Exchange Auditing can be enabled to collect important information related to logons, logoffs, permissions and more. You enable Exchange Auditing by configuring both the Domain Controllers and the Exchange Server.
Configuring Exchange Servers
Use Exchange System Manager to configure Exchange Server 2003
Use Exchange Management Shell to configure Exchange Servers
Use Exchange Management Console to configure Exchange Servers
Configuring Domain Controllers
Configuring Exchange Servers
To configure,
Click on "Server Configuration" in the left pane.
Under the Exchange Server tab, configure Diagnostic logging to gain access to Mailbox Logon Reports. The Diagnostic logging settings determine which additional Exchange events are written to the Application Event log. Diagnostic logging can be configured for each service separately on an Exchange server.
Use Exchange System Manager to configure Exchange Server 2003
Open System Manager from Start -> Programs -> Microsoft Exchange.
Navigate to Administrative Group. Right click on the server and select "Properties".
Under the Diagnostic logging tab, select MSExchangeIS --> Mailbox service in the Services list.
In the Categories list, select Logons category and set the logging level to Maximum.
Click OK.
Diagnostic Logging can also be configured using either the Exchange Management Shell or the Exchange Management Console on Exchange Servers 2007 and 2010, as given below.
Use Exchange Management Shell to configure Exchange Servers
Open Exchange Management Shell from Start -> Programs -> Microsoft Exchange.
Configure the logging level to Expert for MSExchangeIS\9000 Private service, Logons category using the following command.
Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" -Level Expert
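The same setting applied to every Mailbox server and then read back to confirm it, as an added example that is not part of the original page. It assumes Windows PowerShell 2.0 in the Exchange Management Shell; the helper function and variable names are hypothetical.

```powershell
# Added example, not from the original page. Run in the Exchange Management
# Shell on Exchange 2007/2010 (assumes Windows PowerShell 2.0 for try/catch).
$Category = 'MSExchangeIS\9000 Private\Logons'  # category named in the step above
$Wanted   = 'Expert'                             # level named in the step above

# Hypothetical helper: current level of the Logons category on one server.
function Get-LogonsLevel {
    param([string]$Server)
    $entry = Get-EventLogLevel -Identity "$Server\$Category" -ErrorAction Stop
    return "$($entry.EventLevel)"
}

$report = foreach ($mbx in Get-MailboxServer) {
    $name   = $mbx.Name
    $before = $null; $after = $null; $note = ''
    try {
        $before = Get-LogonsLevel -Server $name
        if ($before -ne $Wanted) {
            Set-EventLogLevel -Identity "$name\$Category" -Level $Wanted -ErrorAction Stop
        }
        # Read the value back rather than trusting the Set call.
        $after = Get-LogonsLevel -Server $name
    } catch {
        # Unreachable server or missing permissions: record it, keep going.
        $note = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Server = $name; Before = $before; After = $after
        Compliant = ($after -eq $Wanted); Note = $note
    }
}

$report | Select-Object Server, Before, After, Compliant, Note | Format-Table -AutoSize

# A server left at a lower level will not write the additional logon events,
# so list every server that did not end up at the expected level.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.Server): Logons level is '$($_.After)' $($_.Note)"
}
```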
Use Exchange Management Console to configure Exchange Servers
In Exchange Server 2007, the Exchange Management Console can be used for SP2 or later. For SP1 and earlier versions, use the Exchange Management Shell.
Open Exchange Management Console from Start -> Programs -> Microsoft Exchange
In the console tree, click Server configuration.
In the action pane, right click on the server and select Manage Diagnostic Logging Properties.
On the Configure Server Diagnostic Logging Properties page, click Update logging levels for services.
Select the MSExchangeIS --> 9000 Private service, Logons category and set the logging level to Expert.
Click Configure.
Configuring Domain Controllers
Under the Domain Controller tab, configure the Default Domain Controller Policy and object-level auditing to gain access to the Mailbox Properties and Mailbox Permission Change reports.
Log on using an administrative account.
On Windows 2003, select Default Domain Controller Security Settings from Start -> Administrative tools.
On Windows 2008, open Group Policy Management from Start -> Administrative tools.
Navigate to ForestName -> Domains -> DomainName -> Group Policy Objects -> Default Domain Controller Policy and right click to Edit it.
Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies.
Select Audit Policy.
In the right pane, double click the following policies and enable both the "Success" and "Failure" settings:
Audit directory service access
Audit object access
Click OK.
Open Active Directory Users and Computers from Start -> Administrative Tools.
Select Advanced Features from View menu to view the advanced security settings.
In the left pane, right click on the Domain and select "Properties".
Under the Security tab, click "Advanced" to open the "Advanced Security Settings for Domain" window.
Under the Auditing tab, click "Add" to add the security principal to which the auditing entry will be applied.
Enter the object name as "Everyone" and click OK. This opens the "Auditing Entry for the domain" window.
Select the following Access entries:
Write All Properties
Delete
Modify Permissions
All Extended Rights
Specify the Apply Onto field as follows:
On Windows Server 2003, select "User Objects".
On Windows Server 2008, select "Descendant User objects".
Select the type as "Successful".
Click OK.