Exchange 2007 : Mailbox Auditing

Enable Mailbox Auditing in Exchange 2007 SP1

From the Exchange Shell on the Mailbox Database Server(s) run the following command to enable auditing:
   Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" -Level Low
This command returns no output.

You can check that this setting has been applied using the command:
   Get-EventLogLevel

Now monitor the Application event log for Event IDs 1013 and 1016.
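
One way to carry out the verify and monitor steps above from the Exchange Management Shell. This is an added example, not part of the original page; the scan depth of 5000 entries, the MSExchangeIS* source filter and the CSV path are assumptions to adjust for your server.

```powershell
# Added example (not from the original page). Run in the Exchange Management
# Shell on the mailbox server after the Set-EventLogLevel step.
$category = 'MSExchangeIS\9000 Private\Logons'
$auditIds = 1013, 1016
$newest   = 5000                       # assumed: recent Application entries to scan
$csvPath  = 'C:\Temp\mailbox-logon-audit.csv'   # assumed output location

# 1. Confirm the diagnostic level is no longer the default (Lowest).
$level = Get-EventLogLevel -Identity $category
if ("$($level.EventLevel)" -eq 'Lowest') {
    Write-Warning "$category is still at Lowest; no logon audit events will be written."
}

# 2. Collect the audit events. Filtering is done client-side so the script
#    also works on PowerShell 1.0, which has no -InstanceId or -After.
$events = @(Get-EventLog -LogName Application -Newest $newest |
    Where-Object {
        ($auditIds -contains $_.EventID) -and ($_.Source -like 'MSExchangeIS*')
    })

if ($events.Count -eq 0) {
    Write-Host "No events with ID 1013 or 1016 in the last $newest Application entries."
    return
}

# 3. Count per event ID, so a sudden change in volume stands out.
$events | Group-Object EventID | Sort-Object Name |
    Format-Table Name, Count -AutoSize

# 4. Group identical messages: repeated entries show the same account and
#    mailbox pairing recurring, which is what a reviewer wants to look at first.
$events | Group-Object Message | Sort-Object Count -Descending |
    Select-Object -First 10 | Format-Table Count, Name -Wrap

# 5. Keep a copy outside the event log, which is overwritten as it fills.
$events | Select-Object TimeGenerated, EventID, Source, Message |
    Export-Csv -Path $csvPath -NoTypeInformation
```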
 
Enable Auditing in Exchange 2007 SP2

SP2 introduces new features for Mailbox Access auditing; a new event log is created on the Exchange Server and it is possible to audit Folder Access, Message Access, Extended Send As and Extended Send On Behalf.

Enable Folder Access using the command:
   Set-EventLogLevel "MSExchangeIS\9000 Private\Folder Access" -Level Low

You can create exceptions to auditing for specific accounts such as service accounts using the command:
   Get-MailboxDatabase -Identity 'SERVER' | Add-ADPermission -User 'account' -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All

You can now view auditing events in the Exchange Auditing Event Log.