How to Track Permission Changes on Exchange Server Mailboxes

Audit Permission changes with Lepide Exchange Auditor
x
Or Deploy With Our Virtual Appliance
3 min read | Updated On - March 08, 2024
In This Article

IT compliance and security necessities require you to track Exchange Server mailbox permission changes. Anyone with full access permissions to another user’s mailbox has unrestricted access mailbox data which they can potentially compromise. If a “C” level executive’s account has been compromised, a data leakage incident can be devastating to the reputation and bottom line of the business. In this article, you will learn how to track Exchange Server mailbox permission changes (first with native auditing methods, and then with Lepide Exchange Server Auditor).

Steps to Track Exchange Server Mailbox Permission Changes Natively

Please follow below steps:

Step 1: Enable Administrator Audit Logging

Open the Exchange Management Shell. Check if “Administrator Audit Logging” is enabled by running the following command:

Get-AdminAuditLogConfig | FL AdminAuditLogEnabled
Check whether Administrator audit logging is enabled
Figure 1 Check whether Administrator audit logging is enabled

As shown in the above image, in our lab, it is already enabled.

If Administrator Audit Logging is not enabled, the AdminAuditLogEnabled attribute’s value will be “False”, in that case, you can use the following command to enable it:

Set-AdminAuditLogConfig – AdminAuditLogEnabled $true

Step 2: View Mailbox Permission Change Events

After Administrator audit logging has been enabled, all Exchange mailbox permissions change events will be logged. To view them, follow the below steps:

  1. Go to “Control Panel” ➔ “Administrative Tools” ➔ “Event Viewer”. You can also type “eventvwr” in “Run” box or at “Command Prompt” and press “Enter” key to access this window.
  2. Navigate to the “Applications and Services Logs” ➔ “MSExchange Management”.
  3. Search for the logs with cmdlet “Add-MailboxPermission”/”Remove-MailboxPermission”.

In the result, you can find all the logs with this cmdlet. To get more information about the event, double-click on it.

For example, the following “Event Properties” image taken in our lab shows a permission addition event. The cmdlet shows that “Administrator” has been given full access right over the “TestUser1’s” mailbox. To find out when the permission was granted, check the “Logged” field. To get other details, click on the “Details” tab.

mailbox permission change log in Event Viewer
Figure 2: Viewing “mailbox permission change log” in Event Viewer

Using Lepide Exchange Server Auditor to Track Permission Changes

Now, we will show you how to track the same changes using Lepide Exchange Server Auditor – hopefully demonstrating how much easier and more powerful this method is than native auditing.

As shown in the following image, the same change has been captured by Lepide’s Exchange Server auditing solution. All the relevant information (including who granted the permission, to whom it was granted, when and over which mailbox) is available in a single line record:

Mailbox permission change report
Figure 3: Mailbox permission change report

Conclusion

Lepide Exchange Server Auditor gives complete visibility into your Exchange Server mailbox permission changes. The predefined audit reports provide complete audit information that enables you to take quicker, more intelligence driven action to keep your critical servers secure from privilege abuse.

Try Lepide Exchange Auditing solution for free
x
Or Deploy With Our Virtual Appliance
Learn More...

Audit Permission changes with Lepide Exchange Auditor

x
Or Deploy With Our Virtual Appliance
Learn More...