Introduction
Granting full access permissions to a mailbox in Exchange Server should be well justified. Having received these permissions, users gain access to the mailbox content and can delete it or move it to another location. Misuse of full access permissions may lead to data loss and leaks.
http://start.netwrix.com/how_to_detect_full_access_permission_changes_to_exchange_mailbox.html
Steps (5 total)
Open the Exchange Management Shell, and run the following cmdlets:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-AdminAuditLogConfig -LogLevel Verbose (for Exchange 2013)
Run eventvwr.msc → Applications and Services Logs → MSExchange Management, and search for events that contain the cmdlet “Add-MailboxPermission” or “Remove-MailboxPermission”. These events show who changed mailbox permissions, when it happened, which mailbox was affected, and what kind of access was given to whom.
You can also find this information in the Exchange Admin Center in your browser → Compliance Management → Auditing → click “View the administrator audit log”.
Alternatively, use PowerShell: open the Exchange Management Shell and run the following cmdlet:
Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Remove-MailboxPermission
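The search above returns every mailbox permission change. The following added example (not part of the original how-to) narrows the result to FullAccess changes and reports who made the change, when, on which mailbox and for which user. The 7-day window and the result size of 5000 are assumed values; adjust them to your retention and volume.

```powershell
# Added example: run inside the Exchange Management Shell with admin audit logging enabled.
# Assumption: look back 7 days; change to match your review cycle.
$since = (Get-Date).AddDays(-7)

$entries = Search-AdminAuditLog `
    -Cmdlets Add-MailboxPermission, Remove-MailboxPermission `
    -StartDate $since -EndDate (Get-Date) -ResultSize 5000

$report = foreach ($entry in $entries) {
    # CmdletParameters is a list of Name/Value pairs; flatten it into a hashtable.
    $params = @{}
    foreach ($p in $entry.CmdletParameters) { $params[$p.Name] = $p.Value }

    # Skip changes that do not involve FullAccess (for example SendAs or ReadPermission only).
    if ($params['AccessRights'] -notmatch 'FullAccess') { continue }

    [pscustomobject]@{
        When      = $entry.RunDate          # when the cmdlet was run
        ChangedBy = $entry.Caller           # account that ran the cmdlet
        Action    = $entry.CmdletName       # Add- or Remove-MailboxPermission
        Mailbox   = $entry.ObjectModified   # mailbox whose permissions changed
        Grantee   = $params['User']         # user who gained or lost access
        Rights    = $params['AccessRights']
        Succeeded = $entry.Succeeded
    }
}

# Newest changes first; pipe to Export-Csv instead to keep a record for review.
$report | Sort-Object When -Descending | Format-Table -AutoSize
```

Entries where ChangedBy and Grantee are the same account, or where the change falls outside an approved request, are the ones to review first.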
Conclusion
Works well for Microsoft Exchange 2010 and above.