audit mailbox access exchange 2007
Hi , Can we do audit mailbox access in exchange 2007. All what I want is to see who has been accessed the perticular mailbax . Regards , PKOK
August 7th, 2007 4:19am

Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" -Level Low then you will see AuditEvents in Application log.
Free Windows Admin Tool Kit Click here and download it now
August 7th, 2007 10:39am

Hi Lasse, Thanks for the solution. I have enabled that today. So I will check the mail box access details in Application log incouple of days. I have another question regarding Windows 2003 certificate services . which forum do I need to use. Cheers , PKOK
August 8th, 2007 2:24am

I have a few questions conserning this. my first is where are these logs stored. my second is if I do raise the logging level to high how much data is going to be stored (as in will i have to dedicate aditional storage to this???) any help would be welcome.
Free Windows Admin Tool Kit Click here and download it now
February 13th, 2008 12:28pm

I would like to be able to see if anyone is opening other users mailbox. I am new at this and the owners of the company want this ability to see who is snooping around. Where do I run this command?
February 25th, 2008 2:33pm

Hi, You run the command from an exchange 2007 command shell. Leif
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2008 4:21pm

Hi, These events are stored in the event logs - there is no need for additional storage if you configure the event log with a size limit - it will just start all over when its full. Leif
February 25th, 2008 4:23pm

Hi, Thanks for your command. It means that you will get audit event access for all the mailboxe of the Exchange Organization. Is there any other workaround or solution if I want to get only audit events for only one mailbox? regards Richard
Free Windows Admin Tool Kit Click here and download it now
July 28th, 2009 5:55pm

Any type of access in particular? I know NetWrix Non-owner Mailbox Access Reporter monitors when administrators or other users have gained access to another user’s mailbox. And it’s free.
January 10th, 2011 11:26am

This is an old thread :) But anyway, Microsoft has, in the meantime, added some better auditing functionality in Service Pack 2 (SP3 has also since come out and also includes the features.) See http://msexchangeteam.com/archive/2009/09/03/452310.aspx
Free Windows Admin Tool Kit Click here and download it now
January 10th, 2011 4:47pm

I am dealing with a very serious issue and want to be 110% correct (actually I hope I am wrong). What I am trying to prove\disprove is if a admin used their administrative access privledges to view calendars without the knowledge or consent of the owners. I have checked delegate assignments and he has not been granted rights to these calendars. I dont have the actual event log entry but I have the exported CSV version listed below. We are running Exchange 2007 SP3. I have changed user names and tried to sanitize the log to protect the innocent. The person in question claims he is innocent and is not abusing his admin privedges. Tried to track down what the event 10100 & 10102 means but cannot get any real proof. He also is questioning the logs themselves which were done by our internal compliance team. I really dont want to escalate this because if it does it can result in disciplinary action. We want to keep it in our department and just want to warn him. Can you advise me. 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Acces s Auditing 10100 N/A SERVERXXXX The folder /Calendar in Mailbox ''User Name'' was opened by user XXXXHQ\adminID 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9131E@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <73284C20E0FFA04CB101A78D070D595115573271D2@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91299@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129B@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91368@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91375@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91376@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91379@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9137A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
January 22nd, 2011 1:22pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics