Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Change Auditor for Exchange 7.0.2 - Reference Guide

Notes for Change Auditor for Exchange Events

This section contains a numerical list of notes for Change Auditor for Exchange events.

Note 1

Mailbox events that originate from POP3, IMAP or WebDAV are not supported.

 

Note 2

A Message Read by Non-Owner event may replace an expected Message Moved by Non-Owner event when moving a message between mailbox stores.

When this event is enabled and a mailbox is moved from one mailbox store to another, Change Auditor generates an audited event for every email in the mailbox that is moved (for example, if a user has 1,000 emails in their mailbox, you will receive 1,000 'Message Read by Non-Owner' events in Change Auditor.) To avoid generating these events, do not add the user account for the mailbox to be moved to the list on the Exchange Mailbox Auditing page on the Administration Tasks tab.

 

Note 3

Message Permanently Deleted by Owner, Message Permanently Deleted by Non-Owner and Message Created events may be generated in place of an expected Message Moved by Owner or Message Moved by Non-Owner event when moving messages between mailbox stores.

 

Note 4

Monitoring by-owner mailbox events generates large numbers of events. Quest recommends that these events be enabled only when necessary and for the minimum number of users required.

 

Note 5

Auditing normal mailboxes (with enabled owner accounts) where access permission is granted to many delegates (more than 10), will generate extremely large numbers of non-owner events. If these mailboxes need to be audited, it is recommended that these mailboxes be added to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance.

Use the Shared Mailbox feature on the Exchange Mailbox Auditing page on the Administration Tasks tab to mark a normal mailbox as ‘shared’. For more information on managing shared mailboxes, see the Change Auditor for Exchange User Guide.

 

Note 6

This event is created when a draft message is saved to a folder or when a message is copied between mailbox stores. It is not created as a result of an Outlook send message operation.

 

Note 7

Some Exchange Active Directory changes detected on Domain Controllers that are not Exchange Servers may not be reported, or may be reported with missing information.

 

Note 8

Change Auditor access control list (ACL) events, that is, discretionary access control list (DACL) and system access control list (SACL) changes, do not report inherited access control entry (ACE) changes. This event does not report inherited ACL changes.

 

Note 9

In Exchange 2010, the monitoring point was moved from the mailbox role to the client access role. All Exchange 2010 events, Outlook, and OWA, are shown as being generated on the server with the client access role, not the mailbox server.

In Exchange 2013, the monitoring point was moved back to the mailbox role; therefore, all Exchange 2013 events, Outlook, and OWA, are shown as being generated on the mailbox server.

 

Note 10

The Exchange 2013 OWA Client (as of Exchange 2013 Cumulative Update 2) does not allow this copy function; therefore, this event is not audited by Change Auditor for Exchange. This functionality can however be audited through the Outlook Client.

 

Note 11

To capture Exchange mailbox access events:
Exchange 2010: Deploy a Change Auditor agent to all Exchange 2010 CAS role servers.
Exchange 2013: Deploy a Change Auditor agent to all Exchange 2013 Mailbox role servers.

 

Note 12

Change Auditor Exchange Server Monitoring and Outlook Cached Mode:

For improved performance, Outlook offers an option to ‘cache’ requests to Exchange Server. This option is enabled by default when you configure an email account for Exchange Server. To disable this setting, select the Outlook Tools | Account Settings menu command, open the E-mail tab and click Change, and then clear the Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.

While Change Auditor Exchange monitoring events closely track user input in non-cached Outlook and Outlook Web Access clients, this is not the case with cached-mode Outlook.

User activity in cached-mode Outlook can provide complex results with Change Auditor Exchange monitoring; the timing and order of Exchange requests is not obvious or intuitive.

This note describes a few of the effects you will see when monitoring an Outlook cached connection to Exchange Server:

Cached-mode Outlook frequently defers message copy, move and delete requests until seconds or even minutes later.
When opening cached-mode Outlook, several folders may be ‘opened’ at the same time. Outlook examines all folders with recent changes at startup.
When opening cached-mode Outlook or selecting a different mail folder, several message read events may occur at the same time. Outlook reads all new Inbox messages as they become available (independent of user activity) and then keeps local copies for reading.
When opening messages that have previously been read (or selecting messages with the preview pane enabled) you will not see a ‘message read’ event. Since cached-mode Outlook keeps local copies of the messages they never need to be read from the server again, even after closing and re-starting Outlook. The original read from the server does produce a ‘message read’ event.
When deleting messages (moving them to the Deleted Items folder), instead of ‘message deleted and moved to the Deleted Items folder’ events as in non-cached mode you will receive two events: ‘message created’ in the Deleted Items folder, and ‘message permanently deleted’ in the original folder. This is an accurate report of how cached-mode Outlook implements message deletions to the Deleted Items folder.
When permanently deleting messages (emptying the Deleted Items folder) you will see a ‘message read’ event as cached-mode Outlook obtains information from the message followed somewhat later by a ‘message permanently deleted’ event.
If the user closes cached-mode Outlook before it has a chance to synchronize permanently deleted items with the Exchange Server, it will do so the next time Outlook is started. Other clients viewing the mailbox will be able to access the ‘deleted’ items until cached-mode Outlook synchronizes with the server.

Note that you will still receive all notifications of critical non-owner events from cached-mode Outlook clients, but the timing and sequence may not be obvious. Understanding the effect that cached-mode Outlook has on your Change Auditor Exchange monitoring will give you confidence that the results you are seeing are accurate.

 

Note 13

Change Auditor for Exchange generates shared mailbox events for Exchange shared mailbox, room and equipment resources, and for any other mailboxes that the user has identified as shared. Shared mailbox events will only be generated when both of the following conditions exist:
The affected mailbox is selected for auditing (i.e., added to the Exchange Mailbox Auditing list on the Administration Tasks tab).
The mailbox is either located in an Exchange mailbox store or has been marked as a shared mailbox by the user.
* 
NOTE: As with individual mailboxes, if the shared mailbox is not added to the Exchange Mailbox Auditing list, the mailbox is not being audited and therefore no events are generated.

If the mailbox is not a shared mailbox, room or equipment resource in an Exchange mailbox store AND it has not been manually marked as a shared mailbox by the user, then normal mailbox owner or non-owner events will be generated for the affected mailboxes.

Many of the shared mailbox events are disabled by default. In order to generate these events, they must first be enabled using the Audit Events page on the Administration Tasks tab.

 

Note 14

Exchange 2010/2013/2016 stores its configuration data in Active Directory, and installing Change Auditor agents on the domain controller captures all these change actions. However, starting with Exchange 2010, Microsoft changed how they process configuration changes. Therefore, for Change Auditor to retrieve the correct ‘who’ information for these Active Directory based events it now audits Microsoft PowerShell. So you can:
Deploy an agent to all Active Directory domain controllers in the forest. However, the ‘who’ value will be missing (reported as the Exchange server computer account) from all the Exchange 2010/2013/2016 Active Directory based events.
Depending on the Exchange version you are running, deploy an agent to Exchange servers as described below. This captures the correct ‘who’ value for many of the Exchange 2010/2013/2016 Active Directory based events, but not all Exchange 2010/2013/2016 events are being audited in this scenario.
Exchange 2010: Deploy a Change Auditor agent to all Exchange 2010 CAS role servers.
Exchange 2013/2016: Deploy a Change Auditor agent to all Exchange 2013/2016 servers with the Mailbox role.
Recommended: Deploy an agent to all Active Directory domain controllers AND to all required Exchange 2010/2013/2016 servers. However, duplicate events are generated for Exchange 2010/2013/2016 Active Directory events: one from the agent auditing attribute changes on a domain controller (contains no ‘who’ value) and one from the new agent auditing PowerShell on an Exchange server (contains the correct ‘who’ value).
Note 15

ActiveSync is a feature of Exchange Server and Change Auditor for Exchange audits ActiveSync on all Exchange versions supported by Change Auditor 6.9 (Exchange 2010, 2013, and 2016).
Exchange 2010: To capture ActiveSync events, a Change Auditor agent must be deployed on all Exchange 2010 CAS role servers.
Exchange 2013/2016: To capture ActiveSync events, a Change Auditor agent must be deployed on all Exchange 2013 Mailbox role servers.
Note 16

Mailbox Folder Permissions Changed by mailbox owner events are generated even when owner mailbox auditing is not enabled, so long as the mailbox is covered by an existing Change Auditor for Exchange template. For example, when enterprise auditing is configured, or when auditing of non-owner activity for selected mailboxes, this event is still audited.

Note 17

Message Read by Owner, Message Read in Shared Mailbox, and Message Read by Non-Owner events are only generated the first time that a message is read, regardless if read by the owner or a non-owner; subsequent reads of the same message do not generate an event.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation