Exchange 2007 - How to Monitor granting of full mailbox access
Hello everybody, I have the following situation in my Exchange 2007 SP3 organization: I need to find out when an administrator grants some user (or himself) Full Mailbox Access permissions over another user's mailbox. I think the logging functionality is turned on because in Diagnostic Logging of my CCR Virtual Server in EMC I have set up MSExchangeIS - 9000 Private - Access Control - Expert (the server has been restarted several times, so this setting should be applying). All Exchange servers are running Windows Server 2008 R2 SP1. But on the active node I can't find any event (searching the Applications and Services Logs - Exchange Auditing) when I did the test of granting myself that permission. On the passive node I have no events at all. Do I have to do something else to activate this kind of logging? Which source and/or event ID does it log? Thank you very much! Hernn.
March 21st, 2012 2:11pm

I think it will not log anything until you access the mailbox. When granting the permission it will not log this action; try accessing the mailbox and an event should be logged in the event viewer (event ID: 10100). If you want to track the permission changes, maybe you will need an advanced tool like FIM 2010.
March 21st, 2012 5:32pm

On Wed, 21 Mar 2012 18:11:54 +0000, badracing wrote:
> I have the following situation in my Exchange 2007 SP3 organization:
>
> I need to find out when an administrator grants some user (or himself) Full Mailbox Access permissions over another user's mailbox.

That would be handled by AD auditing policies, not Exchange.
---
Rich Matheisen MCSE+I, Exchange MVP
March 21st, 2012 6:03pm

There is no practical way to audit mailbox permission changes natively for 2007. I say practically because although you can do Windows attribute logging of the Msexchmailboxsecuritydescriptor, you will probably find that it's not sufficient. You can run some PS scripts to take snapshots of the permissions to see what was changed, but again that won't show you who changed them. For 2007 you need to look into third-party auditing software. For 2010 you can audit the cmdlets, so you can audit who ran add-mailboxpermission against which mailbox: http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/c7537642-fdf4-451b-b1ad-09e9ffc2d130
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 22nd, 2012 11:36am

Rich, you are right. I'm seeing 566 events logged on one of our DCs when I edit the Full Access Mailbox permissions. Now I'll try to create a PS script that sends an email if one of these events with some specific text is logged in the security log. Thank you Rich and Naser
March 22nd, 2012 4:39pm
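One way to build the script the last reply describes, as an added example that is not code from the thread: it polls a DC's Security log for the event ID the poster saw (566, taken from the post above) whose text mentions the msExchMailboxSecurityDescriptor attribute James named, and mails a summary of any new hits. The DC name, SMTP relay, mail addresses and state-file path are assumed placeholders; adjust the event ID if your DCs log the change under a different one.

```powershell
# Added example, not from the thread. Run on a schedule (e.g. every 15 minutes)
# from a host that can read the DC's Security log and reach the SMTP relay.
param(
    [string]$Dc         = 'DC01',                 # assumed DC host name
    [int]   $EventId    = 566,                    # event ID reported in the thread
    [string]$Attribute  = 'msExchMailboxSecurityDescriptor',
    [string]$SmtpServer = 'smtp.example.com',     # assumed relay
    [string]$From       = 'audit@example.com',    # assumed sender
    [string]$To         = 'secops@example.com',   # assumed recipient
    [string]$StateFile  = "$env:ProgramData\MailboxAclWatch.txt"  # assumed path
)

# Remember where the previous run stopped so every event is reported exactly once.
$since = (Get-Date).AddHours(-1)
if (Test-Path $StateFile) { $since = [datetime](Get-Content $StateFile) }
$now = Get-Date

# A hashtable filter lets the Event Log service do the filtering, which matters
# on a busy DC's Security log; the attribute check is done on the message text.
$filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $since; EndTime = $now }
$hits = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Attribute) }

# Advance the watermark before sending so a mail failure cannot cause duplicates
# on the next run (the events are still in the log if you need to re-check).
Set-Content -Path $StateFile -Value $now.ToString('o')

if (-not $hits) { return }   # nothing changed in this window

# One block per event: when it happened, on which DC, and the full audit text,
# which carries the account that made the change and the mailbox object touched.
$body = foreach ($e in $hits) {
    '{0:u}  event {1} on {2}' -f $e.TimeCreated, $e.Id, $e.MachineName
    $e.Message
    '-' * 60
}

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject ("Mailbox security descriptor changed: {0} event(s) on {1}" -f @($hits).Count, $Dc) `
    -Body ($body -join "`r`n")
```

Because the poster's trigger is a DC security event rather than an Exchange log, the script must run against the DC(s) where the permission edits are written, not against the CCR nodes.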
