One of the biggest challenges for an Exchange Server Administrator is to find out who has sent an email from a shared mailbox if multiple users have send as permissions on that shared mailbox. The other scenario would be a delegate having send as permissions on his/her manager’s mailbox. Before exchange server 2010 it was almost impossible to track the emails that have been sent as some other user or shared mailbox. Now we have a feature called mailbox audit in exchange server 2010 and 2013 which can help to track who has sent email as other user or shared mailbox.
By default mailbox audit is not enabled on mailboxes. The reason is that enabling mailbox audit creates a new folder named audits under recoverable deleted items in the mailbox. This could take significant amount of space down the line and can cause mailbox size to grow. Organizations enable this feature for sensitive shared mailboxes and VIP users.
Mailbox audit logging has the following default configuration in Exchange Server 2013:
- Mailbox audit logging is disabled
- Audit log entries are retained for 90 days
- No owner actions are logged
- Some delegate and administrator actions are logged
We can run this command in Exchange Management Shell to check if mailbox audit is enabled for a user. By default it is disabled for all mail enabled users.