Audit Mailbox access Exchange 2010

  • Question

  • Hi,

    I've enabled mailbox auditing on my mailbox (for test purposes) in an Exchange 2010 environment, and I want to be able to see when another account simply opens my mailbox (like in Outlook => file => open => folder of other user => inbox of the user). The problem is that when I test this with another account opening my mailbox, I see nothing in the log entry (when checking it via the ECP). But if I delete a mail or something, I do see a log entry.

    However, if I look here: http://technet.microsoft.com/en-us/library/ff459237.aspx

    It says FolderBind is enabled by default when enabling auditing on a mailbox. So I should be able to see it when I access a mailbox.

    But I see nothing in the ECP when I simply access the mailbox.

    Is my assumption correct, or should I do something else to enable the access logging? Or to view it?


    Don't forget about Alt+Esc!
    Friday, January 13, 2012 10:56 AM

All replies

  • Have you looked at this article?

    http://www.howexchangeworks.com/2009/09/mailbox-access-auditing-in-exchange.html


    Regards Herbert Zimbizi
    Friday, January 13, 2012 12:10 PM
  • Thx for the replies.

    Herbert, your link is for Exchange 2007.

    Girish, your first link I had already seen, but no help there :s

    Your second link is just a copy of TechNet, where I found that it should log the access, but I can't see any entries for mailbox access in ECP.


    Don't forget about Alt+Esc!
    Friday, January 13, 2012 4:02 PM
  • The problem is when I test this with another account opening my mailbox

    Hi Weslee,

    How did you delegate permission to another account? I guess you want to log mailbox access by delegates.

    I tested it in my lab (Exchange 2010 SP2):

    If you run the cmdlet Get-Mailbox yourmailbox | fl *audit*, the property AuditDelegate doesn't contain FolderBind.

    Please run the cmdlet Set-Mailbox yourmailbox -AuditDelegate @{add = "FolderBind"} to add the value.

    Modifying Multivalued Properties


    Frank Wang

    TechNet Community Support

    Monday, January 16, 2012 8:04 AM
  • Well, you see, the thing is I accessed the mailbox using the administrator account. That account always gets the FolderBind logged (when I try your command on AuditAdmin it also says so). But when I try & view it in ECP I see nothing. Only when I delete a mail does it get registered. I haven't tried it yet using a delegate, but I want it to work when an admin account opens a mailbox. ARGh ;)
    Don't forget about Alt+Esc!
    Monday, January 16, 2012 1:33 PM
  • I haven't tried it yet using a delegate, but I want it to work when an admin account opens a mailbox. ARGh

    Hi Weslee,

    As I know, if an admin opens another mailbox, the mailbox should be considered to be accessed by a delegate.

    And TechNet also said: Using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including administrators with full mailbox access permissions), and administrators.

    Mailboxes are considered to be accessed by an administrator only in the following scenarios:

    • Discovery search is used to search a mailbox.

    • The New-MailboxExportRequest cmdlet is used to export a mailbox.

    • Microsoft Exchange Server MAPI Editor is used to access the mailbox.

    Understanding Mailbox Audit Logging

    Frank Wang

    TechNet Community Support


    • Edited by emma.yoyo Tuesday, January 17, 2012 1:51 AM
    • Marked as answer by Weslee db Tuesday, January 17, 2012 7:10 AM
    Tuesday, January 17, 2012 1:51 AM
  • Hi Frank,

    It seems you are correct: now that I've enabled FolderBind for delegates, it shows that an administrator opened the mailbox.

    It is still very confusing, since admin FolderBind is enabled by default but apparently doesn't do what I would expect it to do (could be me :))

    Anyway, thx a lot, I'm very happy this is resolved ;)


    Don't forget about Alt+Esc!
    Tuesday, January 17, 2012 7:10 AM
  • As a follow-up, it seems that it takes a long time before you see any access activity in the logs (using ECP).

    Deleting mails etc. I saw immediately in the logs, but yesterday I accessed the mailbox & again saw nothing in the logs. I waited until this morning to check again & then I saw the access entries in the logs.

    Hope this info helps anybody else with this "problem" :)


    Don't forget about Alt+Esc!
    Wednesday, January 18, 2012 7:08 AM
  • Deleting mails etc. I saw immediately in the logs, but yesterday I accessed the mailbox & again saw nothing in the logs. I waited until this morning to check again & then I saw the access entries in the logs.

    Hi Weslee,

    I think this is the cause:

    FolderBind   Yes**

    ** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours.


    Frank Wang

    TechNet Community Support

    Thursday, January 19, 2012 1:51 AM
  • Yes, I've read that too. But I did enter the mailbox @ 9:52 with another account & I didn't see any entry during the rest of the day (last time I checked was around 18h).

    Oh well, doesn't matter, it works now & that's the most important bit.


    Don't forget about Alt+Esc!
    Thursday, January 19, 2012 2:36 PM
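
The check, fix and verification discussed in this thread, gathered into one Exchange Management Shell script. This is an added example, not code posted by any participant; `yourmailbox` is the placeholder identity from the thread, and the two-day search window is an assumption chosen because the thread reports access entries showing up late.

```powershell
# Added example: confirm that delegate FolderBind is audited, enable it if
# it is missing, then list non-owner folder access from the audit log.
# Run in the Exchange Management Shell (Exchange 2010 SP1 or later).
$Identity = 'yourmailbox'   # placeholder identity used in the thread

# 1. Current audit configuration of the mailbox.
$mbx = Get-Mailbox -Identity $Identity
$mbx | Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# 2. Mailbox auditing must be enabled before anything is logged.
if (-not $mbx.AuditEnabled) {
    Set-Mailbox -Identity $Identity -AuditEnabled $true
}

# 3. An administrator who opens the mailbox through full-access permission
#    is logged as a delegate, so FolderBind has to be in AuditDelegate,
#    not only in AuditAdmin.
$delegateOps = @($mbx.AuditDelegate | ForEach-Object { $_.ToString() })
if ($delegateOps -notcontains 'FolderBind') {
    Set-Mailbox -Identity $Identity -AuditDelegate @{Add = 'FolderBind'}
}

# 4. Search for folder access by anyone other than the owner.
#    Delegate FolderBind entries are consolidated (one entry per folder
#    within three hours), so expect fewer rows than actual opens.
$since = (Get-Date).AddDays(-2)   # assumed window, widen as needed
Search-MailboxAuditLog -Identity $Identity -LogonTypes Delegate, Admin `
        -ShowDetails -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.Operation -eq 'FolderBind' } |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonType, LogonUserDisplayName, FolderPathName -AutoSize
```

Only access that happens after step 3 is recorded; earlier opens by a delegate or full-access administrator will not appear retroactively.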