Full Access Permissions to a mailbox

Dear Experts

Please can someone assist me.

I have an Exchange 2010 Server and I suspect that one of the admins maybe granting themselves access to certain mailboxes in order to gain access to sensitive information.

I have search the event log and cannot find anything.

Is there anywhere else that I can check?

Could they be doing it and clearing the log entry?

These are the settings for my admin log:


RunspaceId                   : ed1f32ef-cc3e-46ae-a6cc-ffb75876298a
AdminAuditLogEnabled         : True
TestCmdletLoggingEnabled     : False
AdminAuditLogCmdlets         : {*}
AdminAuditLogParameters      : {*}
AdminAuditLogExcludedCmdlets : {}
AdminAuditLogAgeLimit        : 90.00:00:00
AdminDisplayName             :
ExchangeVersion              : 0.10 (14.0.100.0)
Name                         : Admin Audit Log Settings
DistinguishedName            : CN=Admin Audit Log Settings,CN=Global Settings,CN=exchange,CN=Microsoft Exchange,CN=Serv
                               ices,CN=Configuration,DC=mycomp,DC=COM
Identity                     : Admin Audit Log Settings
Guid                         : e9e9e020-6ba4-4de3-ae50-fcec5e4dde14
ObjectCategory               : mycomp.COM/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass                  : {top, msExchAdminAuditLogConfig}
WhenChanged                  : 3/18/2014 4:27:34 PM
WhenCreated                  : 9/19/2012 9:57:21 AM
WhenChangedUTC               : 3/18/2014 2:27:34 PM
WhenCreatedUTC               : 9/19/2012 7:57:21 AM
OrganizationId               :
OriginatingServer            : mycompfs02.mycomp.COM
IsValid                      : True
TTAF4Asked:
Who is Participating?
 
Phillip MonkIT ManagerCommented:
PowerShell to the rescue:

Get-Mailbox -Server "<servername>"  -resultsize "Unlimited" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | ft @{Name="Identity";expression={($_.Identity -split "/")[-1]}}, User -AutoSize

From Technet:
https://social.technet.microsoft.com/Forums/ie/en-US/a9cd79ff-eda6-4527-af25-e50149e2242c/list-all-users-accounts-that-have-full-access-permissions-to-mailboxes?forum=exchange2010
1
 
SeanSystem EngineerCommented:
You can also look at the admin console on exchange. Open the user's mailbox you think the admin is giving themselves access to and see who has permission to that mailbox.

In the console tree, navigate to Recipient Configuration > Mailbox.
In the result pane, select the mailbox for which you want to grant Full Access permission.
In the action pane, under the mailbox name, click Manage Full Access Permission.
1
 
TTAF4Author Commented:
@Phillip - Thank you for the response and suggestion. The command works nicely but it only shows those users that currently have access to other mailboxes. We suspect an admin might be giving himself permissions, viewing the email and then removing them afterwards.
0
 
Phillip MonkIT ManagerCommented:
You will need to enable the Admin Audit Log.
Open the Exchange Management Shell, and run the following cmdlet:
Set-AdminAuditLogConfig – AdminAuditLogEnabled $true

After you've enabled logging,  you should find the action (the next time permissions change) in the Event Log:
Run eventvwr.msc → Applications and Services Logs → MSExchange Management → search for log with cmdlet “Add(Remove)-MailboxPermission” – where you can find who changed mailbox permissions, when it happened, to what mailbox and what kind of access was given.

Or  (Again PowerShell)

Search-AdminAuditLog –cmdlets Add(Remove)-MailboxPermission
1
 
Phillip MonkIT ManagerCommented:
Closed
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.