Pau Lo

tracking logs for shared mailbox

Is it possible with Exchange 2010 tracking logs to prove the following?

We have a mailbox which has been made accessible in terms of permissions so a number of users have access and control over the mailbox. We need to prove which of those users has sent/forwarded information from that mailbox elsewhere. Can the logs prove who did these actions? Or will they just show the mailbox itself sent/forwarded them on?
ASKER CERTIFIED SOLUTION
Guy Lidbetter
This solution is only available to members.
Pau Lo

ASKER

Thanks Guy, I suspect the audit logging is yet to be enabled, so I was looking at anything that could still be proven in the tracking logs, which are turned on for 30 days.
SOLUTION
tigermatt
This solution is only available to members.
tigermatt is correct in saying that message tracking is hit and miss, which is why I listed it last.

In an example where I work, a user sent an email from a shared mailbox. The user was located on a terminal server with 40 other users. So the source IP was useless. However, if the user was on a desktop, a reverse lookup on the IP can easily identify the culprit.

Also, the users have full access permissions to the mailbox and have the mailbox open within Outlook. In this case, the user in effect actually sent the item from the shared mailbox, so the sent item was not located in their own sent items.

Whereas, if a user doesn't have full access and simply uses the drop down on the from field to "Send As", the email may well go into their own sent items as well. This is where the Search-Mailbox feature I mentioned becomes useful.

You've fallen into the age old dilemma of "who dunnit?" we all land up in at some time... Hence, I now always enable auditing on shared mailboxes.

Good luck!
You've fallen into the age old dilemma of "who dunnit?" we all land up in at some time... Hence, I now always enable auditing on shared mailboxes.
Great advice from Guy for future reference.

*tigermatt goes to double-check shared mailbox auditing is enabled...* :-)
Pau Lo

ASKER

I did notice on the tracking logs, in the custom-data field, the logs show the sender address as the named individual, whereas the purported sender shows the shared mailbox name, which is interesting.
Pau Lo

ASKER

i.e. sender-address says user A, whereas the custom data column shows S:PurportedSender=sharedmailbox@ourcompany.com for the same record
You're lucky on that one...

The Purported sender is the alleged sender... i.e. who the "from" will be on the receiving end. As you can see, the transport logs have noted the actual sender. This is not always the case though...

If a user has full access to a shared mailbox, has the mailbox open in Outlook, selects the mailbox and then sends an email, the from field will automatically be prepopulated with the Shared Mailbox and the logs will see it as sent directly from the shared mailbox. In this case, the sender will be the shared mailbox and there will be no purportedSender in the custom-data field.

Hit and miss as it were....
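
The check discussed in the posts above, as an added example that is not part of the original thread: it parses exported tracking-log text and separates records where sender-address names an individual while custom-data carries S:PurportedSender for the shared mailbox from records the log ties only to the shared mailbox itself. Only the sender-address and custom-data names come from the thread; the other columns, the sample rows and the ';' separator inside custom-data are assumptions.

```python
import csv
import io

SHARED = "sharedmailbox@ourcompany.com"  # address quoted in the thread

# Constructed sample rows. Only sender-address and custom-data are named in the
# thread; the other columns and the ';' separator in custom-data are assumptions.
SAMPLE_LOG = """\
#Fields: date-time,event-id,message-subject,sender-address,custom-data
2013-01-07T09:14:02.000Z,RECEIVE,Q4 figures,usera@ourcompany.com,S:PurportedSender=sharedmailbox@ourcompany.com;S:Example=1
2013-01-07T10:30:45.000Z,RECEIVE,FW: Contract,sharedmailbox@ourcompany.com,
2013-01-07T11:02:10.000Z,RECEIVE,Lunch,userb@ourcompany.com,
"""


def read_records(text):
    """Return an iterator of row dicts, taking column names from '#Fields:'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#"):
            rows.append(line)
    if fields is None:
        raise ValueError("no #Fields: header found")
    return csv.DictReader(io.StringIO("\n".join(rows)), fieldnames=fields)


def purported_sender(custom_data):
    """Return the S:PurportedSender value from custom-data, or None if absent."""
    for item in (custom_data or "").split(";"):
        key, _, value = item.partition("=")
        if key.strip().lower() == "s:purportedsender" and value.strip():
            return value.strip().lower()
    return None


def classify(text, shared=SHARED):
    """Split shared-mailbox traffic into attributable and unattributable records."""
    shared = shared.lower()
    attributed, unattributed = [], []
    for rec in read_records(text):
        sender = (rec.get("sender-address") or "").strip().lower()
        purported = purported_sender(rec.get("custom-data"))
        if purported == shared and sender != shared:  # real sender was logged
            attributed.append((rec["date-time"], sender, rec["message-subject"]))
        elif sender == shared and purported is None:  # no individual in the log
            unattributed.append((rec["date-time"], rec["message-subject"]))
    return attributed, unattributed
```

The second list is the "hit and miss" case: those records need mailbox audit logging or another source to identify the person.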
Pau Lo

ASKER

Thanks for your help and pointers.