How can I enable logging of user access to another user's mailbox?

A. If you've delegated permissions so that a user can open another user's mailbox and you want to audit this type of activity, you need to enable at least a minimum level of diagnostic logging. To do so, perform these steps:

  1. Start the Microsoft Management Console (MMC) Exchange System Management snap-in.
  2. Expand your administrative group until your Exchange server is displayed in the navigation tree (Administrative Groups - Servers).
  3. Right-click the Exchange server and select Properties.
  4. Select the "Diagnostics Logging" tab.
  5. Under Services select MSExchangeIS - Mailbox.
  6. In the Categories section select Logons and set logging level to Minimum, as the figure shows. Click OK.
  7. Click OK.
  8. Restart the Information Store service for the change to take effect. (This will cause a mail outage, so schedule this restart appropriately.)

Now when a user accesses another user's mailbox, an event ID 1016 is written to the Application event log that shows who accessed which mailbox, as the figure shows. In the FAQ "How can I trigger an action to be performed when certain Windows events occur?" (http://www.windowsitpro.com/Article/ArticleID/46008/46008.html), I explained how to use Eventtriggers to trigger actions based on certain event-log entries. You could therefore use a trigger to activate an action based on event ID 1016 in the Application event log. For example, to start a script called mailboxaccess.vbs, use this command:

C:\>eventtriggers /create /tr "Non-Owner Mailbox Access" /eid 1016 /l application /tk c:\scripts\mailboxaccess.vbs

The mailboxaccess.vbs script can contain any actions that you desire (e.g., send an email, page someone).
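As an added illustration (not the FAQ's own script), the parsing logic such a triggered script needs, written in Python rather than VBScript so it can be checked offline: it pulls the logon account and target mailbox out of event 1016 messages and drops accounts that are expected to open other mailboxes (backup or system accounts also raise 1016). The sample events and their wording are constructed to resemble the Exchange 2003 message format and are an assumption of this example.

```python
import re

# Constructed sample Application-log entries as (event_id, message).
# The message wording approximates Exchange 2003 event 1016 and is an
# assumption of this example, not text captured from a real server.
SAMPLE_EVENTS = [
    (1016, "Windows NT User CONTOSO\\jsmith logged on to mailbox "
           "/O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ceo, "
           "and is not the primary Windows NT account on this mailbox."),
    (1016, "Windows NT User NT AUTHORITY\\SYSTEM logged on to mailbox "
           "/O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ceo, "
           "and is not the primary Windows NT account on this mailbox."),
    (1009, "The MAPI call 'OpenMsgStore' failed with an unrelated error."),
]

# Non-greedy groups so an account containing a space (NT AUTHORITY\SYSTEM)
# and a mailbox DN containing spaces are both captured whole.
LOGON_RE = re.compile(
    r"Windows NT User (?P<account>.+?) logged on to mailbox "
    r"(?P<mailbox>.+?), and is not the primary Windows NT account"
)


def parse_1016(message):
    """Return (account, mailbox_cn) for a 1016 message, or None if it
    does not match the expected non-owner logon wording."""
    m = LOGON_RE.search(message)
    if not m:
        return None
    # The mailbox is a legacyExchangeDN; the last CN= segment is the alias.
    mailbox_cn = m.group("mailbox").rsplit("/CN=", 1)[-1]
    return m.group("account"), mailbox_cn


def non_owner_logons(events, allowlist=frozenset()):
    """Filter a sequence of (event_id, message) pairs down to the
    non-owner mailbox logons by accounts not on the allowlist."""
    hits = []
    for event_id, message in events:
        if event_id != 1016:
            continue
        parsed = parse_1016(message)
        if parsed is None or parsed[0].upper() in allowlist:
            continue
        hits.append(parsed)
    return hits


if __name__ == "__main__":
    for account, cn in non_owner_logons(SAMPLE_EVENTS, {"NT AUTHORITY\\SYSTEM"}):
        print(f"ALERT: {account} opened mailbox {cn}")
```

The allowlist should hold the accounts you have deliberately granted store access (backup agents, monitoring) so that only unexpected delegated access is paged out.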
