An administrator can specify a mailbox audit policy, select groups and/or organization units, and then the LOGbinder service will set mailbox audit policy for the mailboxes in those groups and organizational units. The LOGbinder service will regularly enforce this policy, in case new mailboxes were added to the groups and organizational units—or if the policy had been changed for a mailbox.

Using LOGbinder Control Panel to set mailbox audit policy

To set mailbox audit policy, open the Input properties window, and click on the link “Mailbox Audit Policy.” (The same link is available in the Options window.)

NOTE: If the link in Options is disabled, it is because you have not yet created an Input pointing to an Exchange installation. After creating an Input you can set mailbox audit policy.

The main window (see Figure 1) gives an overview of the existing mailbox audit policy that has been set in LOGbinder. This will be empty if this is your first time setting audit policy. From here, you can (1) specify the audit policy, (2) select organizational units that the policy should apply to, and (3) select Exchange groups that the policy should apply to.

Figure 1: Mailbox Audit Policy settings

Clicking on the "Audit Policy" link will open the Mailbox Audit Policy. (See Figure 2.) Select the actions under the appropriate columns: Administrator, Delegate, and Owner. If you select None, all the other boxes will be unchecked and that type of mailbox access will not be audited.

Click the link “Set default audit policy” to use Microsoft’s default mailbox audit policy. You can continue to adjust the policy to suit the needs of your organization.

A recommendation from LOGbinder: Do not audit Owner access, leave it set to None. Auditing what a user does in his own mailbox will create a huge number of audit events, events that have very little value, and will choke your Exchange installation—as well as the LOGbinder service.

Figure 2: Mailbox Audit Policy

When finished adjusting the audit policy, click on the Close button to return to the main Mailbox Audit Policy window.

Clicking on the "Adjust Organizational Units" link to specify organizational units. (See Figure 3.) The list of all organizational units will be shown in the list. If you wish to apply to policy to organizational units, select one or more items and press the Add to Selected button.

Figure 3: Select Organizational Units

When finished selecting the organizational units, click on the Close button to return to the main Mailbox Audit Policy window.

Clicking on the "Adjust Groups" link will present the Select Groups window. (See Figure 4.) You must first filter groups. Enter at least the first three characters of the groups’ names—then press the Go button. The list of groups that match will show in the list. Select one or more groups and press the Add to Selected button. The Selected Groups list will contain the groups to which the policy will be applied. You may repeat the filtering as many times as needed.

If you press the Go button with no text in the Filter Groups box, then all groups will be listed. This is not recommended if you have a large number of groups.

Figure 4: Select Groups

When finished selecting the groups, click on the Close button to return to the main Mailbox Audit Policy window.

When you press OK, LOGbinder will save the adjustments to your mailbox audit policy.

Enforcing Mailbox audit policy

Every night, the LOGbinder service will enforce your mailbox audit policy. It will find the mailboxes that are contained in the groups and/or organizational units. If the mailbox’s audit policy does not match, LOGbinder will change its policy. LOGbinder will report on the number of mailboxes that have been adjusted. Please note that you must set the “Audit Log” management role to use this feature – See Check User Accounts and Authority section in the "Installing LOGbinder for Exchange" article.

NOTE: For performance considerations, it is recommended that you use as few groups and/or organizational units as possible. The greater the number of groups and organizational units, the longer it will take to inspect audit policy.