Auditing Folder Permissions Changes

  • Question

  • Is there any way to audit/log changes users make to their own mailboxes' folders? I have Exchange auditing configured as such:

    AuditEnabled     : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create}
    AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}

    And while I can see FolderBinds delegates make, I cannot see folder creations/deletions/changes.

    I'm being asked to track who is granting and removing permissions to certain users' folders and have found no way to do this.

    Is there a certain logging level I can turn on for the information store that would provide this information in the Windows event log? I can find no detailed documentation on the different information provided by different logging level settings.

    Any help is much appreciated!

    Thank you!

    Friday, July 22, 2016 2:48 PM

Answers

  • I know of no way of doing this in the standard product.  I suppose you could write a script to collect all those settings, store them in a database, and then report when changes are made.  You didn't ask, but it sure sounds like you work for a control freak.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, July 25, 2016 5:53 AM
  • Hi,

    FolderBind (A mailbox folder is accessed). It will not log the permission change on mailbox folder or folder creations/deletions/changes.

    Per my experience, I agree with Ed. We can monitor critical changes made to mailboxes’ permissions like Full Access, Read or Write with details of the user who changed the permission. We can generate custom event log entries which track permission changes on the mailboxes. But I cannot find a way to audit permissions changes to certain users’ folders so far.

    For more detailed information about how to monitor the permissions changes to mailbox, please refer to the following thread:

    https://social.technet.microsoft.com/Forums/en-US/c7537642-fdf4-451b-b1ad-09e9ffc2d130/exchange-2007-audit-of-addmailboxpermission?forum=exchangesvrsecuremessaginglegacy

    Best regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, July 25, 2016 8:03 AM
    Moderator
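
As an added example (not part of the original thread, and not Microsoft's code), the snapshot-and-compare approach suggested in the first answer, written for the Exchange Management Shell. The mailbox list, the C:\FolderPermAudit path and the function name Get-FolderPermissionSnapshot are assumptions; Export-Csv -Append needs PowerShell 3.0 or later.

```powershell
# Added example: snapshot mailbox folder permissions and report differences between runs.
$Mailboxes   = 'user1@example.com', 'user2@example.com'   # placeholder mailboxes to watch
$SnapshotDir = 'C:\FolderPermAudit'                        # placeholder storage location
New-Item -ItemType Directory -Force -Path $SnapshotDir | Out-Null

function Get-FolderPermissionSnapshot {   # hypothetical helper name
    param([string[]]$Mailbox)
    foreach ($mbx in $Mailbox) {
        foreach ($folder in Get-MailboxFolderStatistics -Identity $mbx) {
            # Folder identity syntax is "mailbox:\path"; the root folder is "mailbox:\"
            $path = if ($folder.FolderType -eq 'Root') { '\' }
                    else { $folder.FolderPath.Replace('/', '\') }
            # Folders that cannot carry permissions return an error and are skipped
            $perms = Get-MailboxFolderPermission -Identity "${mbx}:$path" -ErrorAction SilentlyContinue
            foreach ($p in $perms) {
                [pscustomobject]@{
                    Mailbox = $mbx
                    Folder  = $path
                    User    = [string]$p.User   # string form, so it survives the CSV round trip
                    Rights  = ($p.AccessRights | ForEach-Object { "$_" } | Sort-Object) -join ','
                }
            }
        }
    }
}

$current  = @(Get-FolderPermissionSnapshot -Mailbox $Mailboxes)
$lastFile = Join-Path $SnapshotDir 'last.csv'

if (Test-Path $lastFile) {
    $previous = @(Import-Csv $lastFile)
    if ($previous.Count -and $current.Count) {
        # '=>' rows exist only in the new snapshot, '<=' rows only in the old one.
        # A changed right shows up as one Removed row plus one Granted row.
        Compare-Object $previous $current -Property Mailbox, Folder, User, Rights |
            Select-Object @{n='Detected'; e={ Get-Date -Format s }},
                          @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'Granted' } else { 'Removed' } }},
                          Mailbox, Folder, User, Rights |
            Export-Csv (Join-Path $SnapshotDir 'changes.csv') -Append -NoTypeInformation
    }
}

# Keep the current state as the baseline for the next run
$current | Export-Csv $lastFile -NoTypeInformation
```

Run on a schedule, this records what changed between two runs and when the change was detected; it cannot show which account made the change.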

All replies

  • To your concern, you can check out this informative article which provides stepwise instructions to detect who changed permission on files and folders - http://community.spiceworks.com/how_to/125516-how-to-detect-who-changed-permission-on-file-servers

    Organizations who want to increase their visibility as to what's happening in their IT environments but are perhaps limited on time, resources or budget. Lepide 2020 audit & change control suite provides instant access to see who, what, where and when changes are being made to Active Directory, Group Policy, SQL Servers, SharePoint, File Servers, Exchange Servers and more.

    Monday, July 25, 2016 6:40 AM
  • That doesn't apply to mailbox folders, Andres pamova.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, July 25, 2016 7:31 AM
  • Thank you all for your responses - These are the same conclusions I had come to after researching on and off for a few months.

    And yes I do, unfortunately ;)

    Wednesday, August 3, 2016 2:52 PM