Enable Mailbox Auditing in Exchange 2007 SP1
From the Exchange Shell on the Mailbox Database Server(s) run the following command to enable auditing:
Set-EventLogLevel “MSExchangeIS\9000 Private\Logons” -level low
This command will return no feedback to the end-user.
You can check that this setting has been applied using the command:
Now monitor the Application event log for Event IDs 1013 and 1016
Enable Auditing in Exchange 2007 SP2
SP2 introduces new features for Mailbox Access auditing; a new event log is created on the Exchange Server and it is possible to audit Folder Access, Message Access, Extended Send As and Extended Send On Behalf.
Enable Folder Access using the command:
Set-EventLogLevel “MSExchangeIS\9000 Private\Folder Access” -level low
You can create exceptions to auditing for specific accounts such as service accounts using the command:
Get-MailboxDatabase –identity ‘SERVER’ | Add-ADPermission –User ‘account’ –ExtendedRights ms-Exch-Store-Bypass-Access-Auditing –InheritanceType All
You can now view auditing events in the Exchange Auditing Event Log.