Understanding the details of user mailbox access is very important to knowing what is going on within an Exchange environment. Being able to proactively audit mailbox access has become critical to the technology world we live in today due to the constant threat of security vulnerabilities. Environmental threats can come from inside or outside of our organizations.
So, what kind of information can you obtain if you are auditing user mailboxes?
When auditing is enabled, Exchange Administrators will know when a mailbox owner, delegate or administrator mailbox login has occurred, and what actions were taken while the user was logged in. This includes:
Whether a mailbox folder was accessed
If a message was permanently deleted or just sent to the deleted items folder
If an email was sent based upon the Send As permission
If an email was sent using Send On Behalf permission
Whether an email was moved to another folder
If the message properties were updated
And more
The audit logs will be available for 90 days unless the default setting is changed to something more appropriate for your organization.
To begin auditing mailboxes, Microsoft has provided the ability to enable this functionality on a user-by-user basis. This is done by opening the Exchange Management Shell and running the following command.
Set-Mailbox -identity FillInUserAlias -AuditEnabled $True
Automating for the Users in your Organization
Depending on the size of your organization, it may not be realistic to set this up manually for each person, especially if you want to enable auditing for everyone employed there. Below you will find the PowerShell syntax required to accomplish this. The script can be run as a scheduled task to enable auditing for your organization’s mailboxes, and then run routinely to ensure that any new users in your environment also have auditing enabled. Please note that the script and scheduled task details below assume that mailbox auditing for newly added users will be enabled every evening.
To get started, copy the following script into Notepad and save it as ExchangeAudit.ps1. Make sure the .ps1 file is saved to C:\Tasks on your Exchange server. The script also writes to C:\Tasks\ExchangeAuditReport and C:\Tasks\ExchangeAudit, so you need to create a matching folder structure for it to work.
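# Date-stamped report of the mailboxes that are about to have auditing enabled
$auditreport = Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $false} | Select-Object Alias | Export-Csv "C:\Tasks\ExchangeAuditReport\AddedAuditing_$((Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')).csv" -NoTypeInformation
# Working list of the same mailboxes, overwritten on every run
$auditfile = Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $false} | Select-Object Alias | Export-Csv -Path "C:\Tasks\ExchangeAudit\mailboxes.csv" -NoTypeInformation
# Read the aliases back, stripping the quotes and skipping the CSV header row
$data = Get-Content "C:\Tasks\ExchangeAudit\mailboxes.csv" | ForEach-Object {$_ -replace '"', ""} | Select-Object -Skip 1
if ($null -eq $data)
{
    # No mailbox is missing auditing, so there is nothing to change
    $ErrorActionPreference = "Stop"
}
else
{
    foreach ($a in $data)
    {
        Set-Mailbox -Identity $a -AuditEnabled $true
    }
}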
The script variables explained:
$auditreport will create a date-stamped csv file that can be referenced later to see which users had auditing enabled and on what date this was completed.
$auditfile is a separate file that will be overwritten each time the script runs. This file will have a list of all the users that the script will run against.
$data will get the relevant content from the csv file and enable auditing for the users in the list.
$ErrorActionPreference is set when there are no users in the file; in that case the loop is skipped and the script ends without changing any mailbox.
Now that we have our PowerShell script, we will want to create a Windows Server 2008 scheduled task to run the script on the interval you choose. For this example, it will be set up to run nightly.
Create a scheduled Task to execute the newly created exchangeaudit.ps1
Upon completion of this series of steps, the script will run on the scheduled interval of your choice and enable auditing for all users in your organization. Then, as it runs nightly, it will continue to enable auditing for newly created accounts on a daily basis. Each run also produces a date-stamped report listing the Alias of every user that had auditing enabled that day.
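To confirm that the nightly task is doing its job, the following added example (not part of the original script) reports mailboxes that still have a gap in audit coverage: auditing disabled, audit log retention below a minimum, or an empty AuditOwner list, which means the owner's own actions are not recorded even with AuditEnabled set. Get-MailboxAuditGap is a hypothetical helper name, the sample mailboxes are constructed, and the code assumes the AuditEnabled, AuditLogAgeLimit and AuditOwner properties as returned by Get-Mailbox.

```powershell
# Added example: Get-MailboxAuditGap is a hypothetical helper, not part of the original script.
function Get-MailboxAuditGap {
    [CmdletBinding()]
    param(
        # Mailbox objects, for example from: Get-Mailbox -ResultSize Unlimited
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox,
        # Minimum acceptable audit log retention in days (90 is the default noted above)
        [int]$MinRetentionDays = 90
    )
    process {
        $issues = @()
        if (-not $Mailbox.AuditEnabled) {
            $issues += 'AuditingDisabled'
        }
        # AuditLogAgeLimit prints as "90.00:00:00"; parsing the string form also
        # works on deserialized objects from a remote session.
        $age = [timespan]::Parse([string]$Mailbox.AuditLogAgeLimit)
        if ($age.TotalDays -lt $MinRetentionDays) {
            $issues += 'RetentionBelowMinimum'
        }
        # Filter out nulls first: @($null).Count is 1, not 0
        $ownerActions = @($Mailbox.AuditOwner | Where-Object { $_ })
        if ($ownerActions.Count -eq 0) {
            $issues += 'OwnerActionsNotAudited'
        }
        # Emit a row only for mailboxes that have at least one gap
        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                Alias  = $Mailbox.Alias
                Issues = ($issues -join ';')
            }
        }
    }
}

# Constructed sample data standing in for Get-Mailbox output
$sample = @(
    New-Object PSObject -Property @{ Alias = 'jdoe';   AuditEnabled = $true;  AuditLogAgeLimit = '90.00:00:00'; AuditOwner = @('HardDelete') }
    New-Object PSObject -Property @{ Alias = 'asmith'; AuditEnabled = $false; AuditLogAgeLimit = '90.00:00:00'; AuditOwner = @() }
    New-Object PSObject -Property @{ Alias = 'bwong';  AuditEnabled = $true;  AuditLogAgeLimit = '30.00:00:00'; AuditOwner = @() }
)

# jdoe passes; asmith and bwong are reported with their issues
$sample | Get-MailboxAuditGap | Format-Table Alias, Issues -AutoSize

# On the Exchange server, replace the sample with live data:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap
```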
HAPPY AUTOMATING!