Exchange 2013 Mailbox Auditing Part I

Exchange 2013 Mailbox Auditing Part I

Since the release of MS Exchange Server 2013 I wanted to replicate the tests I described on the mailbox auditing in Exchange 2010 SP1 in my series of articles. Now I want to present you  the new version of the Mailbox Auditing Component I composed for your Exchange Server 2013.   We are going to walk through the very same steps as in the content on the Exchange Server 2010 SP1 and see if    there’s no gap between the outcomes I have got in Exchange Server 2010 SP1 and Exchange Server 2013:  the complete version of this Exchange 2010 Sp1 Mailbox Auditing Component I can find here:

1) In Exchange Management Console we provide User1 Total Access consent to User2’s mailbox:

2) …then turn on mailbox access audit for User2’s mailbox:
Set-Mailbox -Identity User2 -AuditEnabled $authentic
3) …and assess whether mail entry auditing is switched on:
Get-Mailbox User2 |FL *audit*
4) Pay close attention to what actions are audited by default since we’re likely to utilize the delegate access Update, SoftDelete, HardDelete, SendAs and Produce actions will likely be audited by default mailbox access is enabled for a specific mailbox. So to be able to audit the access to User2’s mailbox we must add FolderBind action to the record of already audited actions
Set-Mailbox -Identity User2 -AuditDelegate Update,SoftDelete,HardDelete,SendAs,Produce,FolderBind -AuditEnabled $authentic
and confirm they have been applied correctly:
Get-Mailbox User2 |FL *audit*
5) Now let’s begin Outlook and log on to User1’s mailbox. Outlook will open the extra User2’s mailbox for User1 automatically:
Attention! Since you can see this screen shot displays the Administrator’s profile together with the User1’s   additional mailbox (wich in turn includes a Full Control permission on User2’s mailbox)    I was not able to create a separate profile for your User1. You may read about it here:
For our test we could assume we’re employing a User1 profile   since we’ll audit only User1 access into this User2’s mailbox.
5) Now let’s check if any log documents was generated when Outlook was launched:
Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 7/1/2013 -EndDate 7/6/2013 -ResultSize 2000

Yes here we could see a description of the fact that User2’s mailbox was accessed by somebody. As our goal is to get all availabale information about Delegate accessibility to User2’s mailbox we ought to add -ShowDetails into the previuos command:

6)Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 7/1/2013 -EndDate 7/6/2013 -ResultSize 2000-ShowDetails

Let’s see how we could get this information in the ECP:

Log into ECP under consideration that is a member of Exchange Organization Management category or Records Management category (for instance, Administrator accounts) and click on “Run a non-owner mailbox access report”
Please also look closely at the amount of “Open folder” surgeries per single audit event:  EACH mailbox folder was accessed through the logon into the mailbox. Furthermore, through the test I conducted Outlook many occasions but ther’s only 1 audit event: that is due to the consolidation of actions done by delegates as explained:
“** Entries for folder rotational activities performed by delegates are consolidated. 1 log entry is generated for individual folder access in a time span of three hours.”


within this report we researched MS Exchange Server 2013 audit capabilities in regard to the delegate access: both the Exchange PowerShell cmdlet (unlike in my prior test with Exchange Server 2010 SP1) and the ECP screen the right outcomes.