How to track which emails an admin has read of another user

  • Question

  • We suspect that one of our IT staff has been reading emails of other users and need help to figure out how to prove this has actually happened.  I am not in IT, but since the issue is with our IT dept, I have been tasked with finding out how to track what is going on.

    We turned on logging for all users on our Exchange server and are getting the messages described here: http://support.microsoft.com/kb/867640

    and also understand from that article that it is not possible to determine if the user is looking at a calendar or an email with the logs.  (Mailbox Resources does not show which folder is being logged on to. For example, Mailbox Resources does not indicate whether it is the Inbox, the Calendar, or the Contacts folder.)

    The suspicion arose after the person divulged knowledge of a private HR matter that was only discussed between his direct manager and the boss in an email.  Since beginning tracking we can see that he has accessed the mailbox of both his manager and one of the doctors/our top boss 5 different times.  However, we don't feel we can let this person go without proving that he is in fact looking at emails and not the calendars.

    I read this article on the forums: http://social.technet.microsoft.com/Forums/en/exchangesvrsecuremessaging/thread/e9548dc8-1316-47da-a7d4-32f264e38131  from 2007.  It suggests using IRM software that we cannot afford.  Since it has been 5 years since that discussion took place, I am wondering if there is another option that we could use to prove what we believe is happening.  And just as the other poster mentioned, we also have a policy in place regarding appropriate use of admin rights, but since it appears this policy is being violated, we need a way to prove that before we can enact the policy of letting someone go who violates the policy.

    Does anyone have any suggestions for me?  Is there some kind of log in tracking we can enable to see what he accesses?  Is there any way to verify that he is looking at email boxes and not the calendar?

    Thanks for your time and patience, clearly I'm a novice!

    Sunday, September 9, 2012 3:47 AM

All replies

  • You'll need to enable mailbox access auditing to get an item-level audit trail.

    http://technet.microsoft.com/en-us/library/ee221156(EXCHG.80).aspx

    If he's an Exchange admin, the trick may be to get that enabled without him knowing it. 


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    • Proposed as answer by Jamestechman Monday, September 10, 2012 12:15 AM
    • Marked as answer by Noya Lau Monday, September 24, 2012 6:50 AM
    Sunday, September 9, 2012 3:53 AM
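
The procedure the linked document covers, sketched for Exchange 2007 SP2 as an added example that is not part of the original reply. The four diagnostic category names and the `Exchange Auditing` log name are the ones that Exchange version uses; the seven-day window, the `Low` level and the output path are assumptions to adjust.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2007 SP2
# Mailbox server that hosts the mailboxes in question.

# Mailbox access auditing categories under the information store.
$categories = 'Folder Access',
              'Message Access',
              'Extended Send As',
              'Extended Send On Behalf Of'

# Raise each category above its default of Lowest (which records nothing).
# 'Low' is an assumed starting point; the linked document describes what
# each level (Low, Medium, High, Expert) records.
foreach ($c in $categories) {
    Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\$c" -Level Low
}

# Confirm the levels took effect.
foreach ($c in $categories) {
    Get-EventLogLevel -Identity "MSExchangeIS\9000 Private\$c"
}

# Audit events are written to their own event log, separate from Application.
$since  = (Get-Date).AddDays(-7)            # assumed review window
$events = Get-EventLog -LogName 'Exchange Auditing' |
    Where-Object { $_.TimeGenerated -ge $since } |
    Sort-Object TimeGenerated

# How many events of each type were recorded in the window.
$events | Group-Object EventID | Select-Object Name, Count

# Keep a copy outside the server for review; the path is a placeholder.
$events |
    Select-Object TimeGenerated, EventID, UserName, Message |
    Export-Csv -Path 'C:\Audit\exchange-auditing.csv' -NoTypeInformation
```

The `Message` field of each exported event carries the details of the access, which is what distinguishes opening a message from opening a folder.
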
  • Thank you.  This is exactly what we need.  We are on Exchange Server 2003.  Does this only apply to 2007?  Is there something equivalent for 2003?

    Monday, September 10, 2012 7:12 AM
  • For 2003 you have auditing for logons and access control, and it is not as granular and user friendly as 2007\2010. Therefore you will get a lot of noisy false positives. In addition, I don't think 2003 can audit at item level, only at folder level. And even at folder level it's not user friendly, as it mentions the MAPI folder ID number and not the friendly display name.

    http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html 


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Proposed as answer by Noya Lau Thursday, September 13, 2012 8:34 AM
    • Marked as answer by Noya Lau Monday, September 24, 2012 6:50 AM
    Monday, September 10, 2012 2:10 PM