Exchange 2007 audit of add-MailboxPermission

    Question

  • Hi

    We need to audit permission changes on users' mailboxes so we can prove that no one took access to another user's mailbox without permission.

    example of command that we want to catch:

    Add-MailboxPermission -Identity 'CN=User,OU=IT Users,OU=Admin Users,OU=GPO Managed Users,DC=contoso,DC=com' -User 'domain\otheruser' -AccessRights 'FullAccess'

    We can't find anyplace to catch this as it stands right now.
    Wednesday, March 25, 2009 3:38 PM

Answers

  • An Exchange mailbox is only an attribute (msExchMailboxSecurityDescriptor) of an AD user object. The best we can do to audit mailbox permissions is to audit that attribute on users. However, the information will be limited: it'll just tell who made the change, but it won't show us what kind of change was made.

    How to turn on auditing for msExchMailboxSecurityDescriptor:

    a. Open Default Domain Controllers Policy

    b. Expand "Computer Configuration" > "Windows Settings" > "Security Settings" > "Local Policies" > "Audit Policy"

    c. In the right pane, enable "Audit directory service access" and "Audit object access"

    d. Open the AD Users and Computers console

    e. Right-click the OU where you have all users > select "Properties" > in the "Security" tab, click the "Advanced" button

    f. In the "Auditing" tab, click the "Add" button, select "Everyone"

    g. In the "Properties" tab, in the "Apply onto" pull-down menu, select "User Objects" (for Windows Server 2003) | "Descendant User Objects" (for Windows Server 2008), check "Successful" and "Failed" for "Write msExchMailboxSecurityDescriptor"

    We should see events (565 or 566 for Windows Server 2003 | 4662 for Windows Server 2008) coming up in the Security log on the DC the Exchange server is connected to when the change is made. These events can give you a suspected "permission change".

    A sample of event 566:

    =========

    Event ID 566

    Category: Directory Service Access

    User: Domain\administrator (The one who made the change)

    Object Name: CN=Jamesluo, OU=Accounts, DC=domain, DC=com (The one has been changed)

    Properties: Write Property, Public Information, msExchMailboxSecurityDescriptor

    =========

    Notes: The events may be logged in circumstances where no security breach has occurred. For example, this event may be logged when a service or an add-in has to use an account that has access to all mailboxes. Examples of accounts that have access to all mailboxes are service accounts or administrator accounts. Examples of services or add-ins that have to use these kinds of accounts include antivirus software, backup agents, or Microsoft Exchange Mailbox Manager

    Notes: If this method still can't meet your needs, you may look for some monitoring software, as Amit suggested.

    • Proposed as answer by Amit Tank Friday, March 27, 2009 5:43 AM
    • Marked as answer by Amit Tank Tuesday, March 31, 2009 8:05 AM
    Friday, March 27, 2009 4:17 AM
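The steps d through g above, done with PowerShell instead of the ADUC GUI, plus the query a practitioner would run afterwards to pull the resulting 4662 events off a Windows Server 2008 (or later) DC. This is an added example, not code from the original thread; the OU distinguished name and DC name are hypothetical placeholders, and it assumes the ActiveDirectory module (for the schema lookup) and the "Manage auditing and security log" privilege on the account running it. Steps a through c (the DC audit policy) are still set through Group Policy.

```powershell
# Added example (not from the original thread). Assumptions: $UserOu and $Dc are
# placeholders for your environment; the ActiveDirectory module is available;
# the caller holds SeSecurityPrivilege, which is needed to read and write SACLs.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve a schema object's schemaIDGUID from its lDAPDisplayName. This GUID is what
    # object-specific audit ACEs carry and what shows up in the 4662 "Properties" field.
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found (is the Exchange schema present?)" }
    return [guid]$obj.schemaIDGUID
}

function Enable-MailboxSdAuditing {
    # Step g: audit ACE for Everyone, Write Property on msExchMailboxSecurityDescriptor,
    # Success and Failure, applied to descendant user objects of $UserOu.
    param([Parameter(Mandatory=$true)][string]$UserOu)
    $attrGuid = Get-SchemaGuid 'msExchMailboxSecurityDescriptor'
    $userGuid = Get-SchemaGuid 'user'
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
        -ArgumentList ([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success,Failure',
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)
    $ou = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$UserOu"
    # Fetch and write back only the SACL section, so the DACL and owner are left untouched
    $ou.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $ou.ObjectSecurity.AddAuditRule($ace)
    $ou.CommitChanges()
}

function Get-MailboxSdWriteEvents {
    # Read 4662 events from the DC's Security log and keep only those whose Properties
    # list names the msExchMailboxSecurityDescriptor attribute GUID.
    # Subject = account that wrote the descriptor, Object = user whose mailbox changed.
    param([Parameter(Mandatory=$true)][string]$Dc, [int]$Hours = 24)
    $attrGuid = (Get-SchemaGuid 'msExchMailboxSecurityDescriptor').ToString()
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Properties holds the access type token followed by property-set and attribute GUIDs, one per line
        if ($data['Properties'] -notmatch [regex]::Escape($attrGuid)) { continue }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Access  = $data['AccessMask']
            Outcome = $(if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' })
        }
    }
}

# Usage (hypothetical names):
# Enable-MailboxSdAuditing -UserOu 'OU=GPO Managed Users,DC=contoso,DC=com'
# Get-MailboxSdWriteEvents -Dc 'DC01' -Hours 24 | Format-Table Time, Subject, Object, Outcome -AutoSize
```

Two caveats worth keeping in mind. The event proves that the descriptor was written, not what ACE was added or removed, so a grant-use-revoke sequence shows up as two writes on the same object and still needs a follow-up look at the mailbox. And, as the 2012 follow-up at the end of this thread observes, the Subject can be the Exchange server's computer account rather than the administrator who ran Add-MailboxPermission; attributing the change to a person then requires logs from the Exchange side, which Exchange 2007 does not provide (administrator audit logging arrived with Exchange 2010).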
  • Well, in this case you need some real-time auditing software for the Exchange server. Check out the couple of third-party products below, which do the job you want.
    Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
    • Proposed as answer by Amit Tank Friday, March 27, 2009 5:43 AM
    • Marked as answer by Amit Tank Tuesday, March 31, 2009 8:05 AM
    Thursday, March 26, 2009 12:04 PM

All replies

  • Hey Jacob,

    You can refer to the article below to catch all mailboxes which have some Full Access permission assigned.
    HOW TO: List mailboxes with Full Mailbox Access permission assigned

    Similarly, you can check the article below to find mailboxes with Send As permission assigned.
    How To: Find All Mailboxes with Send-As Permission Assigned

    Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
    • Proposed as answer by Amit Tank Wednesday, March 25, 2009 4:04 PM
    • Unproposed as answer by Amit Tank Friday, March 27, 2009 5:43 AM
    Wednesday, March 25, 2009 4:03 PM
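The kind of report those two articles describe, run from the Exchange 2007 Management Shell, with a snapshot comparison so that a change between two runs is visible instead of having to eyeball the whole list. This is an added example, not code from the articles or the thread; the snapshot path is a hypothetical placeholder.

```powershell
# Added example (not from the linked articles). Run in the Exchange 2007 Management Shell.
# Lists explicit, non-inherited Full Access and Send As grants; NT AUTHORITY\SELF and Deny
# entries are skipped because every mailbox has them and they are not delegations.
function Get-ExplicitMailboxGrants {
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        # Full Access is stored in the mailbox security descriptor (msExchMailboxSecurityDescriptor)
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny -and
                           $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-Object PSObject -Property @{ Mailbox = $mbx.Alias; Right = 'FullAccess'; User = $_.User.ToString() } }
        # Send As is an AD extended right on the user object, so it is read with Get-ADPermission
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { ($_.ExtendedRights -like 'Send-As') -and -not $_.IsInherited -and -not $_.Deny -and
                           $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-Object PSObject -Property @{ Mailbox = $mbx.Alias; Right = 'Send-As'; User = $_.User.ToString() } }
    }
}

function Compare-MailboxGrantSnapshot {
    # Diff the current grants against the previous snapshot, then save the current state.
    # SideIndicator '=>' is a grant that appeared since the last run, '<=' one that was removed.
    param([Parameter(Mandatory=$true)][string]$SnapshotPath)   # hypothetical path, e.g. C:\Audit\grants.xml
    $current = @(Get-ExplicitMailboxGrants)
    if (Test-Path $SnapshotPath) {
        $previous = @(Import-Clixml $SnapshotPath)
        Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Mailbox, Right, User
    }
    $current | Export-Clixml $SnapshotPath
}

# Usage: schedule this daily and keep the output; an empty result means no explicit grant changed.
# Compare-MailboxGrantSnapshot -SnapshotPath 'C:\Audit\grants.xml'
```

This only catches grants that persist across two runs; a permission added, used and removed again between snapshots never appears, which is the gap the directory-attribute auditing in James's answer covers.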
  • Supplement:

    Event 1016 in the event log can help you to see both valid and invalid mailbox access (KB 812007; KB 867640)

    Thursday, March 26, 2009 3:42 AM
  • To amit:
    We have found those; the only problem is that we have to tell our auditors whether this has happened, i.e. we need the event of this happening, not just run a report on the users.
    The scenario we are after is someone takes the permission, logs on, reads something, then removes the permission again; this would not be found.

    To James:
    Kind of the same: if we audit mailbox access and the taking of ownership, not the everyday use of these privileges, since we have a lot of mailboxes and a lot of users with permissions to work on behalf of one another, we would end up with a big process of looking through the logs every day.
    Thursday, March 26, 2009 10:48 AM
  • Great James,

    Another point I noticed: the user field "User: Domain\administrator (The one who made the change)" is a computer object, "User: Domain\MailboxServer$". But I need to know the person who changed the permissions.

    Wednesday, February 08, 2012 10:27 AM