Stellar Reporter & Auditor for Exchange Server

toogle
Stellar Reporter & Auditor for Exchange Server / 3. Getting Started / 3.5. Configuration and Settings / 3.5.2. Exchange Server Configuration Settings

3.5.2. Exchange Server Configuration Settings

Configuration Required for Auditor:

Auditor reports are generated using events recorded in Event Viewer logs. To get auditor reports following configurations are required:

1. Configuring Exchange Servers for Exchange Auditing

Diagnostic Logging should be configured in Exchange Servers to gain access to Mailbox Logon reports. Upon configuration, the mailbox logon events are recorded in the ′Application Log′ in ′Event Viewer′ and further used for generating Mailbox Logon reports. This topic explains the procedure to set the Diagnostic Logging levels using the Exchange Management Shell and Exchange Management Console.

Use Exchange Management Shell to configure Exchange Server 2007, 2010, 2013, 2016:

  1. Open Exchange Management Shell from Start -> Programs -> Microsoft Exchange.

  2. Run the following command.

Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" –Level Expert

OR

Use Exchange Management Console to configure Exchange Server 2007 and 2010

  1. Open Exchange Management Console from Start -> All Programs -> Microsoft Exchange.

  2. In the console tree, navigate to Server configuration -> Mailbox

  3. Right click on the server and select Manage Diagnostic Logging Properties.

  4. On the Manage Diagnostic Logging Properties wizard page, expand MSExchangeIS --> 9000 Private and select Logons service.

  5. Set the logging level as Expert.

  6. Click Configure.

 

2. Configuring Domain Controllers for Exchange Auditing

Default Domain Controller Policy should be configured for accessing Mailbox Property Changes and Mailbox Permission Changes reports. Upon configuration, events related to mailbox permission and property changes will be recorded in the ′Security Log′ in ′Event Viewer′. Based on these event details, the Permission and Property Change reports are generated.

Configuring Default Domain Controller Policy:

  1. Log on to a Domain Controller using an administrative account.

  2. If Windows 2008 server, open Group Policy Management from Start -> Administrative tools.

  3. Navigate to ForestName -> Domains -> DomainName -> Group Policy Objects -> Default Domain Controller Policy and right click to Edit it.

  4. Navigate to Computer Configuration -> Policies-> Windows Settings -> Security Settings -> Local Policies.

  5. Select Audit Policy.

  6. If Windows 2003 server, select Domain Controller Security Policy from Start -> Administrative tools. Under Local Policies, Select Audit Policy.

  7. In the right pane, double click the following policies and enable "Success" and "Failure" settings.

    • Audit directory service access

    • Audit objects access.

  8. Click OK.

 

3. Configuring Object level Auditing (Domain Partition)

Object level Auditing (Domain Partition) should be configured for accessing Mailbox Property Changes and Mailbox Permission Changes reports. Upon configuration, events related to mailbox permission and property changes will be recorded in the 'Security Log' in 'Event Viewer'. Based on these event details, the Permission and Property Change reports are generated.

  1. Open Active Directory Users and Computers from Start -> Administrative Tools.

  2. Select Advanced Features from View menu to view the advanced security settings.

  3. In the left pane, right click on the Domain and select "Properties".

  4. Under the Security tab, click "Advanced" to open the "Advanced Security Settings for Domain" window.

  5. Under the Auditing tab, click "Add" to add the security principal object to which the policy will be applied.

  6. Enter the object name as "Everyone" and click ok. This opens the "Auditing Entry for the domain"

  7. Specify the Apply Onto field as follows

    • If Windows Server 2008, Select "Descendant User objects"

    • If Windows Server 2003, Select "User Objects"

    • Select "Successful" for the following Access

      • Write All Properties

      • Delete

      • Modify Permissions

      • All Extended Rights

    • Click OK.

 

4. Configuring Object level Auditing (Configuration Partition)

Object level Auditing (Configuration Partition) should be configured for accessing Organization Change reports. Upon configuration, events related to organization changes will be recorded in the 'Security Log' in 'Event Viewer'. Based on these event details, the Organization Change reports are generated.

  1. Open ADSI Edit from Start -> Administrative Tools.

  2. Select Configuration Partition.

  3. In the left pane, right click on the CN=Configuration and select "Properties".

  4. Under the Security tab, click "Advanced" to open the "Advanced Security Settings for Configuration" window.

  5. Under the Auditing tab, click "Add" to add the security principal object to which the policy will be applied.

  6. Enter the object name as "Everyone" and click ok. This opens the "Auditing Entry for Configuration"

  7. Select the following Access

    • Write All Properties

    • Delete

    • Modify Permissions

    • All Extended Rights

    • Create all child objects

    • Specify the apply Onto field as follows

      • If Windows Server 2003, Select "This object and all child objects".

      • If Windows Server 2008, Select "This object and all descendant objects".

    • Select the type as "Successful".

    • Click OK.