Audit Mailbox Access

Hi,

Exchange 2010/2013

I need to know how to enable event logging to track mailbox access success/failure by a non-owner user.

I don't need to know if a delegated user sends mail, deletes mail and so on, but only whether or not they access other mailboxes.

I know the command set-mailbox -auditenabled $true and search-mailboxAuditLog but I need an event ID item.

Thanks a lot.

Mauro

June 22nd, 2015 10:23am

Hi

If you run this command you can check the logs generated:

Get-Mailbox "User" | Format-List *audit*

June 22nd, 2015 1:02pm

Hi Mauro,

Just want to let you know that we can accomplish this task through the GUI.

Go to ECP -> click Compliance Management -> select the Auditing tab -> then click Run a non-owner Mailbox Access Report.

Hope above helps you.

Regards,

Joby

June 22nd, 2015 1:31pm


I hope the PS command given above works fine for you.

However, if you wish to get these reports automatically, the Lepide non-owner mailbox access auditing tool can also be a good alternative approach; it collects the access logs in real time and displays the detailed information: who has accessed which mailbox, when and from where.

June 23rd, 2015 2:42am

Hi Mauro,

There is no Event ID for delegate access (full access permission) to another mailbox in Exchange Server.

We can only use mailbox audit logging to log non-owner mailbox access for a specific mailbox. Please refer to Joby's suggestion to search the logs in EAC. Alternatively, we can also search the mailbox audit log with EMS:

Search-MailboxAuditLog -LogonTypes Delegate -StartDate 1/1/2015 -EndDate 6/30/2015

New-MailboxAuditLogSearch -LogonTypes Delegate -StartDate 1/1/2015 -EndDate 6/30/2015 -StatusMailRecipients administrator@cu1.com

Regards,

June 23rd, 2015 9:12am

Thanks for the answer.

Is there no way to log an event ID (for example 1016 "<user name> logged on to <mailbox name> mailbox, and is not the primary Windows 2000 account on this mailbox") to track user mailbox access?

Thanks,

Mauro

June 30th, 2015 3:34am
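
Added example, not part of the original thread or of Exchange itself: since the replies state there is no native event ID, one workaround is a scheduled Exchange Management Shell script that reads new non-owner FolderBind audit entries with Search-MailboxAuditLog and writes each one to the Application log under a custom event ID. The mailbox address, event source name, event ID 9016 and state file path are assumptions chosen for illustration.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010/2013),
# e.g. from a scheduled task. Values marked "assumed" are not from the thread.
$Mailbox   = 'shared.mailbox@example.com'   # assumed: mailbox to watch
$Source    = 'MailboxAuditBridge'           # assumed: custom event source name
$EventId   = 9016                           # assumed: custom event ID
$StateFile = 'C:\Scripts\mbx-audit.last'    # assumed: stores the last run time

# Audit folder access (FolderBind) by delegates and administrators.
# Note: this replaces the mailbox's current delegate/admin action lists;
# list any other actions (SendAs, HardDelete, ...) you still want audited.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate FolderBind -AuditAdmin FolderBind

# Register the event source once (needs an elevated shell).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Search from the previous run (or the last 24 hours on first run) until now.
$end   = Get-Date
$start = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) }
         else { $end.AddDays(-1) }

$entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate,Admin `
    -ShowDetails -StartDate $start -EndDate $end -ResultSize 5000 |
    Where-Object { $_.Operation -eq 'FolderBind' }

foreach ($e in $entries) {
    # Anything other than a clean success is raised as a warning.
    $type = if ($e.OperationResult -eq 'Succeeded') { 'Information' } else { 'Warning' }
    $msg  = '{0} ({1}) accessed folder "{2}" in mailbox {3} at {4:u} from {5} [{6}]; result: {7}' -f
            $e.LogonUserDisplayName, $e.LogonType, $e.FolderPathName,
            $e.MailboxResolvedOwnerName, $e.LastAccessed, $e.ClientIPAddress,
            $e.ClientInfoString, $e.OperationResult
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType $type -Message $msg
}

# Remember where this run stopped so the next run does not re-emit entries.
$end.ToString('o') | Set-Content $StateFile
```

Exchange 2013 consolidates delegate FolderBind entries (one entry per folder within 24 hours), so the events show that a non-owner accessed the mailbox, not every individual access.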
