Exchange 2010 Auditing (Full Access Permissions)

    Question

  • Testing the Admin and Mailbox Audit logging in Exchange 2010. When setting FullAccess Permissions on a Mailbox, this action does not seem to be logged. I have reviewed the CMDlets and cannot find any that cover FullAccess Permissions. Currently at Exchange 2010 SP1 RU6. Does anyone know if you can audit FullAccess permissions using Audit logging?

    Regards,

    John

    Monday, March 12, 2012 8:17 PM

Answers

  • Hi,

    The admin audit log configuration change you specified could take up to 60 minutes to take effect.

    From my lab, I configured admin audit via

    Set-adminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *mailboxpermission -AdminAuditLogParameters *

    After that, I restart the Exchange Server and then run add-mailboxpermission -identity xxx -user user1 -accessrights fullaccess

    Then run Search-AdminAuditLog -cmdlets add-mailboxpermission.

    So for your issue, you can search the log and send it to a certain user.


    Xiu Zhang

    TechNet Community Support

    Wednesday, March 14, 2012 8:30 AM
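The following is an added example, not code from the thread: it applies the accepted answer's Set-AdminAuditLogConfig setting, then uses Search-AdminAuditLog to pull Add-MailboxPermission entries, keeps those whose AccessRights included FullAccess, and mails the result. It is meant for the Exchange 2010 Management Shell; the recipient, sender and SMTP server names are assumptions.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$reportTo   = 'secops@example.com'          # assumed report recipient
$reportFrom = 'exchange-audit@example.com'  # assumed sender address
$smtpServer = 'smtp.example.com'            # assumed SMTP relay

# 1. Audit every *-MailboxPermission cmdlet with all parameters
#    (same setting as the accepted answer; can take up to 60 minutes to apply).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets '*MailboxPermission' `
    -AdminAuditLogParameters '*'

# 2. Pull Add-MailboxPermission entries from the last 24 hours.
$since   = (Get-Date).AddDays(-1)
$entries = Search-AdminAuditLog -Cmdlets Add-MailboxPermission `
    -StartDate $since -EndDate (Get-Date) -ResultSize 5000

# 3. Keep only grants whose AccessRights parameter contained FullAccess.
#    CmdletParameters is a collection of Name/Value pairs per entry.
$fullAccess = foreach ($e in $entries) {
    $rights = ($e.CmdletParameters | Where-Object { $_.Name -eq 'AccessRights' }).Value
    $user   = ($e.CmdletParameters | Where-Object { $_.Name -eq 'User' }).Value
    if ("$rights" -match 'FullAccess') {
        New-Object PSObject -Property @{
            When      = $e.RunDate
            Admin     = $e.Caller          # who ran the cmdlet
            Mailbox   = $e.ObjectModified  # mailbox the right was granted on
            GrantedTo = $user              # account that received FullAccess
            Succeeded = $e.Succeeded
        }
    }
}

# 4. Mail the report only when there is something to report.
if ($fullAccess) {
    $body = $fullAccess | Sort-Object When | Format-Table -AutoSize | Out-String
    Send-MailMessage -To $reportTo -From $reportFrom -SmtpServer $smtpServer `
        -Subject "FullAccess grants since $since" -Body $body
}
```

Because the audit log records the cmdlet, not the resulting state, an entry with Succeeded set to False still shows an attempted grant and is worth keeping in the report.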

All replies

  • It is not being logged because there is no access occurring, just a permission is being set. Once mailbox access occurs, then you will see the event in audit logs. See if this helps: http://technet.microsoft.com/en-us/library/ff459237.aspx#Enable

    Valentin Komarovskiy Microsoft V-TSP MCITP: EA - VA - EMA - Lync - SA

    • Proposed as answer by Peddy1st Monday, March 12, 2012 9:20 PM
    Monday, March 12, 2012 8:25 PM
  • Valentin,

    I read that technet as well. I have been asked to report on whenever an Admin sets FullAccess on a Mailbox, much like SendAs. I expected that once that permission was set by the Admin it would end up in the Audit Log and then could generate a report. Do you know if that is possible?

    Regards,

    John

    Monday, March 12, 2012 8:35 PM
  • Hey, I think it is event ID 566. I would suggest that you test it beforehand, but what you can do is set up a task on the Exchange server (copy to each server) to send you an e-mail every time the event occurs. See what event ID is triggered when a full access permission is set, then create a task for that eventid to trigger an e-mail to be sent. 

    Valentin Komarovskiy Microsoft V-TSP MCITP: EA - VA - EMA - Lync - SA

    Monday, March 12, 2012 8:50 PM
  • That is unfortunate that FullAccess cannot be audited using the new AdminAuditLog. Granting FullAccess on a mailbox one would think should be reported on. I know I can run a PowerShell query and get the information on who has FullAccess permissions. If I wish to delegate the Audit Log Role in RBAC, though, the user won't be able to use the new ECP tools for auditing. I gather because SendAs triggers an Action that is why it is logged. When I move or enable a mailbox that is logged in the AdminAudit log, but not FullAccess.

    Thanks.

    John

    Monday, March 12, 2012 8:58 PM
  • John,

    This works for me.

    From the EMC, logged in as admin, I select a mailbox and change the Full Access permissions, granting it to myself:

    Here is the equivalent cmdlet in the EMS:

    Add-MailboxPermission -Identity 'CN=Zena.James,OU=Temps,DC=mynet,DC=int' -User 'MYNET\admin' -AccessRights 'FullAccess'

    In the Event Viewer, I do indeed see this action as being logged:

    Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=mynet.int/Temps/Zena.James, User=MYNET\admin, AccessRights={FullAccess}}.

    Here is an overall view:

    As you can see, this appears in the MS Exchange Management log.

    I think that these actions are now logged by default (???).

    Regardless, one way or another, you can log when an admin changes Full Access permissions. 


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, March 12, 2012 9:43 PM
  • Using RBAC, how can I get a Manager who has been delegated Audit Log Viewing permissions that information? He/she will not have permissions to view the Exchange Server event logs.

    Why would FullAccess permissions being set on a mailbox not also be logged to the Audit log? In all the searches I have done it is one of the CMDlets not available, but SendAs is, for example.

    Regards,

    John


    Monday, March 12, 2012 11:21 PM
  • Xiu Zhang,

    That seems to work. What is confusing is that you have to specify all AuditLogCmdlets; I thought the * wildcard covered them all.

    I am able to output the Audit log using PowerShell and email a report. Do you know if, in the ECP for a user who has been delegated the View Audit Log role, the same report is available in the Web console, or do they need to use PowerShell only?

    Thanks again.

    John

    Wednesday, March 21, 2012 9:05 PM