I have an Exchange 2007 SP2 server on Windows 2008 Enterprise (NOT R2). As mailbox auditing is enabled at the "Lowest" setting by default, I set this to Medium per the article from MSExchange.org. Specifically, under MSExchange --> Private --> IS properties I set the Folder Access to Medium and the Message Access to Low. NOTE: I tried setting both to Medium but there is a "new" tech who has reverted this to "LOW" and they have also intermittently changed the Folder Access to Low as well. This has become a struggle as I believe this new tech is opening users' mailboxes.
It appears that by default Domain Admins have the "ExtendedRights" permission, which also allows them to bypass the audit policy. I verified this by creating a test mailbox and then opening it with my account using OWA. The entries showing that I opened the mailbox do NOT show up in the audit logs. I can't turn this policy up as the tech complains it fills the App log with "useless" data and thus it has become a struggle, but we know that it is because he is up to no good.
How can I set an implicit "deny" on bypass auditing for the domain admins group and all users?
Also, is Medium enough to pick up an event where User A opens User B's mailbox?
I have gone through ALL the MS articles and it appears that Level 3, which is Medium, should be sufficient; however, I may have to lower this to the "LOW" setting to keep things happy right now in the group.
Is LOW going to show these details as well? I have Folder Access and Message Access turned on. Is there anything else to do to ensure that I can see this activity regardless of the client that is used, whether it is Outlook, OWA, etc.?