Channel: Practical 365

Using Exchange Server Mailbox Audit Logs to Find the Sender of an Email from a Shared Mailbox


In all my years as an Exchange Server administrator the most common “whodunnit” scenario is being asked to find out who sent a specific message from a shared mailbox.

Consider a scenario where a shared “Help Desk” mailbox is used by a reasonably large team of IT staff, and they all have Send As permissions for the mailbox (for legitimate purposes such as sending out system outage and maintenance notifications).

One day a help desk operator has a brain fart and sends an email to the whole organization that causes some bad feedback.


You've been tasked with finding the culprit and there are a few angles of investigation that you're considering, such as finding the IP address that submitted the message and tracing that back to a workstation, trawling through the Sent Items of help desk staff, or even just flat out asking people (this one works sometimes, don't rule it out).

It would be a lot easier if Exchange could just tell you who sent the message.

The good news is that Exchange Server can tell you this (in Exchange 2010 SP1 or later, and Exchange 2013), using a feature called mailbox audit logging. The bad news (if you can call it that) is that the feature is not enabled by default, and needs to be turned on *before* the email is sent to capture the action in the audit log. Audit entries are also stored in the mailbox itself and are aged out after 90 days by default (the AuditLogAgeLimit setting on the mailbox), so the search has to happen before the entries expire too.
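As an added example (not from the original article), here is how the prerequisite would be put in place from the Exchange Management Shell: enable mailbox audit logging on the shared mailbox, make sure the Send As and Send On Behalf actions are captured for both delegates and administrators, extend the retention beyond the 90-day default, and verify the result. The mailbox name, the 180-day retention and the bulk enable for all shared mailboxes are assumptions for the example.

```powershell
# Added example, not code from the original article.
# Assumptions: a shared mailbox named "Help Desk" exists, and 180 days of retention is wanted.
$mailbox = "Help Desk"

# Turn auditing on and set the delegate/admin action lists explicitly. The default
# AuditDelegate list already includes SendAs, but stating it avoids surprises if the
# list was trimmed earlier. AuditLogAgeLimit is a TimeSpan in dd.hh:mm:ss format.
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditDelegate Update,SoftDelete,HardDelete,SendAs,SendOnBehalf,Create `
    -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,Create `
    -AuditLogAgeLimit 180.00:00:00

# Verify the settings actually took effect on the mailbox.
Get-Mailbox -Identity $mailbox |
    Format-List Name,AuditEnabled,AuditLogAgeLimit,AuditAdmin,AuditDelegate,AuditOwner

# Optional (assumption: you want the same for every shared mailbox, not just Help Desk).
# Find any shared mailbox that is still unaudited and enable it with the same action lists.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true `
        -AuditDelegate Update,SoftDelete,HardDelete,SendAs,SendOnBehalf,Create `
        -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,Create `
        -AuditLogAgeLimit 180.00:00:00
```

Owner actions (AuditOwner) are left alone here; logging every owner action on a busy shared mailbox generates a lot of entries and is rarely needed for the Send As question this article is about.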

So, assuming mailbox audit logging is already enabled for the Help Desk mailbox, we can perform an audit log search to find out who took the Send As action at that time.

Performing Mailbox Audit Log Searches Using the Exchange Admin Center

In the Exchange admin center navigate to Compliance Management and choose Auditing. There are several items in that section but we’re interested in “Run a non-owner mailbox access report” in this case.


Set the date range you’re interested in, and then click on Select Mailboxes to add the specific mailbox you want to search. Finally, set the search type to “All non-owners”, and then click Search to begin.


After a few moments your search results should appear. If you’ve picked a large date range, or a mailbox with a lot of non-owner activity, then you may have quite a lot of results to scroll through.

But for this example we can see that someone has in fact performed a "Send As" on the date in question, with a subject line matching the email that caused all the fuss to begin with. So it seems we have our culprit, caught red handed, thanks to mailbox audit logging.

Performing Mailbox Audit Log Searches Using the Exchange Management Shell

Naturally we can also perform this search using PowerShell and the Search-MailboxAuditLog cmdlet.

For example, to search the "Help Desk" mailbox audit logs for delegate actions on the 14th of January 2014, the following command is used. Dates given without a time are interpreted as midnight, so a start date of 1/14/2014 and an end date of 1/15/2014 covers the whole of the 14th.

[PS] C:\>Search-MailboxAuditLog -Identity "Help Desk" -LogonTypes Delegate -StartDate 1/14/2014 -EndDate 1/15/2014
RunspaceId               : d8142847-166a-488a-b668-f7b84c3f3ceb
MailboxGuid              : a0f10db1-5268-47a5-8f71-d1e65f55c653
MailboxResolvedOwnerName : Help Desk
LastAccessed             : 14/01/2014 9:31:08 PM
Identity                 : exchange2013demo.com/Company/Resources/Help Desk
IsValid                  : True
ObjectState              : New

We can see a result, and the time stamp matches the email message that was sent, but little else is shown about the event. To see more we need to use the -ShowDetails parameter.

[PS] C:\>Search-MailboxAuditLog -Identity "Help Desk" -LogonTypes Delegate -StartDate 1/14/2014 -EndDate 1/15/2014 -ShowDetails
RunspaceId                    : d8142847-166a-488a-b668-f7b84c3f3ceb
Operation                     : SendAs
OperationResult               : Succeeded
LogonType                     : Delegate
ExternalAccess                : False
DestFolderId                  :
DestFolderPathName            :
FolderId                      :
FolderPathName                :
ClientInfoString              : Client=MSExchangeRPC
ClientIPAddress               : 192.168.0.181
ClientMachineName             :
ClientProcessName             : OUTLOOK.EXE
ClientVersion                 : 15.0.4551.1004
InternalLogonType             : Owner
MailboxOwnerUPN               : Sarah.Jones@exchange2013demo.com
MailboxOwnerSid               : S-1-5-21-2175008225-1847283934-4039955522-1471
DestMailboxOwnerUPN           :
DestMailboxOwnerSid           :
DestMailboxGuid               :
CrossMailboxOperation         :
LogonUserDisplayName          : Sarah Jones
LogonUserSid                  : S-1-5-21-2175008225-1847283934-4039955522-1471
SourceItems                   : {}
SourceFolders                 : {}
SourceItemIdsList             :
SourceItemSubjectsList        :
SourceItemFolderPathNamesList :
SourceFolderIdsList           :
SourceFolderPathNamesList     :
ItemId                        :
ItemSubject                   : Wheeee!
DirtyProperties               :
OriginatingServer             : E15MB1 (15.00.0775.022)
MailboxGuid                   : a0f10db1-5268-47a5-8f71-d1e65f55c653
MailboxResolvedOwnerName      : Help Desk
LastAccessed                  : 14/01/2014 9:31:07 PM
Identity                      : RgAAAAD2fF/dZobvQoWbbV7P6N7eBwD7Y5OF+DDRQZRz1a4+yUyzAABaldDBAAD7Y5OF+DDRQZRz1a4+yUyzAABaldDCAAAJ
IsValid                       : True
ObjectState                   : New

As you can see we get the same information that reveals the sender of the email message, as well as some extra info that may be useful as well.
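The one-off search above is fine for a single known event. As an added example (not from the original article), the following script does what you would actually want in an investigation: search both admin and delegate logons, keep only Send As and Send On Behalf operations whose subject matches the message in question, warn if the result set hit the cmdlet's result limit, and print a compact who/when/from-where table. It also shows the asynchronous New-MailboxAuditLogSearch alternative for large date ranges. The mailbox name, subject, dates and notification address are assumptions for the example.

```powershell
# Added example, not code from the original article.
# Assumptions: mailbox "Help Desk", the offending subject "Wheeee!", events on 14-15 Jan 2014,
# and admin@exchange2013demo.com as the recipient for the asynchronous report.
$mailbox = "Help Desk"
$subject = "Wheeee!"
$start   = Get-Date "2014-01-14"
$end     = Get-Date "2014-01-16"   # end dates without a time mean midnight, so add a day to include the 15th
$limit   = 5000                    # Search-MailboxAuditLog returns only 250 entries unless told otherwise

# Admin logons (e.g. a full-access account) and delegate logons can both Send As, so search both.
$raw = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize $limit

# If we filled the result set, some events may have been cut off; the async search below has no such cap.
if (@($raw).Count -ge $limit) {
    Write-Warning "Result limit of $limit reached; results may be incomplete. Use New-MailboxAuditLogSearch instead."
}

# Keep only send operations whose subject matches. "-contains" is used rather than "-in"
# so the script also works in the PowerShell 2.0 shell of Exchange 2010 SP1.
$events = $raw | Where-Object {
    ('SendAs','SendOnBehalf') -contains $_.Operation -and $_.ItemSubject -like "*$subject*"
}

# Who did it, when, from which client and IP. LastAccessed is shown in the shell's local
# time zone, so compare it against the message's Date header with that in mind.
$events |
    Select-Object LastAccessed,Operation,OperationResult,LogonUserDisplayName,LogonUserSid,
                  ClientIPAddress,ClientProcessName,ClientVersion,ClientInfoString,ItemSubject |
    Sort-Object LastAccessed |
    Format-Table -AutoSize

# Asynchronous alternative for large ranges or several mailboxes: the results are mailed
# as an XML attachment to the status recipients instead of being returned to the shell.
New-MailboxAuditLogSearch -Name "Help Desk SendAs investigation" -Mailboxes $mailbox `
    -LogonTypes Admin,Delegate -Operations SendAs,SendOnBehalf `
    -StartDate $start -EndDate $end -ShowDetails `
    -StatusMailRecipients admin@exchange2013demo.com
```

Filtering on ItemSubject after the search rather than trusting the time stamp alone matters when the mailbox is busy: a Help Desk mailbox may have several Send As events within the same minute, and the subject is what ties the audit entry to the message you were asked about.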

Summary

In this article I’ve used a common scenario to demonstrate the value of mailbox audit logging, as well as demonstrating how to perform simple mailbox audit log searches. Hopefully by now you can see the value of mailbox audit logging and are considering enabling it in your organization, even if only for your most important/shared mailboxes.


This article Using Exchange Server Mailbox Audit Logs to Find the Sender of an Email from a Shared Mailbox is © 2014 ExchangeServerPro.com


