A. If you've delegated permissions so that a user can open another user's mailbox and you want to audit this type of activity, you need to enable at least a minimum level of diagnostic logging. To do so, perform these steps:
- Start the Microsoft Management Console (MMC) Exchange System Management snap-in.
- Expand your administrative group until your Exchange server is displayed in the navigation tree (Administrative Groups - Servers).
- Right-click the Exchange server and select Properties.
- Select the "Diagnostics Logging" tab.
- Under Services, select MSExchangeIS - Mailbox.
- In the Categories section, select Logons and set the logging level to Minimum, as the figure shows. Click OK.
- Click OK.
- Restart the Information Store service for the change to take effect. (This will cause a mail outage, so schedule this restart appropriately.)
Now, when a user accesses another user's mailbox, an event ID 1016 is written to the Application event log that shows who accessed which mailbox, as the figure shows. In the FAQ "How can I trigger an action to be performed when certain Windows events occur?" (http://www.windowsitpro.com/Article/ArticleID/46008/46008.html), I explained how to use Eventtriggers to trigger actions based on certain event log entries. You could therefore use a trigger to activate an action based on event ID 1016 in the Application event log. For example, to start a script called mailboxaccess.vbs, use this command:
C:\>eventtriggers /create /tr "Non-Owner Mailbox Access" /eid 1016 /l application /tk c:\scripts\mailboxaccess.vbs
The mailboxaccess.vbs script can contain any actions that you desire (e.g., send an email, page someone).
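One mailboxaccess.vbs that fits this trigger, added here as an example rather than taken from the article: it assumes the triggered task receives no event details (so the script reads the recent 1016 entries itself), and the SMTP relay, mail addresses, allowed-account list and the quoted event 1016 wording are all assumptions you would adjust for your environment.

```vbscript
' mailboxaccess.vbs: added example, not the article's own script.
' eventtriggers starts the task without passing event details, so the script reads
' recent event 1016 entries via WMI, parses who opened which mailbox, skips expected
' accounts and mails the rest to the security team.
Option Explicit
Const SMTP_SERVER = "smtp.example.com"             ' assumption: your SMTP relay
Const MAIL_TO     = "security-alerts@example.com"  ' assumption
Const MAIL_FROM   = "exchange-audit@example.com"   ' assumption
Const LOOKBACK_MINUTES = 5   ' older 1016 events were reported by an earlier run
Dim allowedAccounts   ' accounts expected to open other mailboxes (assumption)
allowedAccounts = Array("CORP\svc-backup")
Dim wmi, events, evt, dt, re, matches, account, mailbox, body, i, isAllowed, msg
' (Security) privilege is required to read event logs through WMI
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set events = wmi.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile='Application' " & _
    "AND SourceName='MSExchangeIS Mailbox Store' AND EventCode=1016")
Set dt = CreateObject("WbemScripting.SWbemDateTime")
' Assumed wording of event 1016: "Windows NT account DOMAIN\user logged on to
' mailbox /O=.../cn=Recipients/cn=owner, and is not the primary Windows NT account on this mailbox."
Set re = New RegExp
re.Pattern = "account (\S+) logged on to mailbox (.+?), and is not"
body = ""
For Each evt In events
    dt.Value = evt.TimeGenerated   ' WMI datetime string; convert to a local Date below
    If DateDiff("n", dt.GetVarDate(True), Now) <= LOOKBACK_MINUTES Then
        Set matches = re.Execute(evt.Message)
        If matches.Count > 0 Then
            account = matches(0).SubMatches(0)
            mailbox = matches(0).SubMatches(1)
            isAllowed = False
            For i = 0 To UBound(allowedAccounts)
                If StrComp(account, allowedAccounts(i), vbTextCompare) = 0 Then isAllowed = True
            Next
            If Not isAllowed Then body = body & dt.GetVarDate(True) & vbTab & account & " opened " & mailbox & vbCrLf
        End If
    End If
Next
If Len(body) > 0 Then   ' nothing to send if every recent logon was an expected one
    Set msg = CreateObject("CDO.Message")
    With msg.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2   ' 2 = SMTP over the network
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_SERVER
        .Update
    End With
    msg.From = MAIL_FROM: msg.To = MAIL_TO
    msg.Subject = "Non-owner mailbox access (Exchange event 1016)"
    msg.TextBody = body
    msg.Send
End If
```

Run it once by hand (cscript mailboxaccess.vbs) right after a test logon to another mailbox to confirm the parse matches your server's event text before attaching it to the trigger.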