Logging Mailbox Permission Changes
Hello Guy's,
We are running an Exchange 2007 SP2, and we want to log Every Change of Mailbox Permissions.
So that we can prove, nobody of the IT department has access a Mailbox of a User without permission.
The first thing now is to setup a manipulation free Logging, furthers thers maybe the need to setup a External Log collection Server, wich is not accessible by our IT department.
But First of all i need to setup the logging, and i didn't find good Information on this so far. Maybe someone can help me out?
First of all, as far as i understand there are 3 Types of permissions on an Exchange Mailbox:
1.) The User Permissions, wich i can be change directly in Outlook, by default only the owner of the Mailbox can change them, so i think there is now logging needed (even not possible?)
2.) Active Directory permissions (add-adpermissions), these can be set the Server Object, the Storage Group, and the Mailbox store.
Maybe for the Mailbox?
These ones could be logged on the Domain Controller, i guess.
3.) But as far as i understand, there are also Mailbox specific permissions, (add-mailboxpermission) wich are stored in the Mailbox Database itself (If you use the "Manage full Acces Permissions")? Ist this Correct?
Is there a way to log this Changes?
At this time i don't want to log all Mailbox Access wich if seen is possible with debugg logging.
thanks for your Help
regards
Stefan
March 15th, 2012 8:52am
There is no practical way to audit permissions changes natively for 2007. I say practically because although you can do windows attribute logging of the Msexchmailboxsecuritydescriptor you will probably find that it's not sufficient. You can run some PS
scripts to take snapshots of the permissions to see what was changed but again that won't show you who changed them. For 2007 you need to look into third party auditing software. For 2010 you can audit the cmdlets so you can audit who ran add-mailboxpermission
against which mailbox etc.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
March 15th, 2012 2:00pm
There is no practical way to audit permissions changes natively for 2007. I say practically because although you can do windows attribute logging of the Msexchmailboxsecuritydescriptor you will probably find that it's not sufficient. You can run some PS
scripts to take snapshots of the permissions to see what was changed but again that won't show you who changed them. For 2007 you need to look into third party auditing software. For 2010 you can audit the cmdlets so you can audit who ran add-mailboxpermission
against which mailbox etc.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 15th, 2012 8:52pm
Hi Stefan,
In Exchange 2007 you can use other third-party products or follow James-Luo's suggestion (trun on auditing for the Msexchmailboxsecuritydescriptor) in this thread.
Exchange 2007 audit of add-MailboxPermission
http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/c7537642-fdf4-451b-b1ad-09e9ffc2d130
Thanks,
EvanEvan Liu
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
March 19th, 2012 4:56am
Hi Stefan,
In Exchange 2007 you can use other third-party products or follow James-Luo's suggestion (trun on auditing for the Msexchmailboxsecuritydescriptor) in this thread.
Exchange 2007 audit of add-MailboxPermission
http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/c7537642-fdf4-451b-b1ad-09e9ffc2d130
Thanks,
EvanEvan Liu
TechNet Community Support
March 19th, 2012 11:53am