Mailbox Audit Log

Status
Not open for further replies.
J-H

Hi

I wanted to test auditing mailbox access in Exchange Server 2010 SP1.

I can see in the Audits folder that there are items in this folder.

However, if I try to create a report of the audit logs then nothing is returned.

Search-MailboxAuditLog and New-MailboxAuditLogSearch only return when the mailbox was last accessed, but no additional information.

Is this function broken?

Regards

J-H

#

[PS] C:\Windows\system32>get-mailbox -Identity Mustermannm | fl audit*

AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete}

[PS] C:\Windows\system32>Get-MailboxFolderStatistics -Identity mustermannm -FolderScope RecoverableItems | where-object {$_.Name -eq "Audits" }

RunspaceId : b81f582f-9046-4bd3-9c93-6e08f32a3d74
Date : 11/7/2010 6:06:05 PM
Name : Audits
FolderPath : /Audits
FolderId : LgAAAAAmWe9pAjaQQItBzXMHwqd+AQDcqtMDoTyZTZVPuZ7ZY2/4AAACpjnJAAAB
FolderType : Audits
ItemsInFolder : 18
DeletedItemsInFolder : 0
FolderSize : 29.04 KB (29,734 bytes)
ItemsInFolderAndSubfolders : 18
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize : 29.04 KB (29,734 bytes)
OldestItemReceivedDate :
NewestItemReceivedDate :
OldestDeletedItemReceivedDate :
NewestDeletedItemReceivedDate :
OldestItemLastModifiedDate :
NewestItemLastModifiedDate :
OldestDeletedItemLastModifiedDate :
NewestDeletedItemLastModifiedDate :
ManagedFolder :
TopSubject :
TopSubjectSize : 0 B (0 bytes)
TopSubjectCount : 0
TopSubjectClass :
TopSubjectPath :
TopSubjectReceivedTime :
TopSubjectFrom :
TopClientInfoForSubject :
TopClientInfoCountForSubject : 0
SearchFolders : {}
Identity : mustermannm\Audits
IsValid : True

[PS] C:\Windows\system32>Search-MailboxAuditLog -Identity mustermannm

RunspaceId : b81f582f-9046-4bd3-9c93-6e08f32a3d74
MailboxGuid : 30c80df4-6b5e-45f7-b7b4-753c6151f327
MailboxResolvedOwnerName : Max Mustermann
LastAccessed : 11/7/2010 7:07:13 PM
Identity : TestDir.local/UserAccounts/Max Mustermann
IsValid : True

[PS] C:\Windows\system32>

[PS] C:\Windows\system32>New-MailboxAuditLogSearch "AccessToMailboxMustermann" -Mailboxes "MustermannM" -LogonTypes Admin,Delegate -StartDate 11/1/2010 -EndDate 11/8/2010 -StatusMailRecipients "administrator@TestDir.local"

RunspaceId : b81f582f-9046-4bd3-9c93-6e08f32a3d74
Mailboxes : {TestDir.local/UserAccounts/Max Mustermann}
LogonTypes : {Admin, Delegate}
ShowDetails : False
ExternalAccess :
Name : Search20101108{dc1b8ec2-d4c4-499e-8c58-e218a470787a}
StartDateUtc : 11/1/2010 12:00:00 AM
EndDateUtc : 11/8/2010 12:00:00 AM
StatusMailRecipients : {administrator@TestDir.local}
CreatedBy : TestDir.local/Users/Administrator
Identity : AuditLogSearch\d67e05df-15a3-43ef-8bc8-609b8c8aafe6
IsValid : True

[PS] C:\Windows\system32>

Content of SearchResult.xml

#

<?xml version="1.0" encoding="utf-8" ?>
<SearchResults>
<Event MailboxGuid="30c80df4-6b5e-45f7-b7b4-753c6151f327" Owner="Max Mustermann" LastAccessed="2010-11-07T19:07:13+01:00" />
</SearchResults>

#
 
J-H

Hi David

Thanks for your help!

I checked your answers in the other thread. "Search-MailboxAuditLog <mailbox> -ShowDetails |FT" was the necessary tip.

I am not sure if the documentation of Search-MailboxAuditLog clearly states that I have to use the parameter -ShowDetails to show the list of entries in the audit log. I assumed that the command always shows the entries in the audits folder and -ShowDetails would be necessary to see additional information.

If I include the parameter "-ShowDetails" with New-MailboxAuditLogSearch then I also get the information I was looking for.

My mistake was not to try -ShowDetails!

I have another question related to the information you provided about Admin logon in the other thread. You received the information from the subject matter expert that these logons are considered admin logons:

1. Using Discovery Search to search a mailbox

2. Using mailbox export request to export a mailbox

3. Admin uses MFCMapi to access users' mailbox

Set-Mailbox lists these options for the parameter -AuditAdmin:

None, Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, MessageBind

How can I perform a SendAs or SendOnBehalf using these three options? I haven't played with MFCMAPI, yet.

Which Exchange service is processing the New-MailboxAuditLogSearch in the background?

I assume it is the same service / process as is used by New-AdminAuditLogSearch. This web page provides the note: "After the New-AdminAuditLogSearch cmdlet is run, the report is delivered to the mailboxes you specify within 15 minutes".

I was using ExFolders to investigate the Recoverable Items folder. I noticed that I cannot use the Items view for the audit subfolder. I get the error message "Exception getting folder contents: Non-system logon cannot access Audits folder." However, I have no problem seeing the items in the Purges or Versions folder.

Do you know why this is the case?

Thanks for helping me to understand this topic.

Regards

J-H
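
An added example (not code from the thread or from Microsoft) of working with the detailed entries that -ShowDetails returns, as described in the post above: it groups entries by logon type, acting user and operation, and warns when it is handed the summary-only result shown in the first post. Get-AuditEntrySummary is a hypothetical helper name and the sample entries are constructed; LogonType, LogonUserDisplayName and Operation are assumed here to be the property names on the detailed entries.

```powershell
# Added example, not code from the thread. Get-AuditEntrySummary is a hypothetical helper.
function Get-AuditEntrySummary {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    begin { $detailed = @() }
    process {
        # Without -ShowDetails the result carries only MailboxGuid, owner and
        # LastAccessed (as in the first post), so there is no Operation value.
        if (-not $Entry.Operation) {
            Write-Warning "Summary-only result for '$($Entry.MailboxResolvedOwnerName)'; rerun with -ShowDetails."
            return
        }
        $detailed += $Entry
    }
    end {
        # One row per (logon type, acting user, operation), most frequent first.
        $detailed | Group-Object LogonType, LogonUserDisplayName, Operation |
            Sort-Object Count -Descending |
            Select-Object Count, Name
    }
}

# Constructed sample entries (not real audit data) so the function runs offline.
$sample = @(
    New-Object PSObject -Property @{ MailboxResolvedOwnerName = 'Max Mustermann'
        LogonType = 'Delegate'; LogonUserDisplayName = 'Test Delegate'; Operation = 'SendAs' }
    New-Object PSObject -Property @{ MailboxResolvedOwnerName = 'Max Mustermann'
        LogonType = 'Delegate'; LogonUserDisplayName = 'Test Delegate'; Operation = 'SendAs' }
    New-Object PSObject -Property @{ MailboxResolvedOwnerName = 'Max Mustermann'
        LogonType = 'Delegate'; LogonUserDisplayName = 'Test Delegate'; Operation = 'HardDelete' }
    # Shape of a result returned without -ShowDetails: no Operation property.
    New-Object PSObject -Property @{ MailboxResolvedOwnerName = 'Max Mustermann'
        LastAccessed = [datetime]'2010-11-07T19:07:13' }
)
$sample | Get-AuditEntrySummary

# Live use in the Exchange Management Shell, mailbox and dates as in the thread:
# Search-MailboxAuditLog -Identity mustermannm -LogonTypes Admin,Delegate -ShowDetails `
#     -StartDate 11/1/2010 -EndDate 11/8/2010 | Get-AuditEntrySummary
```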
 
Gavin-Zhang

Hi J-H,
Some information for you:
-> How can I perform a SendAs or SendOnBehalf using these three options?
A: As far as I know, we could give another user Send As/Full Access permission on the mailbox, and then that other account could Send As/Send On Behalf of the mailbox to send email; the action would be logged in the audit log.
-> Which Exchange service is processing the New-MailboxAuditLogSearch in the background?
A: As far as I know, Access Auditing is implemented in the Microsoft Exchange Store.exe process, which is the access point for mail in mailbox databases. Access Auditing represents a set of Event log events that are designed to give administrators information about mailbox resources that have been opened by users. These events are new. They do not modify existing events, which may be used for other purposes.
About your last question: the audit information is also stored in the user's mailbox, and cannot be accessed or edited by Exfolder.exe.
Regards!
Gavin
 
J-H

Thanks Gavin for your help.

#

-> How can I perform a SendAs or SendOnBehalf using these three options?

A: As far as I know, we could give another user Send As/Full Access permission on the mailbox, and then that other account could Send As/Send On Behalf of the mailbox to send email; the action would be logged in the audit log.

#

I know how to configure SendAs or SendOnBehalf. The point that I did not understand was what I have to do to have an Administrative Logon and perform a SendAs or SendOnBehalf. David wrote in the other thread:

#

When you grant another user access to a mailbox, such as granting them FullAccess using Add-MailboxPermission, that logon type is 'Delegate', even if it's from a mailbox that has administrative permissions in the organization.

#

That the store process would write the audit information to the user's mailbox makes sense. Is the store process also the process that is responsible for processing the New-MailboxAuditLogSearch request in the background (collecting the audit entries stored in the Audits folder of the mailboxes)?

Regards and thanks for help

J-H
 
Gavin-Zhang

Hi J-H,
About

-> When you grant another user access to a mailbox, such as granting them FullAccess using Add-MailboxPermission, that logon type is 'Delegate', even if it's from a mailbox that has administrative permissions in the organization.
I understand it as follows:
If one account has Full Access permission, Send As permission or administrative permission on another mailbox, the account's logon type would in every case be set to "delegate" in the audit log.
About
-> That the store process would write the audit information to the user's mailbox makes sense. Is the store process also the process that is responsible for processing the New-MailboxAuditLogSearch request in the background (collecting the audit entries stored in the Audits folder of the mailboxes)?
As far as I know, Exchange PowerShell relies on several services, and a cmdlet's actions are processed through a complex procedure.
That means there are many function scripts in the Exchange built-in scripts, then basic Windows PowerShell, then the connection to RemoteExchange, and so on.
If you want to learn more about it, some information for you:
http://technet.microsoft.com/en-us/library/dd795097.aspx
Regards!
Gavin
 