Solved

Mailboxes: Audit access and check non-default permissions

Posted on 2011-09-23
9
1,867 Views
Last Modified: 2012-06-27
Hello,

I would like to get some suggestion about monitoring non-owners access to user mailboxes on Exchange 2010 SP1.
In most cases only users (should) have access to their mailboxes and I want to monitor if some unauthorized configuration changes or mailbox access have occurred.
On the server I have enabled Set-AdminAuditLogConfig, so every configuration change should be logged.
But here I need two more things:
- From EMS I would like to get the list of mailboxes which has (non-default) additional users added with full-access permissions set. How should look the command?
- Get things logged when non-owner get access to mailbox and just opens/reads mail. I'm not sure this is possible as MessageBind is not applicable for delegates.
Any other idea?

Thank you!
0
Comment
Question by:davorin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
9 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36589783
0
 
LVL 27

Author Comment

by:davorin
ID: 36590426
Govvy, thanks for comment, but I'm using Exchange 2010 SP1. Posted link is for Exchange 2007 SP2. Exchange 2010 have no audit logging at all. Exchange 2010 SP1 introduces new mailbox audit logging which is completely different from Exchange 2007 SP2.
0
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 500 total points
ID: 36898735
First of all, I'm not sure the reverse lookup is part of the built in system.  That said, I've never investigated it thoroughly so it may well be.

This script should do the trick for you though: http://www.stevieg.org/2010/12/report-exchange-mailboxes-group-members-full-access/

On top of this, you should be able to check delegate access and what they did using the examples here: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging

If this is no help then let me know and I will do sone tests when I am back in front of an Exchange server on Monday.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 27

Accepted Solution

by:
davorin earned 0 total points
ID: 36899143
Hi demazter,

The script looks very promising, but it would need some work - the part of workgroup I don't need.

Just yesterday I have found this link: http://www.howexchangeworks.com/2009/07/exchange-shell-finding-mailboxes-with.html  (Thanks to fresh EE member Morasiva).

But I needed to change the command a little bit  to:
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "fullaccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "*nt authority\self*") } | select Identity, User

The original gave me no output ( with "*fullaccess*").
Only one little thing that bothers me - Identity gives sometimes too long output and the actual mailbox name is cut off. Other options like alias or displayname give me blank value...

For delegates you can check 10 different action, except MessageBind (An item is accessed in the reading pane or opened.). On the other side, it is logical that this is not logged for owner of delegates, because exchange would have to log a lot of information.
Some would like this option in case someone accesses their mailbox without authorization, they would like to know in what he/she was interested.
On your opinion, this can be done or I should focus just on configuration changes log and access permissions?

0
 
LVL 27

Author Comment

by:davorin
ID: 36938280
I guess the answer to the second part of my question is "not possible".
Demazter, thank you for your comment.   At least for the first part it could take me in the right direction.
0
 
LVL 27

Author Closing Comment

by:davorin
ID: 36967051
I'm closing this one as I don't expect any new comments. thx
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
Read this checklist to learn more about the 15 things you should never include in an email signature.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question