Exchange mailboxes carry a lot of critical information that anyone can mail inside or outside the organization within a few mouse clicks. That is why they assume special significance from the point of view of compliance requirements. Microsoft has given special attention to this from Exchange 2010 SP1 version onwards. From this version onwards, administrators can audit non-owner accesses to mailboxes easily. After enable auditing, they can get the access details form mailbox access reports. It involves in two main steps in Exchange 2013:
• Enable mailbox audit logging (using Windows PowerShell cmdlets)
• Run non-owner mailbox access report (using EAC—Exchange Administration Center)
Step 1: Enable mailbox audit logging
Enable mailbox audit logging. You can enable it per mailbox. There are options for enable mailbox audit logging for all the mailboxes in the organization. The syntax for enabling audit for single mailbox and the cmdlets for enabling auditing for a mailbox named Little Johnny are :
Set-Mailbox <Identity> -AuditEnabled $true
Set-Mailbox “Little Johnny” -AuditEnabled $true
Step 2: Test whether mailbox auditing logging has been enabled
You can test whether mailbox auditing logging has been enabled. A ‘True’ value for AuditEnabled property indicates that mailbox audit logging is enabled. Use the syntax :
Get-Mailbox | FL Name,AuditEnabled
Step 3: Run a non-owner mailbox access report
Exchange 2013 has Exchange Administration Center (EAC) that permits web-based management of Exchange Server. This works with on-premises, online, and hybrid deployments of Exchange. You can run non-owner mailbox access report using EAC.
For this, go to Compliance Management⇨ Auditing; click Run a non-owner mailbox access report
Step 4: Search for non-owner access to mailboxes
Now you can search for non-owner access to mailboxes by date and logon type. Logon types are available for search are :
► Administrators – searches and finds accesses by the administrators of the organization
► Administrators and delegated users – searches and finds accesses by administrators and delegated users inside the organization
► External users – searches and finds accesses by all users outside the organization
► All non-owners – searches and finds accesses by all users including administrators, delegated users, and external users
Step 5: Explore information provided by search result
The search results provide you information like :
► Who accessed the mailbox
► When was the mailbox accessed
► What was done by the non-owner
► Which message was affected (folder location also)
► Whether succeeded in the action or not
Exchange 2013 offers quite advanced facilities for compliance management; mailbox audit logging is one among them. After enabling mailbox audit logging, administrators can run non-owner mailbox access report using the Exchange Administration Center (EAC). The steps are quite similar for Exchange Online.