Auditing Mailbox Access


Sooner or later, executives and other users with sensitive information will request some sort of special handling of their mailboxes.  For example, not long ago I was tasked with finding a way of making the mailboxes of senior execs inaccessible (even from an admin point of view) to all except the execs themselves.

Of course, this wasn’t practical and died a quiet death.  But the idea of knowing who (or what process) accesses a mailbox is very practical with Exchange 2010.

This TechNet article describes the process…

Because mailboxes can potentially contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it’s important that you track who logs on to the mailboxes in your organization and what actions are taken. It’s especially important to track access to mailboxes by users other than the mailbox owner. These users are referred to as delegate users.

By using mailbox audit logging, you can log mailbox access by mailbox owners, administrators, and delegates (including administrators who have full mailbox access permissions). Mailboxes are considered to be accessed by an administrator only in the following scenarios:

[…]

full here…
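As an added example (it is not from the original post or the TechNet article it quotes), the Exchange Management Shell commands below turn on mailbox audit logging for one executive mailbox, confirm the setting, and then report every administrator or delegate logon over the last 30 days. The mailbox alias "ceo", the 90-day audit log retention and the 30-day reporting window are assumed values.

```powershell
# Added example: enable mailbox audit logging on one mailbox and review non-owner access.
# Assumed values: mailbox alias "ceo", 90-day audit log retention, 30-day report window.
$mailbox = "ceo"

# Turn on auditing and choose which actions are recorded for administrators and delegates.
# Owner actions are left off (the default); they are noisy and rarely needed for this purpose.
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditAdmin    Copy,FolderBind,MessageBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems `
    -AuditDelegate FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems `
    -AuditLogAgeLimit 90.00:00:00

# Confirm the setting took effect before relying on it.
Get-Mailbox -Identity $mailbox | Format-List Name,AuditEnabled,AuditAdmin,AuditDelegate,AuditLogAgeLimit

# Report each delegate or administrator logon in the last 30 days: when it happened, what was done,
# which account did it, which client was used, and which folder or item was touched.
$end   = Get-Date
$start = $end.AddDays(-30)
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails |
    Select-Object LastAccessed,Operation,LogonUserDisplayName,ClientInfoString,FolderPathName,ItemSubject |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize
```

The audit entries are stored in the Recoverable Items folder of the audited mailbox itself, so the AuditLogAgeLimit value decides how far back a later investigation can look; set it before an incident, not after. To cover a whole group at once, pipe the result of Get-Mailbox (for example filtered by organizational unit) into the same Set-Mailbox call instead of naming a single mailbox.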


Recovering deleted mail items

It’s pretty common (and yes, annoying) for people to inadvertently delete mail from time to time.

If the deletion occurs within your Exchange database’s retention period you can use the single item recovery feature to retrieve it without using backup software.

For example, let’s say items were deleted from Fred Agave’s mailbox, named “fagave”. Fred is looking for mail from Napoleon with a subject containing the word “Elba”. You can search Fred’s mailbox for all items meeting the search criteria by using the following PowerShell command:

Search-Mailbox fagave -SearchQuery "from:'Napoleon' AND Elba" -TargetMailbox "fagave" -TargetFolder "Recovered Mail" -LogLevel Full

Mail found by the search is copied into a folder named Recovered Mail, which the process creates in the target mailbox.
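As an added example (not the original post’s own command), the script below checks how long the database and the mailbox keep deleted items, counts the matches with an estimate-only search before anything is copied, and only then performs the recovery. It differs from the post’s one-liner in one respect: the results are copied into a separate holding mailbox so an administrator can review them before handing them over. The mailbox alias "fagave", the search terms, and the holding mailbox "recovery-admin" are assumed values.

```powershell
# Added example: verify retention, estimate the hit count, then recover the items.
# Assumed values: source mailbox "fagave", holding mailbox "recovery-admin",
# sender Napoleon, keyword Elba, target folder "Recovered Mail".
$mailbox = "fagave"
$holding = "recovery-admin"
$query   = "from:'Napoleon' AND Elba"

# 1. How long are deleted items kept? The mailbox setting overrides the database default
#    unless UseDatabaseRetentionDefaults is true. With single item recovery enabled, items the
#    user has purged from Deleted Items are also kept for that window.
$mbx = Get-Mailbox -Identity $mailbox
$db  = Get-MailboxDatabase -Identity $mbx.Database
"Database retention: {0}   Mailbox retention: {1}   Uses DB default: {2}   Single item recovery: {3}" -f `
    $db.DeletedItemRetention, $mbx.RetainDeletedItemsFor, $mbx.UseDatabaseRetentionDefaults, $mbx.SingleItemRecoveryEnabled

# 2. Count the matches (the Recoverable Items folder is searched by default) before copying anything.
$estimate = Search-Mailbox -Identity $mailbox -SearchQuery $query -EstimateResultOnly
"Estimated matches: {0}   Size: {1}" -f $estimate.ResultItemsCount, $estimate.ResultItemsSize

# 3. Copy the matches into a new folder in the holding mailbox and keep a full log of what was copied.
if ($estimate.ResultItemsCount -gt 0) {
    Search-Mailbox -Identity $mailbox -SearchQuery $query `
        -TargetMailbox $holding -TargetFolder "Recovered Mail" -LogLevel Full
} else {
    "Nothing matched; the items may be outside the retention window."
}
```

Search-Mailbox requires the Mailbox Search role (the Discovery Management role group by default), which ordinary recipient administrators do not hold; that is deliberate, because the cmdlet reads mailbox content. If the user has already emptied Deleted Items, add the -SearchDumpsterOnly switch to confine the search to the Recoverable Items folder and keep the result set small.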

For a more detailed treatment of this topic, go to the TechNet blog…

Restoring a disabled or soft-deleted mailbox

Let’s say a user has left the company (or perhaps gone on extended leave): their Active Directory user account was disabled or deleted and the Exchange mailbox along with it.

And let’s say they’re rehired or return; if this happens within your Exchange server’s mailbox database retention period, it’s possible to re-connect the detached mailbox object to the user’s new (or re-activated) AD account.

Here’s how.

Step 1.) Find your disconnected mailbox by running the following command from the Exchange Management Shell:

Get-MailboxDatabase | Get-MailboxStatistics | Where-Object {$_.DisconnectReason -ne $null} | Format-Table DisplayName,Database,DisconnectReason -AutoSize

Note: Pay attention to the mailbox database listed for the disconnected mailbox; you’ll need it to reconnect the mailbox in its original database location.

Step 2.) (If necessary) Create an AD user account to which the mailbox will be reconnected.

Step 3.) Run the following PowerShell command, which reconnects the orphaned mailbox object to the AD account:

Connect-Mailbox -Identity "Mailbox Name" -Database "database name" -User "AD User Name"

So, for example…

Connect-Mailbox -Identity "jdoe" -Database "Database One" -User "John Doe"

This reconnects the disconnected mailbox whose identity is jdoe to the Active Directory account named John Doe.
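The three steps above carried out as one script, added here as an example rather than taken from the original post. It locates the disconnected mailbox by display name, refuses to continue if the name is ambiguous, checks that the target AD account exists and is not already mailbox-enabled, reconnects the mailbox to the database that still holds its data, and verifies the result. The display name "John Doe" and the account name "jdoe" are assumed values.

```powershell
# Added example: find, check, reconnect and verify a disconnected mailbox.
# Assumed values: display name "John Doe", AD account (sAMAccountName) "jdoe".
$displayName = "John Doe"
$adUser      = "jdoe"

# 1. Disconnected mailboxes keep their statistics in the database until the retention period ends.
#    @() forces an array so .Count works whether zero, one or many rows come back.
$orphans = @(Get-MailboxDatabase | Get-MailboxStatistics |
    Where-Object { $_.DisconnectReason -ne $null -and $_.DisplayName -eq $displayName })

if ($orphans.Count -eq 0) {
    throw "No disconnected mailbox named '$displayName' was found. If the account was only just disabled, run Clean-MailboxDatabase on the database and try again."
}
if ($orphans.Count -gt 1) {
    $orphans | Format-Table DisplayName,Database,DisconnectReason,DisconnectDate,MailboxGuid -AutoSize
    throw "More than one disconnected mailbox matches '$displayName'; pick one by MailboxGuid."
}
$orphan = $orphans[0]
"Found '{0}' in database {1}, disconnected {2} (reason: {3})" -f `
    $orphan.DisplayName, $orphan.Database, $orphan.DisconnectDate, $orphan.DisconnectReason

# 2. The target account must exist and must not already own a mailbox.
#    A plain AD user reports RecipientType "User"; a mailbox-enabled one reports "UserMailbox".
$user = Get-User -Identity $adUser -ErrorAction Stop
if ($user.RecipientType -ne "User") {
    throw "$adUser is already a recipient of type $($user.RecipientType); connecting would fail or attach the wrong account."
}

# 3. Reconnect by GUID (unambiguous, unlike a display name) to the database that still holds the data.
Connect-Mailbox -Identity $orphan.MailboxGuid -Database $orphan.Database -User $adUser -Alias $adUser

# 4. Verify that the account is now mailbox-enabled and lives where expected.
Get-Mailbox -Identity $adUser | Format-List Name,Alias,Database,ExchangeGuid
```

DisconnectReason distinguishes Disabled (the mailbox was removed from its account) from SoftDeleted (the source copy left behind after a mailbox move, which is not the live mailbox); make sure the copy you reconnect is the one that holds the data the user needs. Step 1 of the post will not list a mailbox that was disabled moments ago until the store has noticed; Clean-MailboxDatabase forces that scan, which is why the script suggests it when nothing is found.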