User mailbox and shared mailbox auditing in Exchange 2013

For organizations who take data security seriously, control over information stored in mailboxes is a must. Starting with Exchange 2010, Microsoft accommodates this need by providing the “mailbox audit logging” functionality. The solution lets you track actions performed on user mailboxes and shared mailboxes by a user, as well as obtain information about his or her computer’s IP and name.


Default mailbox audit logging configuration

By default, logs are collected for every mailbox for which "mailbox audit logging" has been switched on via Exchange Management Shell (EMS). The log files are kept in individual mailboxes in the Recoverable Items folders and cannot be viewed via Outlook, OWA or any other client level access points. The default log file retention period is 90 days, but it can be easily changed using EMS. Enabling In-Place Hold or Litigation Hold for a mailbox does not affect the retention period setting.

NOTE: Most of the below information also applies to auditing in Office 365 (for more details go to: https://technet.microsoft.com/en-us/library/dn790283.aspx) and Exchange 2016.

Required permissions

To be able to manage mailbox audit logging you have to be a member of either one of these groups:

  • Organization Management
  • Records Management

Logging levels

Mailbox audit logging can track actions performed by three types of users: the mailbox owner, a mailbox delegate and an administrator. By default, when you enable auditing, only selected actions by the administrator and delegate are logged. This can be adjusted with the -AuditOwner, -AuditDelegate and -AuditAdmin parameters, each of which takes the list of mailbox actions that should be logged for that user type.

Types of actions logged by the mailbox audit mechanism

Mailbox audit logging allows you to track the following actions performed on users' or shared mailboxes by the administrator, delegate or owner (action names in square brackets):

  • [Copy] Copying an item to another folder – available for administrator and delegate;
  • [Create] Creating an item in a folder (also when an email is sent or received) – available for administrator, delegate and owner;
  • [FolderBind] Accessing a folder – available for administrator and delegate;
  • [HardDelete] Deleting an item permanently – available for administrator, delegate and owner;
  • [MessageBind] Accessing or opening an item (also in the Reading pane) – available for administrator;
  • [Move] Moving an item to another folder – available for administrator, delegate and owner;
  • [MoveToDeletedItems] Moving an item to the Deleted items folder – available for administrator, delegate and owner;
  • [SendAs] Sending a message using Send as permissions – available for administrator and delegate;
  • [SendOnBehalf] Sending a message using Send on Behalf permissions – available for administrator and delegate;
  • [SoftDelete] Deleting an item from the Deleted items folder – available for administrator, delegate and owner;
  • [Update] Updating the properties of an item – available for administrator, delegate and owner;

(for each action, some of the listed user types are tracked by default as soon as auditing is enabled; by default no owner actions are logged, which is why owner actions have to be selected explicitly with -AuditOwner)

As you can see, the mailbox audit mechanism offers a wide range of tracking options, which is more than enough for a critical business scenario such as monitoring shared mailboxes.

Enabling Mailbox audit logging

By default the Mailbox audit logging mechanism is switched off for all mailboxes. To check the current audit status of a specific mailbox, run the following command in Exchange Management Shell:

Get-Mailbox [user name] | FL


In the output you will find all the audit information related to the mailbox.

PowerShell: Output of the Get-Mailbox [user name] | FL command

As you can see above, mailbox audit logging is disabled for this specific mailbox. We can enable it using the AuditEnabled parameter. Additionally, we will adjust the log retention period and enable logging of two actions by the mailbox owner. Here is the full EMS command:

Set-Mailbox [user name] -AuditEnabled $True -AuditLogAgeLimit 60:00:00:00 -AuditOwner Move,HardDelete


When we now view the mailbox’s properties, we will see the changes introduced by the above command:

PowerShell: Output of Set-Mailbox [user name] -AuditEnabled $True -AuditLogAgeLimit 60:00:00:00 -AuditOwner Move,HardDelete

From this moment on, as intended, the log files will contain information on all actions listed in the above PowerShell output (including item moves and hard deletions performed by the mailbox owner) and will be retained for 60 days.

Important! The log files generated by the Mailbox audit mechanism may cause users’ mailboxes to grow very fast and take up a large portion of disk space. The log files are stored in the “Audits” folder in Recoverable Items and are not accessible to the user.

To enable Mailbox audit logging for multiple users, e.g. from a selected OU, execute the following PowerShell command:

Get-Mailbox | Where-Object {$_.OrganizationalUnit -eq '[domain]/[OU name]'} | Set-Mailbox -AuditEnabled $True

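The following is an added example (not a script from the original post) that combines the two steps above: it enables auditing for every mailbox in one OU with an explicit action set per logon type and retention period, then reads the settings back so a mailbox that was missed does not go unnoticed. The OU path and the 60-day limit are assumed placeholders.

```powershell
# Added example, not from the original post. Enables audit logging for all mailboxes
# in one OU with explicit per-logon-type action lists, then verifies the result.
$ou = 'contoso.local/Shared Mailboxes'   # assumed OU path in [domain]/[OU name] form

# Actions to record per logon type (names as listed in the "Types of actions" section).
$adminActions    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
$delegateActions = 'Copy','Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
$ownerActions    = 'HardDelete','Move','MoveToDeletedItems','SoftDelete'

$targets = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.OrganizationalUnit -eq $ou }

foreach ($mbx in $targets) {
    Set-Mailbox -Identity $mbx.Identity `
        -AuditEnabled $true `
        -AuditLogAgeLimit 60:00:00:00 `
        -AuditAdmin $adminActions `
        -AuditDelegate $delegateActions `
        -AuditOwner $ownerActions
}

# Re-read the settings rather than trusting the Set-Mailbox calls: any mailbox in the
# OU whose AuditEnabled is still False gets a warning so it can be fixed by hand.
$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.OrganizationalUnit -eq $ou } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Write-Warning "Auditing still disabled on $($_.Name)" }
```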

Searching logs using Exchange Management Shell

To view log entries related to a specific action, performed by a user of a selected type (owner, delegate or administrator) in a given timespan, run the following PowerShell command:

Search-MailboxAuditLog -Identity [user or shared mailbox name] -LogonTypes Owner -ShowDetails -StartDate [start date: d/m/y] -EndDate [end date: d/m/y] | Where-Object {$_.Operation -eq "[action name]"}
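As an added example (not from the original post), the search above can be turned into a small review of non-owner activity on a shared mailbox: it pulls the last seven days of Admin and Delegate events, summarises them by user, action and client IP address, and exports the full detail to CSV. The mailbox name and output path are assumed placeholders.

```powershell
# Added example, not from the original post. Summarises non-owner access to a shared
# mailbox so an unfamiliar user, action or client IP address stands out.
$mailbox = 'Sales'                          # assumed shared mailbox name
$csvPath = 'C:\Audit\Sales-nonowner.csv'    # assumed output path

# [datetime] objects avoid the d/m/y vs. m/d/y ambiguity of date strings in the EMS
# session (the server-side time-format issue described later on this page is separate).
$end   = Get-Date
$start = $end.AddDays(-7)

$events = Search-MailboxAuditLog -Identity $mailbox `
    -LogonTypes Admin,Delegate `
    -ShowDetails `
    -StartDate $start -EndDate $end `
    -ResultSize 50000

# One row per user / action / client IP; Count shows volume, LastSeen the most recent hit.
$summary = $events |
    Group-Object LogonUserDisplayName, Operation, ClientIPAddress |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User      = $first.LogonUserDisplayName
            LogonType = $first.LogonType
            Operation = $first.Operation
            ClientIP  = $first.ClientIPAddress
            Client    = $first.ClientInfoString
            Count     = $_.Count
            LastSeen  = ($_.Group | Sort-Object LastAccessed -Descending | Select-Object -First 1).LastAccessed
        }
    } | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# Keep the full detail (folders, subjects, external-access flag) for the record.
$events | Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, OperationResult,
    ExternalAccess, ClientIPAddress, ClientInfoString, FolderPathName, ItemSubject |
    Export-Csv -Path $csvPath -NoTypeInformation
```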

Searching logs using Exchange Control Panel

To search mailbox audit logs via ECP, in the ECP console go to compliance management, then auditing. Keep in mind that the ECP only lets you get information about actions performed by non-owner users.

To obtain a report on actions performed on one or more mailboxes, click Run a non-owner mailbox access report… :

Exchange admin center: Run a non-owner mailbox access report…

In the resulting window select a search start and end date, specify the mailboxes you want to search and the scope of users whose actions will be reported on, and click search:

Exchange admin center: Searching audit logs

Searching logs generated for multiple mailboxes

Starting from Exchange 2013 you can search audit logs simultaneously in multiple mailboxes and send the search results to one or more selected email addresses.

To achieve this use the below PowerShell script:

New-MailboxAuditLogSearch "[search name]" -Mailboxes "[user and/or shared mailbox name(s)]" -LogonTypes [Admin/Delegate/External/Owner] -StartDate [search start date] -EndDate [search end date] -StatusMailRecipients [email address(es)]

Example:

New-MailboxAuditLogSearch "Delegate users" -Mailboxes "Sales,Marketing" -LogonTypes Delegate -StartDate 06/19/2015 -EndDate 06/19/2015 -StatusMailRecipients auditor@example.com

Checking the amount of disk space taken up by log files

To find out how much disk space is taken up by log files for a mailbox with the mailbox audit logging mechanism switched on, run the below PowerShell script:

Get-Mailbox -Identity [mailbox name] | Get-MailboxFolderStatistics -FolderScope RecoverableItems | fl name,foldersize
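The following added example (not from the original post) extends the command above to every mailbox with auditing enabled: it reports the size of each mailbox's Audits folder, largest first, and warns where it exceeds an assumed 500 MB threshold, since these logs count towards the Recoverable Items quota.

```powershell
# Added example, not from the original post. Reports Audits folder size for every
# audited mailbox so log growth can be caught before it fills Recoverable Items.
$thresholdMB = 500   # assumed threshold; adjust to your Recoverable Items quota

function Get-AuditsFolderSizeMB {
    param([string]$Identity)
    $folder = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems |
        Where-Object { $_.Name -eq 'Audits' }
    if (-not $folder) { return 0 }
    # In a remote EMS session FolderSize arrives as text such as "12.3 MB (12,897,280 bytes)";
    # in a local session it is a ByteQuantifiedSize object. Handle both forms.
    if ($folder.FolderSize -is [string]) {
        if ($folder.FolderSize -match '\(([\d,\.]+) bytes\)') {
            return [math]::Round([double]($matches[1] -replace '[,\.]', '') / 1MB, 2)
        }
        return 0
    }
    return [math]::Round($folder.FolderSize.ToBytes() / 1MB, 2)
}

$rows = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditEnabled } |
    ForEach-Object {
        [pscustomobject]@{
            Mailbox  = $_.Name
            AuditsMB = Get-AuditsFolderSizeMB -Identity $_.Identity
            AgeLimit = $_.AuditLogAgeLimit
        }
    } | Sort-Object AuditsMB -Descending

$rows | Format-Table -AutoSize
$rows | Where-Object { $_.AuditsMB -gt $thresholdMB } |
    ForEach-Object { Write-Warning "$($_.Mailbox): Audits folder is $($_.AuditsMB) MB; consider a shorter AuditLogAgeLimit" }
```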

Known mailbox audit logging issue

Exchange 2013 administrators may encounter a problem where executing the Search-MailboxAuditLog command doesn't produce any output in the EMS console. The error can be confusing, because the console does not notify the administrator that he or she used incorrect syntax. The only visible result is the data volume increase in the "Audits" folder, as shown in the image below:

PowerShell: output of Get-Mailbox -Identity [mailbox name] | Get-MailboxFolderStatistics -FolderScope RecoverableItems | fl name,foldersize

The problem is caused by the time format settings on Exchange servers. More on the subject and solution: http://blogs.technet.com/b/criscrif/archive/2015/02/26/no-results-using-the-search-mailboxauditlog-cmdlet-with-exchange-2013-cu4.aspx

Summary

The mailbox audit logging mechanism equips the administrator with the ability to track the actions that are performed on a mailbox. It is especially useful when it comes to shared mailboxes accessed by multiple users, and any other mailboxes containing sensitive information. The mechanism allows you to determine who performed what type of actions on these mailboxes, which can prove critical when there is a need to establish responsibility for damage caused.
