Full Access Permissions to a mailbox

Dear Experts

Please can someone assist me.

I have an Exchange 2010 Server and I suspect that one of the admins may be granting themselves access to certain mailboxes in order to gain access to sensitive information.

I have searched the event log and cannot find anything.

Is there anywhere else that I can check?

Could they be doing it and clearing the log entry?

These are the settings for my admin log:


RunspaceId                   : ed1f32ef-cc3e-46ae-a6cc-ffb75876298a
AdminAuditLogEnabled         : True
TestCmdletLoggingEnabled     : False
AdminAuditLogCmdlets         : {*}
AdminAuditLogParameters      : {*}
AdminAuditLogExcludedCmdlets : {}
AdminAuditLogAgeLimit        : 90.00:00:00
AdminDisplayName             :
ExchangeVersion              : 0.10 (14.0.100.0)
Name                         : Admin Audit Log Settings
DistinguishedName            : CN=Admin Audit Log Settings,CN=Global Settings,CN=exchange,CN=Microsoft Exchange,CN=Serv
                               ices,CN=Configuration,DC=mycomp,DC=COM
Identity                     : Admin Audit Log Settings
Guid                         : e9e9e020-6ba4-4de3-ae50-fcec5e4dde14
ObjectCategory               : mycomp.COM/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass                  : {top, msExchAdminAuditLogConfig}
WhenChanged                  : 3/18/2014 4:27:34 PM
WhenCreated                  : 9/19/2012 9:57:21 AM
WhenChangedUTC               : 3/18/2014 2:27:34 PM
WhenCreatedUTC               : 9/19/2012 7:57:21 AM
OrganizationId               :
OriginatingServer            : mycompfs02.mycomp.COM
IsValid                      : True
TTAF4 Asked:
Phillip Monk, IT Manager, Commented:
PowerShell to the rescue:

Get-Mailbox -Server "<servername>"  -resultsize "Unlimited" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | ft @{Name="Identity";expression={($_.Identity -split "/")[-1]}}, User -AutoSize

From Technet:
https://social.technet.microsoft.com/Forums/ie/en-US/a9cd79ff-eda6-4527-af25-e50149e2242c/list-all-users-accounts-that-have-full-access-permissions-to-mailboxes?forum=exchange2010
1

Sean, System Engineer, Commented:
You can also look at the admin console on Exchange. Open the user's mailbox you think the admin is giving themselves access to and see who has permission to that mailbox.

In the console tree, navigate to Recipient Configuration > Mailbox.
In the result pane, select the mailbox for which you want to grant Full Access permission.
In the action pane, under the mailbox name, click Manage Full Access Permission.
1
TTAF4, Author, Commented:
@Phillip - Thank you for the response and suggestion. The command works nicely but it only shows those users that currently have access to other mailboxes. We suspect an admin might be giving himself permissions, viewing the email and then removing them afterwards.
0
Phillip Monk, IT Manager, Commented:
You will need to enable the Admin Audit Log.
Open the Exchange Management Shell, and run the following cmdlet:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

After you've enabled logging, you should find the action (the next time permissions change) in the Event Log:
Run eventvwr.msc → Applications and Services Logs → MSExchange Management → search for log with cmdlet “Add(Remove)-MailboxPermission” – where you can find who changed mailbox permissions, when it happened, to what mailbox and what kind of access was given.

Or (again PowerShell)

Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Remove-MailboxPermission
1
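To surface the grant-then-remove pattern raised in this thread from admin audit log entries, here is an added example (not code from any participant). It assumes the User value is written the same way in the grant and the removal; the function names, the 24-hour threshold and the sample entries are constructed for illustration.

```powershell
# Added example (not from the thread). Pairs each FullAccess grant with the
# later removal for the same mailbox and grantee, and reports short-lived ones.
function Find-TransientFullAccess {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Entries,  # audit log entries
        [timespan] $MaxHeld = [timespan]::FromHours(24)     # assumed threshold
    )
    # Read one named value out of an entry's CmdletParameters collection.
    $getParam = { param($e, $n)
        ($e.CmdletParameters | Where-Object { $_.Name -eq $n } | Select-Object -First 1).Value }
    $open = @{}   # "mailbox|grantee" -> the Add-MailboxPermission entry still in force
    foreach ($e in ($Entries | Where-Object { $_.Succeeded } | Sort-Object RunDate)) {
        if ("$(& $getParam $e 'AccessRights')" -notmatch 'FullAccess') { continue }
        $key = '{0}|{1}' -f $e.ObjectModified, (& $getParam $e 'User')
        if ($e.CmdletName -eq 'Add-MailboxPermission') { $open[$key] = $e }
        elseif ($e.CmdletName -eq 'Remove-MailboxPermission' -and $open.ContainsKey($key)) {
            $add = $open[$key]; $open.Remove($key)
            $held = $e.RunDate - $add.RunDate
            if ($held -le $MaxHeld) {
                New-Object PSObject -Property @{
                    Mailbox = $e.ObjectModified; Grantee = (& $getParam $e 'User')
                    GrantedBy = $add.Caller; RevokedBy = $e.Caller
                    Granted = $add.RunDate; Held = $held }
            }
        }
    }
}

# Constructed sample entries carrying the properties Search-AdminAuditLog returns.
function New-SampleEntry($date, $caller, $cmdlet, $mailbox, $user) {
    $p = @( (New-Object PSObject -Property @{ Name = 'User'; Value = $user }),
            (New-Object PSObject -Property @{ Name = 'AccessRights'; Value = 'FullAccess' }) )
    New-Object PSObject -Property @{ RunDate = [datetime]$date; Caller = $caller
        CmdletName = $cmdlet; ObjectModified = $mailbox; Succeeded = $true; CmdletParameters = $p }
}
$sample = @(
    (New-SampleEntry '2014-03-18 14:02' 'mycomp.COM/Users/admin1' 'Add-MailboxPermission'    'mycomp.COM/Users/CFO'   'MYCOMP\admin1'),
    (New-SampleEntry '2014-03-18 14:31' 'mycomp.COM/Users/admin1' 'Remove-MailboxPermission' 'mycomp.COM/Users/CFO'   'MYCOMP\admin1'),
    (New-SampleEntry '2014-03-10 09:00' 'mycomp.COM/Users/admin2' 'Add-MailboxPermission'    'mycomp.COM/Users/Sales' 'MYCOMP\assistant')
)
Find-TransientFullAccess -Entries $sample | Format-List   # reports only the CFO mailbox pair
# Live data: Find-TransientFullAccess (Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Remove-MailboxPermission)
```

Only entries still inside the AdminAuditLogAgeLimit shown in the question (90 days) can be paired, so run this before older entries age out.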
Phillip Monk, IT Manager, Commented:
Closed
0