by default Domain Admins have the "ExtendedRights" permission, which also allows them to bypass the audit policy. I verified this by creating a test mailbox and then opening it with my account using OWA. The entries showing that I opened the mailbox do NOT show up in the audit logs. I can't turn this policy up, as the tech complains it fills the App log with "useless" data, and thus it has become a struggle, but we know that it is because he is up to no good.

How can I set an implicit "deny" on bypass auditing for the domain admins group and all users?  

Also, is Medium enough to pick up an event where User A opens User B's mailbox?  

I have gone through ALL the MS articles and it appears that Level 3 - which is Medium should be sufficient, however I may have to lower this to the "LOW" setting to keep things happy right now in the group.

Is LOW going to show these details as well? I have Folder Access and Message Access turned on; is there anything else to do to ensure that I can see this activity regardless of the client that is used, whether it is Outlook, OWA, etc.?

Steve replied:

You're a bit stuck here, as the user you want to restrict is a domain admin and has the same rights as you. Anything you set can be undone by the other user.

ASKER CERTIFIED SOLUTION (thepunish3r)

This solution is only available to members of Experts Exchange.
thepunish3r (asker) commented:
The only answer I received did not provide an answer, it was a statement about the permissions that the team members have.
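As an added example, not taken from the question or from any answer on this page, these are the Exchange Management Shell commands a defender would run on the Exchange 2007 SP2 server to check and raise the two auditing levels the question names, see who holds the bypass-auditing extended right on a mailbox database, and add the explicit Deny the asker is after. The database identity and group name are placeholders, and the right name ms-Exch-Store-Bypass-Access-Auditing is assumed to be the Exchange 2007 SP2 extended right behind the bypass behaviour described in the question; as Steve notes, another domain admin can revert any of this, so the read-only checks are worth re-running and comparing over time.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 SP2 mailbox server.
# Placeholders: replace the database identity and the trustee with your own values.
$Database    = "EXSERVER\First Storage Group\Mailbox Database"   # placeholder
$Trustee     = "CONTOSO\Domain Admins"                            # placeholder
$BypassRight = "ms-Exch-Store-Bypass-Access-Auditing"             # assumed right name

# 1. Show the current mailbox access auditing levels for the private store.
#    The same categories appear in the GUI as MSExchangeIS -> 9000 Private -> Folder/Message Access.
Get-EventLogLevel |
    Where-Object { $_.Identity -like "MSExchangeIS\9000 Private\*Access" } |
    Format-Table Identity, EventLevel -AutoSize

# 2. Raise Folder Access and Message Access to Medium. In SP2 these audit events go to
#    the dedicated "Exchange Auditing" event log rather than the Application log.
Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Folder Access"  -Level Medium
Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Message Access" -Level Medium

# 3. List every ACE on the database that carries the bypass-auditing right, including
#    entries inherited from the organization level, so you can see who is exempt today.
Get-ADPermission -Identity $Database |
    Where-Object { $_.ExtendedRights -match $BypassRight } |
    Format-Table User, Deny, IsInherited -AutoSize

# 4. Add an explicit Deny for the group. An explicit Deny ACE takes precedence over an
#    inherited Allow, so members of the group lose the exemption on this database.
#    Apply to one database first and confirm that normal mailbox access still works.
Add-ADPermission -Identity $Database -User $Trustee -Deny -ExtendedRights $BypassRight

# 5. Re-read the ACL so the new Deny entry can be seen next to the inherited Allow.
Get-ADPermission -Identity $Database -User $Trustee |
    Where-Object { $_.ExtendedRights -match $BypassRight } |
    Format-Table User, Deny, IsInherited -AutoSize

# 6. Spot-check that auditing now records access: open another user's test mailbox,
#    then count the events written to the Exchange Auditing log in the last hour.
Get-EventLog -LogName "Exchange Auditing" -After (Get-Date).AddHours(-1) |
    Group-Object InstanceId | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Steps 1, 3, 5 and 6 are read-only and can be scheduled to detect the levels or the Deny entry being reverted later.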