Hi , Can we do audit mailbox access in exchange 2007. All what I want is to see who has been accessed the perticular mailbax . Regards , PKOK

Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" -Level Low then you will see AuditEvents in Application log.

Hi Lasse, Thanks for the solution. I have enabled that today. So I will check the mail box access details in Application log incouple of days. I have another question regarding Windows 2003 certificate services . which forum do I need to use. Cheers , PKOK

I have a few questions conserning this. my first is where are these logs stored. my second is if I do raise the logging level to high how much data is going to be stored (as in will i have to dedicate aditional storage to this???) any help would be welcome.

I would like to be able to see if anyone is opening other users mailbox. I am new at this and the owners of the company want this ability to see who is snooping around. Where do I run this command?

Hi, You run the command from an exchange 2007 command shell. Leif

Hi, These events are stored in the event logs - there is no need for additional storage if you configure the event log with a size limit - it will just start all over when its full. Leif

Hi, Thanks for your command. It means that you will get audit event access for all the mailboxe of the Exchange Organization. Is there any other workaround or solution if I want to get only audit events for only one mailbox? regards Richard

Any type of access in particular? I know NetWrix Non-owner Mailbox Access Reporter monitors when administrators or other users have gained access to another user’s mailbox. And it’s free.

This is an old thread :) But anyway, Microsoft has, in the meantime, added some better auditing functionality in Service Pack 2 (SP3 has also since come out and also includes the features.) See http://msexchangeteam.com/archive/2009/09/03/452310.aspx

I am dealing with a very serious issue and want to be 110% correct (actually I hope I am wrong). What I am trying to prove\disprove is if a admin used their administrative access privledges to view calendars without the knowledge or consent of the owners. I have checked delegate assignments and he has not been granted rights to these calendars. I dont have the actual event log entry but I have the exported CSV version listed below. We are running Exchange 2007 SP3. I have changed user names and tried to sanitize the log to protect the innocent. The person in question claims he is innocent and is not abusing his admin privedges. Tried to track down what the event 10100 & 10102 means but cannot get any real proof. He also is questioning the logs themselves which were done by our internal compliance team. I really dont want to escalate this because if it does it can result in disciplinary action. We want to keep it in our department and just want to warn him. Can you advise me. 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Acces s Auditing 10100 N/A SERVERXXXX The folder /Calendar in Mailbox ''User Name'' was opened by user XXXXHQ\adminID 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9131E@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <73284C20E0FFA04CB101A78D070D595115573271D2@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91299@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129B@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91368@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91375@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91376@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91379@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9137A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID