Solved

Mailboxes: Audit access and check non-default permissions

Posted on 2011-09-23
9
1,857 Views
Last Modified: 2012-06-27
Hello,

I would like to get some suggestion about monitoring non-owners access to user mailboxes on Exchange 2010 SP1.
In most cases only users (should) have access to their mailboxes and I want to monitor if some unauthorized configuration changes or mailbox access have occurred.
On the server I have enabled Set-AdminAuditLogConfig, so every configuration change should be logged.
But here I need two more things:
- From EMS I would like to get the list of mailboxes which has (non-default) additional users added with full-access permissions set. How should look the command?
- Get things logged when non-owner get access to mailbox and just opens/reads mail. I'm not sure this is possible as MessageBind is not applicable for delegates.
Any other idea?

Thank you!
0
Comment
Question by:davorin
  • 4
9 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36589783
0
 
LVL 27

Author Comment

by:davorin
ID: 36590426
Govvy, thanks for comment, but I'm using Exchange 2010 SP1. Posted link is for Exchange 2007 SP2. Exchange 2010 have no audit logging at all. Exchange 2010 SP1 introduces new mailbox audit logging which is completely different from Exchange 2007 SP2.
0
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 500 total points
ID: 36898735
First of all, I'm not sure the reverse lookup is part of the built in system.  That said, I've never investigated it thoroughly so it may well be.

This script should do the trick for you though: http://www.stevieg.org/2010/12/report-exchange-mailboxes-group-members-full-access/

On top of this, you should be able to check delegate access and what they did using the examples here: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging

If this is no help then let me know and I will do sone tests when I am back in front of an Exchange server on Monday.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 27

Accepted Solution

by:
davorin earned 0 total points
ID: 36899143
Hi demazter,

The script looks very promising, but it would need some work - the part of workgroup I don't need.

Just yesterday I have found this link: http://www.howexchangeworks.com/2009/07/exchange-shell-finding-mailboxes-with.html  (Thanks to fresh EE member Morasiva).

But I needed to change the command a little bit  to:
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "fullaccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "*nt authority\self*") } | select Identity, User

The original gave me no output ( with "*fullaccess*").
Only one little thing that bothers me - Identity gives sometimes too long output and the actual mailbox name is cut off. Other options like alias or displayname give me blank value...

For delegates you can check 10 different action, except MessageBind (An item is accessed in the reading pane or opened.). On the other side, it is logical that this is not logged for owner of delegates, because exchange would have to log a lot of information.
Some would like this option in case someone accesses their mailbox without authorization, they would like to know in what he/she was interested.
On your opinion, this can be done or I should focus just on configuration changes log and access permissions?

0
 
LVL 27

Author Comment

by:davorin
ID: 36938280
I guess the answer to the second part of my question is "not possible".
Demazter, thank you for your comment.   At least for the first part it could take me in the right direction.
0
 
LVL 27

Author Closing Comment

by:davorin
ID: 36967051
I'm closing this one as I don't expect any new comments. thx
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question