Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Exchange Mailbox Auditing

Previous Next

Exchange Mailbox Auditing
Introduction
Exchange Mailbox Auditing page
Exchange Mailbox Auditing list
Exchange Auditing wizard

Introduction

Previous Next

Introduction

Exchange mailbox auditing helps tighten enterprise-wide change and control policies by tracking user and administrator activity such as user account changes, delivery restriction changes, send on behalf updates, and more. With these real-time alerts and in-depth analysis and reporting capabilities, your Exchange infrastructure is always protected from exposure to suspicious behavior or unauthorized access and kept in compliance with corporate and government standards.

* 
NOTE: Agent processing of Exchange auditing and protection configurations may slow down initial user login access or cause timeouts if many user logins occur at the same time. To avoid this issue, Quest recommends that changes to mailbox auditing or protection configurations be performed during maintenance intervals or other periods of low user mailbox activity.

Before the system is returned to normal load, one user should log on to Outlook Web Access (OWA), Outlook (Outlook for Mac) clients. This triggers the agent to process the mailbox auditing and protection configuration changes when the fewest logins are occurring.

* 
NOTE: Starting the agent on Exchange mailbox servers in large organizations during periods of heavy user mailbox activity, can also cause service interruptions to Outlook users while the clients reconnect. To avoid this, Quest recommends that the agent be scheduled for periods of reduced user activity.

If necessary, you can disable forcing Outlook reconnections on a server-by-server basis. Contact Quest Technical Support for additional information.

* 
NOTE: To eliminate auditing of automated tasks, the agent attempts to automatically exclude auditing of mailboxes accessed by Blackberry Enterprise Server (BES) or similar service accounts. These accounts have both ‘Receive All’ and ‘Administer Information Store’ rights on the mailbox database. If these explicit rights are granted to user accounts, those accounts are also excluded from mailbox auditing, which may not be wanted. If necessary, you can disable this automated exclusion on a server-by-server basis. Contact Quest Technical Support for additional information.

To enable mailbox auditing, you define a mailbox auditing list that contains the directory objects whose mailbox activities you want to audit. Change Auditor for Exchange generates shared mailbox events for shared mailbox, room and equipment resources, and for any other mailboxes that the user has identified as shared. See the Managing Shared Mailboxes appendix for more information.

In Change Auditor, some mailbox events are disabled by default due to the potentially high volume of events that can occur. To captured these events, enable them using the Audit Events page of the Administration Tasks tab.

 
* 
IMPORTANT: When the Message read by non-owner event is enabled and a mailbox is moved from one mailbox store to another, Change Auditor generates an event for every email in the mailbox that is being moved. For example, if a user has 1,000 emails in their mailbox, you receive 1,000 Message read by non-owner events in Change Auditor.

To avoid generating these events, do not add the user account for the mailbox to be moved to the list on the Exchange Mailbox Auditing page on the Administration Tasks tab.

Exchange Mailbox Auditing page

Previous Next

Exchange Mailbox Auditing page

To enable mailbox auditing, you must first specify the mailbox activity to audit. To do this, you will use the Exchange Mailbox Auditing page, which displays when you select Exchange Mailbox from the Auditing task list in the navigation pane of the Administration Tasks tab.

 

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for information about how to gain access.
 
* 
NOTE: The directory objects listed on this page only apply to the events contained in the Exchange Mailbox Monitoring and Exchange ActiveSync Monitoring facilities. This list does not apply to any of the other Exchange facilities.

The Exchange Mailbox Auditing page contains a list of the directory objects whose mailboxes are to be audited. If a directory object is not listed on this page, its mailbox will not be audited. To add a directory object to this list, click Add. Once added, the following information is displayed:

Type

Displays the type of directory object selected for Exchange Mailbox auditing (such as User, Group, Container, DomainDNS, OrganizationalUnit, or BuiltinDomain)

Events

Indicates the type of events to audit:
Non-owner
Non-owner or Owner (only applies to individual user objects)

To change this setting, place your cursor in this cell, click the arrow control, and select the appropriate option from the list.

* 
NOTE: ‘By owner’ events are disabled by default and need to be enabled to capture these events if the Non-owner or Owner option is selected.
Scope

Displays the scope of coverage:

Object
One Level
Subtree

To change this setting, place your cursor in this cell and select the appropriate option from the list.

Exclude

Indicates whether mailboxes in the directory object are audited (Exclude = No) or excluded from auditing (Exclude = Yes).

To change this setting, place your cursor in this cell, click the arrow control, and select Yes to exclude the directory object or No to include the directory object in the auditing process.

Status

Indicates whether the audit entry for this directory object is enabled or disabled. Disabled entries have no effect on auditing.Disabled entries can be re-enabled later.

To change this setting, place your cursor in this cell, click the arrow control, and select Enabled to enable the audit object or Disabled to disable the audit object.

Exchange Mailbox

Displays the canonical name associated with the directory objects listed.

Name

Displays the name of the directory objects listed.

DisplayName

If applicable, this column shows the display name assigned to the directory object.

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client redisplays the templates that meet the search criteria (that is, comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Quest Change Auditor User Guide.

Exchange Mailbox Auditing list

Previous Next

Exchange Mailbox Auditing list

The Exchange Mailbox Auditing list contains a list of the directory object’s whose Exchange Mailbox is to be either included or excluded in the auditing process. Click Add to include a mailbox in the auditing process or use the Add | Exclude toolbar option to exclude a mailbox from the auditing process.

To include an Exchange Mailbox in the auditing process:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select Exchange Mailbox (under Applications).
4
Click Add to display the Exchange Auditing Wizard.
5
Select one of the options at the top of the page: Enterprise or This Object (default).
6
If the This Object option is selected, use the Browse and Search pages to locate and select a directory object (for example, User, Group, Container, DomainDNS, OrganizationalUnit, or BuiltinDomain) and use the Add button to add the selected directory object to the Selected Object list at the bottom of the page.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Repeat this step to add more directory objects to the Exchange Mailbox Auditing list.

7
Click Finish to close this wizard and return to the Exchange Mailbox Auditing page, where your selections are listed with a No in the Exclude cell.
* 
NOTE: From the Exchange Mailbox Auditing page, you can include a previously excluded mailbox by changing the setting in the Exclude cell. Use one of the following methods:
Place your cursor in the Exclude cell of the mailbox to include, click the arrow control, and select No.
Right-click the mailbox entry and click Audit.
8
By default, only Non-Owner events are selected for auditing.

For individual user mailboxes, you can change this to include ‘By Owner’ events as well. To do so, place your cursor in the Events cell, click the arrow control, and select the Owner, Non-Owner option from the list.

* 
IMPORTANT: Selecting ‘By Owner’ auditing for many mailboxes can produce a large number of events. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. In extreme cases, Outlook connections may be slowed or dropped. Select owner auditing for at most only a few critical mailboxes.
* 
NOTE: ‘By Owner’ events are disabled by default. Therefore, you need to enable these events from the Audit Events page on the Administration Tasks tab before Change Auditor processes them.
* 
NOTE: Auditing normal mailboxes where access permission is granted to many delegates (more than 10), can produce large numbers of non-owner events. This will adversely affect Change Auditor auditing and in severe cases, the performance of the Exchange Server itself. If these mailboxes must be audited, add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance. See Managing Shared Mailboxes for more information.
9
The default scope of coverage is displayed in the Scope cell. You can change this by placing your cursor in the Scope cell, clicking the arrow control and selecting the appropriate option from the list:
Object - to audit an individual object
One Level - to audit an object and its direct child objects
Subtree - to audit an object and all its subordinate objects (all levels)
To exclude an Exchange Mailbox from the auditing process:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select Exchange Mailbox (under Applications in the Auditing task list) to open the Exchange Mailbox Auditing page.
4
Expand Add and click Exclude to display the Exchange Auditing Wizard.
5
Select one of the options at the top of the page: Enterprise or This Object (default).
6
If the This Object option is selected, use the Browse and Search pages to locate and select a directory object (for example User, Group, Container, DomainDNS, OrganizationalUnit, or BuiltinDomain) and click Add to add the selected directory object to the Selected Object list at the bottom of the page.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Repeat this step to add more directory objects to the exclusion list.

7
Click Finish to close this wizard and return to the Exchange Mailbox Auditing page, where your selections are listed with a Yes in the Exclude cell.
* 
NOTE: From the Exchange Mailbox Auditing page, you can exclude a previously included mailbox by changing the setting in the Exclude cell. Place your cursor in the Exclude cell of the mailbox to include, click the arrow control, and select Yes.

For example, if you wanted to audit all mailboxes in the Enterprise, except those belonging to the accounts in the ExchangeAdmin organizational unit, you would create two entries in the Exchange Mailbox Auditing list:
Use Add to create an audit entry for the Enterprise with Exclude = No.
Use Add | Exclude to create an audit entry for the ExchangeAdmin OU with Exclude = Yes.)
To disable an audit entry:

The disable feature allows you to temporarily disable the audit entry of a directory object without having to remove it from the Exchange Mailbox Auditing list.

1
On the Exchange Mailbox Auditing page, place your cursor in the Status cell for the Exchange mailbox whose auditing you want to disable, click the arrow control and select Disabled

The entry in the Status column for the object changes to ‘Disabled’.

2
To re-enable the auditing of a directory object’s mailbox, use the Enable option in either the Status cell or right-click menu.
To delete an Exchange mailbox from the auditing list:
1
On the Exchange Mailbox Auditing page, select the mailbox and click Delete.
2
A dialog is displayed confirming that you want to delete the Exchange mailbox from the auditing list. Click Yes.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating