
Change Auditor for Exchange 7.2 - Event Reference Guide

Notes

This section contains a numerical list of notes for Change Auditor for Exchange events.

Mailbox events that originate from POP3, IMAP or WebDAV are not supported.

A Message Read by Non-Owner event may replace an expected Message Moved by Non-Owner event when moving a message between mailbox stores.

When this event is enabled and a mailbox is moved from one mailbox store to another, Change Auditor generates an audited event for every email in the mailbox that is moved (for example, if a user has 1,000 emails in their mailbox, you will receive 1,000 'Message Read by Non-Owner' events in Change Auditor). To avoid generating these events, do not add the user account for the mailbox to be moved to the list on the Exchange Mailbox Auditing page on the Administration Tasks tab.

Message Permanently Deleted by Owner, Message Permanently Deleted by Non-Owner and Message Created events may be generated in place of an expected Message Moved by Owner or Message Moved by Non-Owner event when moving messages between mailbox stores.

Monitoring by-owner mailbox events generates large numbers of events. Quest recommends that these events be enabled only when necessary and for the minimum number of users required.

Auditing normal mailboxes (with enabled owner accounts) where access permission is granted to many delegates (more than 10) will generate extremely large numbers of non-owner events. If these mailboxes need to be audited, it is recommended that they be added to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance.

Use the Shared Mailbox feature on the Exchange Mailbox Auditing page on the Administration Tasks tab to mark a normal mailbox as ‘shared’. For more information on managing shared mailboxes, see the Change Auditor for Exchange User Guide.

This event is created when a draft message is saved to a folder or when a message is copied between mailbox stores. It is not created as a result of an Outlook send message operation.

Some Exchange Active Directory changes detected on Domain Controllers that are not Exchange Servers may not be reported, or may be reported with missing information.

Change Auditor access control list (ACL) events, that is, discretionary access control list (DACL) and system access control list (SACL) changes, do not report inherited access control entry (ACE) changes. This event does not report inherited ACL changes.

In Exchange 2013 and higher, the monitoring point was moved back to the mailbox role; therefore, all Exchange events from Exchange, Outlook, and OWA are shown as being generated on the mailbox server.

The Exchange 2013 OWA Client (as of Exchange 2013 Cumulative Update 2) does not allow this copy function; therefore, this event is not audited by Change Auditor for Exchange. This functionality can however be audited through the Outlook Client.

To capture Exchange mailbox access events:

Exchange 2013 or higher: Deploy a Change Auditor agent to all Exchange Mailbox role servers.

Change Auditor Exchange Server Monitoring and Outlook Cached Mode:

For improved performance, Outlook offers an option to ‘cache’ requests to Exchange Server. This option is enabled by default when you configure an email account for Exchange Server. To disable this setting, select the Outlook Tools | Account Settings menu command, open the E-mail tab and click Change, and then clear the Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.

While Change Auditor Exchange monitoring events closely track user input in non-cached Outlook and Outlook Web Access clients, this is not the case with cached-mode Outlook.

User activity in cached-mode Outlook can provide complex results with Change Auditor Exchange monitoring; the timing and order of Exchange requests is not obvious or intuitive.

This note describes a few of the effects you will see when monitoring an Outlook cached connection to Exchange Server:

Note that you will still receive all notifications of critical non-owner events from cached-mode Outlook clients, but the timing and sequence may not be obvious. Understanding the effect that cached-mode Outlook has on your Change Auditor Exchange monitoring will give you confidence that the results you are seeing are accurate.

Change Auditor for Exchange generates shared mailbox events for Exchange shared mailbox, room and equipment resources, and for any other mailboxes that the user has identified as shared. Shared mailbox events will only be generated when both of the following conditions exist:

If the mailbox is not a shared mailbox, room or equipment resource in an Exchange mailbox store AND it has not been manually marked as a shared mailbox by the user, then normal mailbox owner or non-owner events will be generated for the affected mailboxes.

Many of the shared mailbox events are disabled by default. In order to generate these events, they must first be enabled using the Audit Events page on the Administration Tasks tab.

Exchange stores its configuration data in Active Directory, and installing Change Auditor agents on the domain controller captures all these change actions. However, Microsoft changed how it processes configuration changes. Therefore, to retrieve the correct ‘who’ information for these Active Directory-based events, Change Auditor now audits Microsoft PowerShell. You can therefore:

Exchange 2013 and higher: Deploy a Change Auditor agent to all Exchange servers with the Mailbox role.
Recommended: Deploy an agent to all Active Directory domain controllers AND to all required Exchange servers. However, duplicate events are generated for Exchange Active Directory events: one from the agent auditing attribute changes on a domain controller (contains no ‘who’ value) and one from the new agent auditing PowerShell on an Exchange server (contains the correct ‘who’ value).
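The following added example (not Quest code, and not part of the original guide) shows one way a downstream consumer could collapse the duplicate pair described above, dropping the domain controller event that has no ‘who’ value only when an attributed event for the same object exists close in time. The field names, the sample events and the 30-second pairing window are assumptions, not the Change Auditor export schema.

```python
from datetime import datetime, timedelta

# Assumed pairing tolerance between the DC event and the Exchange PowerShell event.
WINDOW = timedelta(seconds=30)

# Constructed sample events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:02", "event": "constructed-exchange-ad-change",
     "object": "CN=jdoe,OU=Staff,DC=example,DC=test", "who": "", "agent": "DC01"},
    {"time": "2024-03-01T10:00:03", "event": "constructed-exchange-ad-change",
     "object": "cn=jdoe,ou=staff,dc=example,dc=test", "who": "EXAMPLE\\admin1", "agent": "EXCH01"},
    {"time": "2024-03-01T10:05:00", "event": "constructed-exchange-ad-change",
     "object": "CN=asmith,OU=Staff,DC=example,DC=test", "who": "", "agent": "DC01"},
    {"time": "2024-03-01T10:00:20", "event": "constructed-exchange-ad-change",
     "object": "CN=jdoe,OU=Staff,DC=example,DC=test", "who": "", "agent": "DC02"},
]

def _key(e):
    # Distinguished names compare case-insensitively.
    return (e["event"], e["object"].lower())

def collapse_duplicates(events, window=WINDOW):
    """Return (kept, dropped). A who-less event is dropped only when it can be
    paired one-to-one with an attributed event for the same object in the window."""
    times = [datetime.fromisoformat(e["time"]) for e in events]
    unused = {}  # key -> indices of attributed events not yet paired
    for i, e in enumerate(events):
        if e["who"]:
            unused.setdefault(_key(e), []).append(i)
    kept, dropped = [], []
    for i, e in enumerate(events):
        if e["who"]:
            kept.append(e)
            continue
        near = [j for j in unused.get(_key(e), [])
                if abs(times[j] - times[i]) <= window]
        if near:
            j = min(near, key=lambda j: abs(times[j] - times[i]))
            unused[_key(e)].remove(j)  # each attributed event absorbs one twin
            dropped.append(e)
        else:
            kept.append(e)  # no attributed twin: keep so the change is not lost
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = collapse_duplicates(SAMPLE_EVENTS)
    for e in kept:
        print(e["time"], e["agent"], e["who"] or "<no who>")
```

Events without a ‘who’ value that remain after this pass are the ones to review, since they have no attributed counterpart.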

ActiveSync is a feature of Exchange Server and Change Auditor for Exchange audits ActiveSync on all Exchange versions supported by Change Auditor (Exchange 2013 and 2016).

Exchange 2013 and higher: To capture ActiveSync events, a Change Auditor agent must be deployed on all Exchange 2013 Mailbox role servers.

Mailbox Folder Permissions Changed by mailbox owner events are generated even when owner mailbox auditing is not enabled, so long as the mailbox is covered by an existing Change Auditor for Exchange template. For example, when enterprise auditing is configured, or when auditing of non-owner activity is configured for selected mailboxes, this event is still audited.

Message Read by Owner, Message Read in Shared Mailbox, and Message Read by Non-Owner events are only generated the first time that a message is read, regardless of whether it is read by the owner or a non-owner; subsequent reads of the same message do not generate an event.
