Improve company productivity with a Business Account.Sign Up

x
?
Solved

SEND AS Auditing - Exchange 2007

Posted on 2015-01-09
5
Medium Priority
?
183 Views
Last Modified: 2015-01-12
Set logging level to Expert for SEND AS on my exchange mailbox servers.

Idea is that we need to be able to log whenever a user does a SEND AS operation from a shared mailbox to which they have access, in case we ever need to trace the email sent.

Anyway, following server reboot, it works but:-

1) Its in the application event log - I would have expected the Exchange Audting event log?
2) Most of the entries say /cn="username" sent a message as /cn=Microsoft private mdb. What is that and how do I determine which mailbox the email was sent from?
0
Comment
Question by:paul williams
  • 2
  • 2
5 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40541677
You need to enable auditing for Extended Send As and not Send As for what you want to achieve. Also, there is no need to restart the server when you change the auditing level, just restart the Microsoft Exchange Information Store service.

Once you've enabled Extended Send As auditing, you should start seeing entries for Event ID 10106 in the Exchange Auditing log when an email is sent from another user. The fact that you enabled Send As auditing and not Extended Send As auditing may explain why you're experiencing the above.

Here's what a sample Send As audit log entry looks like:

Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Date: <date>
Event ID: 10106
Task Category: Send As
Level: Information
Keywords: Classic
Description: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <BA15978123F9C848B820A8C5C1DC29B5038E9D50@Server.Contoso.com>
Mailbox: UserB
Account Name: CONTOSO\UserB
Accessing User: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB
Mailbox:<NULL>
Administrative Rights: false
Identifier: 00000000317A7130
Client Information (if Available)
Machine Name: <ClientName>
Address: <IP Address>
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A

Open in new window

Have a look at the Extended Send As Auditing section in this link for more information: http://technet.microsoft.com/en-us/library/ee221156(v=exchg.80).aspx
0
 
LVL 38

Expert Comment

by:Jian An Lim
ID: 40543484
In theory, it works ok, but in management, it is very painful because of the logs and information overload.
If you can't survive the painful process, upgrade to the latest exchange as it has better audit tracking ability.
0
 

Author Comment

by:paul williams
ID: 40544050
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?

Our exchange servers get rebooted overnight anyway which solves this problem.
0
 

Author Comment

by:paul williams
ID: 40544051
But yes we are evenually upgrading as well.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40544100
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?
Can't really tell you to be honest as all of Microsoft's documentation along with other articles from reputable websites state to use Extended Send As auditing.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article involves a discussion about issues people have when it comes to Client Access in relating to Load Balancing in an Exchange environment which we had ourselves, along with a solution I found to the problem.
What is Archiving? Archiving in Exchange Online (called In-Place Archiving) provides users with additional mailbox storage space.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question