Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1916
  • Last Modified:

Mailboxes: Audit access and check non-default permissions

Hello,

I would like to get some suggestion about monitoring non-owners access to user mailboxes on Exchange 2010 SP1.
In most cases only users (should) have access to their mailboxes and I want to monitor if some unauthorized configuration changes or mailbox access have occurred.
On the server I have enabled Set-AdminAuditLogConfig, so every configuration change should be logged.
But here I need two more things:
- From EMS I would like to get the list of mailboxes which has (non-default) additional users added with full-access permissions set. How should look the command?
- Get things logged when non-owner get access to mailbox and just opens/reads mail. I'm not sure this is possible as MessageBind is not applicable for delegates.
Any other idea?

Thank you!
0
davorin
Asked:
davorin
  • 4
2 Solutions
 
davorinAuthor Commented:
Govvy, thanks for comment, but I'm using Exchange 2010 SP1. Posted link is for Exchange 2007 SP2. Exchange 2010 have no audit logging at all. Exchange 2010 SP1 introduces new mailbox audit logging which is completely different from Exchange 2007 SP2.
0
 
Glen KnightCommented:
First of all, I'm not sure the reverse lookup is part of the built in system.  That said, I've never investigated it thoroughly so it may well be.

This script should do the trick for you though: http://www.stevieg.org/2010/12/report-exchange-mailboxes-group-members-full-access/

On top of this, you should be able to check delegate access and what they did using the examples here: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging

If this is no help then let me know and I will do sone tests when I am back in front of an Exchange server on Monday.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
davorinAuthor Commented:
Hi demazter,

The script looks very promising, but it would need some work - the part of workgroup I don't need.

Just yesterday I have found this link: http://www.howexchangeworks.com/2009/07/exchange-shell-finding-mailboxes-with.html  (Thanks to fresh EE member Morasiva).

But I needed to change the command a little bit  to:
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "fullaccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "*nt authority\self*") } | select Identity, User

The original gave me no output ( with "*fullaccess*").
Only one little thing that bothers me - Identity gives sometimes too long output and the actual mailbox name is cut off. Other options like alias or displayname give me blank value...

For delegates you can check 10 different action, except MessageBind (An item is accessed in the reading pane or opened.). On the other side, it is logical that this is not logged for owner of delegates, because exchange would have to log a lot of information.
Some would like this option in case someone accesses their mailbox without authorization, they would like to know in what he/she was interested.
On your opinion, this can be done or I should focus just on configuration changes log and access permissions?

0
 
davorinAuthor Commented:
I guess the answer to the second part of my question is "not possible".
Demazter, thank you for your comment.   At least for the first part it could take me in the right direction.
0
 
davorinAuthor Commented:
I'm closing this one as I don't expect any new comments. thx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now