Solved

SEND AS Auditing - Exchange 2007

Posted on 2015-01-09
5
158 Views
Last Modified: 2015-01-12
Set logging level to Expert for SEND AS on my exchange mailbox servers.

Idea is that we need to be able to log whenever a user does a SEND AS operation from a shared mailbox to which they have access, in case we ever need to trace the email sent.

Anyway, following server reboot, it works but:-

1) Its in the application event log - I would have expected the Exchange Audting event log?
2) Most of the entries say /cn="username" sent a message as /cn=Microsoft private mdb. What is that and how do I determine which mailbox the email was sent from?
0
Comment
Question by:paul williams
  • 2
  • 2
5 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40541677
You need to enable auditing for Extended Send As and not Send As for what you want to achieve. Also, there is no need to restart the server when you change the auditing level, just restart the Microsoft Exchange Information Store service.

Once you've enabled Extended Send As auditing, you should start seeing entries for Event ID 10106 in the Exchange Auditing log when an email is sent from another user. The fact that you enabled Send As auditing and not Extended Send As auditing may explain why you're experiencing the above.

Here's what a sample Send As audit log entry looks like:

Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Date: <date>
Event ID: 10106
Task Category: Send As
Level: Information
Keywords: Classic
Description: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <BA15978123F9C848B820A8C5C1DC29B5038E9D50@Server.Contoso.com>
Mailbox: UserB
Account Name: CONTOSO\UserB
Accessing User: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB
Mailbox:<NULL>
Administrative Rights: false
Identifier: 00000000317A7130
Client Information (if Available)
Machine Name: <ClientName>
Address: <IP Address>
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A

Open in new window

Have a look at the Extended Send As Auditing section in this link for more information: http://technet.microsoft.com/en-us/library/ee221156(v=exchg.80).aspx
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 40543484
In theory, it works ok, but in management, it is very painful because of the logs and information overload.
If you can't survive the painful process, upgrade to the latest exchange as it has better audit tracking ability.
0
 

Author Comment

by:paul williams
ID: 40544050
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?

Our exchange servers get rebooted overnight anyway which solves this problem.
0
 

Author Comment

by:paul williams
ID: 40544051
But yes we are evenually upgrading as well.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40544100
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?
Can't really tell you to be honest as all of Microsoft's documentation along with other articles from reputable websites state to use Extended Send As auditing.
0

Featured Post

Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now