In today's installment of "Microsoft Exchange Server 2007 Service Pack 2 Highlight", I bring you a brief overview of how we have made auditing mailbox access easier (in the aforementioned service p...
Published Sep 04, 2009
Version 1.0
Blog Post
Rob - Yes, it's in the plans, but we were delivering the code for Access Auditing extremely late the 2010 delivery cycle. In general 2010's auditing capabilities as is surpass 2007 but we are looking at how this (and the upcoming mailbox security descriptor auditing) complement 2010's features.
Amar - In this case, Secretary is user A, Manager is user B, so if you have configured auditing at any level greater than 1 (Administrative access level) you will see the events audited. We evaluated specific options for "Not when A is a delegate of B" or 'Optionally when A is a delegate of B" but in the four years worth of case data, every critsit ever opened where auditing was used, and every deployment plan I had access to where Auditing was designed in I could not justify adding yet another level of complexity.
There are great things that can be done with this information, but I expect that there's a lot of room for our third party partners to extened and add value. I expect that because we had to decide which areas were core features and which were "Value add but not essential", and one of these is in the "This set of actions is a false positive because A is a delegate of B" area. The events themselves are designed to be easily consumed by programs (the identifier field was added specifically for short term correlation) but those programs don't exist...yet.
Amar - In this case, Secretary is user A, Manager is user B, so if you have configured auditing at any level greater than 1 (Administrative access level) you will see the events audited. We evaluated specific options for "Not when A is a delegate of B" or 'Optionally when A is a delegate of B" but in the four years worth of case data, every critsit ever opened where auditing was used, and every deployment plan I had access to where Auditing was designed in I could not justify adding yet another level of complexity.
There are great things that can be done with this information, but I expect that there's a lot of room for our third party partners to extened and add value. I expect that because we had to decide which areas were core features and which were "Value add but not essential", and one of these is in the "This set of actions is a false positive because A is a delegate of B" area. The events themselves are designed to be easily consumed by programs (the identifier field was added specifically for short term correlation) but those programs don't exist...yet.