
Exchange – Audit Full Access Permission on Mailboxes

Recently I came up against the need to check whether a particular user is granting themselves the Full Access permission on other users' mailboxes. This user might be a newly hired administrator, one who is leaving, or simply a compromised account; regardless, this is the best way I have found to do it. Because Exchange is, in my opinion, lacking some auditing features, the procedure is a bit long-winded. For this example I am using Exchange 2010 and Server 2008 R2.

  • On your Exchange server open Server Manager and expand the Diagnostics heading.
  • Expand Event Viewer.
  • Expand Applications and Services.
  • Click MSExchange Management.
  • On the right-hand side click Filter Current Log.
  • When the dialog box opens, the only selection you need to make is to change the “Logged” drop-down box to “Last 7 Days”, then click OK.
  • You are now looking at the last 7 days of Exchange management logs.
  • From here, select Find on the right-hand side.
  • The string we are looking for is as follows; just replace USER with the user you are auditing:
  • DOMAIN\USER, InheritanceType=All, AccessRights={FullAccess}}.
  • Now, by pressing “Find Next”, we can step through every time the user added themselves to another user's mailbox. The event will display as follows:
  • Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=domain.name/OU/OU/MAILBOX, User=DOMAIN\USER, AccessRights={FullAccess}}.

    USER = The user that added the permission.
    MAILBOX = The mailbox that had the permission added to it.
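The same search can be scripted so it does not depend on clicking through Event Viewer. The following is an added example (not from the original post): it reads the MSExchange Management log with Get-WinEvent for the last N days, parses each Add-MailboxPermission event using the message layout quoted above, and keeps only FullAccess grants to the user being audited. The function names, the regular expression and the sample message are assumptions of this example, not Exchange's own.

```powershell
# Added example: audit Full Access grants recorded in the MSExchange Management log.
# Assumes the message format quoted in the post; run on the Exchange server.

function ConvertFrom-MailboxPermissionEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    # Only Add-MailboxPermission events are of interest here.
    if ($Message -notmatch 'Cmdlet Add-MailboxPermission,') { return $null }
    # Identity (the mailbox), User (the grantee) and AccessRights from the parameter list.
    # Assumes canonical identities (domain/OU/name) with no embedded commas.
    $pattern = 'Identity=(?<Mailbox>[^,}]+).*?User=(?<User>[^,}]+).*?AccessRights=\{(?<Rights>[^}]+)\}'
    if ($Message -match $pattern) {
        return [pscustomobject]@{
            TimeCreated = $TimeCreated
            GrantedTo   = $Matches['User'].Trim()
            Mailbox     = $Matches['Mailbox'].Trim()
            Rights      = $Matches['Rights'].Trim()
        }
    }
    return $null
}

function Find-FullAccessGrants {
    param(
        [string]$User,     # e.g. 'DOMAIN\USER'; omit to list every grantee
        [int]$Days = 7
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'MSExchange Management'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $grant = ConvertFrom-MailboxPermissionEvent -Message $e.Message -TimeCreated $e.TimeCreated
        if ($null -eq $grant) { continue }
        if ($grant.Rights -notmatch 'FullAccess') { continue }
        if ($User -and $grant.GrantedTo -ne $User) { continue }
        $grant
    }
}

# Constructed sample message in the format quoted in the post, to exercise the parser offline.
$sample = 'Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=domain.name/OU/OU/MAILBOX, User=DOMAIN\USER, AccessRights={FullAccess}}.'
ConvertFrom-MailboxPermissionEvent -Message $sample | Format-List

# Live query on the server: every Full Access grant to DOMAIN\USER in the last 7 days.
# Find-FullAccessGrants -User 'DOMAIN\USER' -Days 7 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Leaving out -User lists every Full Access grant in the window, which is useful for spotting a grantee you did not expect.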

    Hope this helps