Establishing mailbox audit trails on Microsoft Exchange Server

"How do I establish audit trails on access to certain Exchange 2003 mailboxes? I want to be able to see if permissions change on a mailbox, or if administration staff is accessing the mailbox itself."

As you allude to in your question, it takes a change in permission to get access to a mailbox. Per Microsoft, administrators are explicitly denied access to all mailboxes except their own on Exchange 2000 and 2003. You should watch out for non-administrator accounts.

Mailbox permissions are stored in Active Directory, so the audit needs to be performed on a domain controller, not an Exchange server.

By default Audit account management is enabled on the Default domain controller's group policy for both Success and Failure events. Event 642 is generated when a user account is changed. Event 668 is generated when a group object is changed.

You might also want to enable Audit object access on the Default domain controller's group policy object. Then you can enable auditing on the user/mailbox objects themselves.

Auditing of users/mailboxes is configured under the Advanced security settings for the user object. A good object access for you to audit would be the successful and failed Modify permissions access.

Exchange also does some auditing of its own. If someone accesses a mailbox, and they are not the primary NT account, Event 1016 will be generated in the application log. See: How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server.

To defend against these actions, you should understand how permissions would need to be changed in the first place. Read: How to assign service account access to all mailboxes in Exchange Server 2003.

Do you have comments on this tip? Let us know.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Exchange Server Monitoring and Logging Analyzing Exchange ActiveSync data from .CSV report files Top Exchange Server performance monitoring and troubleshooting tools Extracting Exchange ActiveSync data from IIS log files How effective is tracking the IP address of an email hacker? Error message: 'ID no: 8004100e Exchange System Manager' How to generate HTML reports with the Exchange Management Shell (EMS) IMAP list command only returns a list of Exchange public folders A network connection problem or an offline server prevented delivery of the message Monitor and search Exchange mailboxes for music and video files How much bandwidth is required to send email in Exchange 2003? Microsoft Exchange Server Permissions Restrict access to Outlook Web Access via Exchange System Manager Why you should secure Exchange 2007 using administrative policies Editing Exchange Server public folder permissions Can't delete old Microsoft Outlook public folders Why can't I grant users permissions to an Exchange public folder? Exchange public folder calendar can't be opened in Microsoft Outlook Grant or deny permissions to access a user's Exchange 2007 mailbox Set Outlook calendar permissions for group to view private meetings Exchange Admin 101: Exchange 2003 and Exchange 2007 admin privileges Selectively set email permissions for Exchange groups Microsoft Exchange Server and Active Directory Top 10 Microsoft Exchange Server tips of 2008 Deployment tool errors during a migration from Exchange 5.5 to Exchange 2003 Can't create mailboxes after virtualizing Microsoft Exchange Server Tools to bulk modify Active Directory users in Exchange Server 2003 Email sent to a PDA doesn't get saved in Exchange Server mailbox How to verify Exchange Server email forwarding Remove Exchange 2007 public folder stores from a Mailbox Server role A network connection problem or an offline server prevented delivery of the message Create Exchange user and mailbox accounts on a Windows 2000 PDC Error 1053: Exchange System Attendant service could not start Microsoft Exchange Server and Active Directory Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary privilege  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.