Mailboxes: Audit access and check non-default permissions

Posted on 2011-09-23
Last Modified: 2012-06-27
Hello,

I would like to get some suggestions about monitoring non-owner access to user mailboxes on Exchange 2010 SP1.
In most cases only users (should) have access to their mailboxes and I want to monitor if some unauthorized configuration changes or mailbox access have occurred.
On the server I have enabled Set-AdminAuditLogConfig, so every configuration change should be logged.
But here I need two more things:
- From EMS I would like to get the list of mailboxes that have (non-default) additional users added with full-access permissions set. What should the command look like?
- Get things logged when a non-owner gets access to a mailbox and just opens/reads mail. I'm not sure this is possible as MessageBind is not applicable for delegates.
Any other ideas?

Thank you!
Question by:davorin
 
LVL 27

Author Comment

by:davorin
ID: 36590426
Govvy, thanks for the comment, but I'm using Exchange 2010 SP1. The posted link is for Exchange 2007 SP2. Exchange 2010 has no audit logging at all. Exchange 2010 SP1 introduces new mailbox audit logging which is completely different from Exchange 2007 SP2.
0
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 2000 total points
ID: 36898735
First of all, I'm not sure the reverse lookup is part of the built-in system. That said, I've never investigated it thoroughly so it may well be.

This script should do the trick for you though: http://www.stevieg.org/2010/12/report-exchange-mailboxes-group-members-full-access/

On top of this, you should be able to check delegate access and what they did using the examples here: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging

If this is no help then let me know and I will do some tests when I am back in front of an Exchange server on Monday.
0
 
LVL 27

Accepted Solution

by:
davorin earned 0 total points
ID: 36899143
Hi demazter,

The script looks very promising, but it would need some work - the part of workgroup I don't need.

Just yesterday I found this link: http://www.howexchangeworks.com/2009/07/exchange-shell-finding-mailboxes-with.html (Thanks to fresh EE member Morasiva).

But I needed to change the command a little bit to:
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "fullaccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "*nt authority\self*") } | select Identity, User

The original gave me no output ( with "*fullaccess*").
Only one little thing that bothers me - Identity gives sometimes too long output and the actual mailbox name is cut off. Other options like alias or displayname give me blank value...

For delegates you can check 10 different actions, except MessageBind (An item is accessed in the reading pane or opened.). On the other side, it is logical that this is not logged for owner of delegates, because Exchange would have to log a lot of information.
Some would like this option: in case someone accesses their mailbox without authorization, they would like to know what he/she was interested in.
In your opinion, can this be done, or should I focus just on the configuration changes log and access permissions?

0
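The two checks discussed in this thread, as an added example that is not part of any poster's original code: a report of explicit FullAccess grants that carries the mailbox's own DisplayName and SMTP address through to each row (the permission entries themselves have no Alias or DisplayName property, which is why those columns come back blank), followed by delegate audit logging on the affected mailboxes. It assumes an Exchange Management Shell session on Exchange 2010 SP1; the CSV path, the seven-day window, the chosen list of delegate operations and the address `user@example.com` are placeholders.

```powershell
# Added example - run in the Exchange Management Shell (Exchange 2010 SP1 assumed).

# 1. Explicit (non-inherited) FullAccess grants, one row per mailbox/trustee pair.
#    The filter is the same as the one-liner in the post above; the mailbox
#    object is kept in $mbx so its name can be added to every row.
$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            ($_.AccessRights -eq 'FullAccess') -and
            ($_.IsInherited -eq $false) -and
            -not ($_.User -like '*nt authority\self*')
        } |
        Select-Object @{n='Mailbox';     e={$mbx.DisplayName}},
                      @{n='SmtpAddress'; e={[string]$mbx.PrimarySmtpAddress}},
                      User, Deny
}

# -Wrap keeps long values from being cut off on screen; the CSV is the copy
# to keep and compare against the next run. The path is a placeholder.
$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\FullAccessReport.csv -NoTypeInformation

# 2. Turn on delegate auditing for every mailbox that has such a grant.
#    MessageBind is left out because it does not apply to delegates;
#    FolderBind records a delegate opening a folder.
$delegateOps = 'FolderBind','SendAs','SendOnBehalf',
               'SoftDelete','HardDelete','MoveToDeletedItems'
$report | Select-Object -ExpandProperty SmtpAddress -Unique | ForEach-Object {
    Set-Mailbox -Identity $_ -AuditEnabled $true -AuditDelegate $delegateOps
}

# 3. Review delegate activity on one mailbox for the last 7 days.
$mailbox = 'user@example.com'   # placeholder mailbox
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, Operation, LogonUserDisplayName, FolderPathName
```

Comparing each new CSV with the previous one shows FullAccess grants that appeared since the last run, which can then be matched against the admin audit log enabled with Set-AdminAuditLogConfig.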
 
LVL 27

Author Comment

by:davorin
ID: 36938280
I guess the answer to the second part of my question is "not possible".
Demazter, thank you for your comment.   At least for the first part it could take me in the right direction.
0
 
LVL 27

Author Closing Comment

by:davorin
ID: 36967051
I'm closing this one as I don't expect any new comments. thx
0
