Exchange 2007 Auditing w/Cached exchange mode enabled on client
Hi, I've been asked to investigate whether an employee with admin rights is essentially looking at things she shouldn't, specifically emails she shouldn't. I have enabled Exchange Audit logging (IS9000 Private/Message Access/Medium), and can see some events that raise some eyebrows. In a 'normal' (non-cache mode) environment, a message access event would be triggered when PersonX accesses a message in this other mailbox. All well and good. In Cached mode though, them just being connected to the server would log Message Access audits on these messages even if they haven't actively read a message they shouldn't. So my question is, when a client is using cached exchange mode in either Outlook 2007 or 2010, is there a way to see if that user has explicitly accessed a message, rather than just downloaded it (due to caching). Would be very grateful for any advice on the matter. Thanks all, James D. P.S. I've since enabled Expert logging after reviewing some of the events, although the initial ones were done with Medium logging.
December 12th, 2011 7:00am

Hi, As per my knowledge, using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including administrators with full mailbox access permissions), and administrators. No matter whether your clients are cached mode, you can log mailbox accesses. For more, you can refer to the following articles: Configuration and Mailbox Access Auditing for Exchange 2007 Organizations http://technet.microsoft.com/en-us/library/ee331009(EXCHG.80).aspx#Common Exchange 2007 Mailbox Access Auditing http://www.msexchange.org/articles_tutorials/exchange-server-2007/compliance-policies-archiving/exchange-2007-mailbox-access-auditing-part1.html http://www.msexchange.org/articles_tutorials/exchange-server-2007/compliance-policies-archiving/exchange-2007-mailbox-access-auditing-part2.html Hope it helps. If you encounter any difficulties, please let us know. ThanksSophia Xu TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
December 13th, 2011 2:20am

Hi Sophia, Thanks for the reply.. Your absolutely correct, it is logging both cached and non-cached mode message access. Now I could be wrong on this, but I believe that when this staff member has the mailbox open in cached mode, each message is being downloaded to their local OST file. During one day the audit logs indicated she had read over 15,000 messages - far too many to be read by a single person, but probably spot on if they are just downloading the message.. So what I'm trying to find out is which messages this person has actually read, rather than just downloaded. I was thinking if I access a message on my android device, that message is considered read when I get back to my desk, or webmail, or wherever.. So could there be a way to log this kind of access to messages - Read / Unread statuses? It has to be logged in the DB somewhere?
December 13th, 2011 6:16am

<bump> Any suggestions anyone?
Free Windows Admin Tool Kit Click here and download it now
December 20th, 2011 5:11am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics