Exchange Server Security Reports

Microsoft Exchange Administrators need to constantly monitor various objects in Exchange, especially when granting permissions for mailboxes and public folders. Managing permission levels can be quite challenging as certain permissions are explicitly defined, while others are inherited by virtue of membership (‘who has access to what and how?’).

Exchange Admins constantly face the challenge of granting or revoking permissions to various Exchange objects and retrieving them for Internal Audit and IT Compliance purposes.

The following tasks require periodic attention when managing an Exchange environment (to name a few):

  • Enumerate the list of users and groups and their permission levels, both those set by default and those inherited by virtue of membership, when accessing common resources such as public folders, mailboxes etc.
  • Perform ‘Sanity checks’ on various Exchange objects to ensure adherence to IT policies & governance.
  • Retrieve configuration and security related settings defined across each object for documentation purposes.
  • Track user activities in the context of resource access and utilization.
  • Monitor security settings of individual mailboxes at the folder level.
  • Manage security settings associated with Storage Groups, rights and permissions associated with individual mailboxes, permissions defined for various distribution groups and client access permissions on Public Folders in an Exchange environment.
  • Manage disabled mailboxes that are part of distribution groups and have access to public folders etc.

Admin Report Kit for Exchange Server (ARKES) presents critical configuration information about the various objects associated with the Exchange Server as several insightful reports. The following are some of the built-in reports, which are useful for Exchange Administrators and IT Managers in managing the Exchange environment.

1. Mailbox Rights Report:

Mailbox Rights report provides information about the mailboxes and the rights that are associated with them. The final report displays mailbox related information with the rights granted and their access type (Allow or Deny).

Report fields: Owner, Name, Type, Permissions, Display Name, Alias Name, Fully qualified domain name of object, First name and Last name.

You can group the report by Permissions field to enumerate the users with specific permissions corresponding to the mailboxes.

2. Mailbox Permissions Report:

Mailbox Permissions report gives information about the permissions associated with the mailbox.

Report Fields: First name, Last name, Owner, Name, Type, Permissions, Display Name, Alias Name, and FQDN of the object.

To know who has maximum permissions corresponding to a mailbox, the above report can be grouped by the Permissions field.

To know who is the owner of a mailbox, the above report can be grouped by the Owner field.

3. Mailbox default folder security:

Mailbox default folder security report gives the security settings defined on the various folders such as the Inbox, Sent Items etc. corresponding to the mailbox. The folders are listed against their corresponding permissions level for each mailbox.

Report Fields: Display Name, Alias Name, Fully qualified domain name of object, First name, Last name, Folder Name, Account Name, and Permission Level.

The above report when grouped by Permission Level would provide the Permission level of users for various folders within a mailbox.

4. Mailbox Size Report:

Mailbox Size Report provides the Mailbox size settings and other relevant details about the mailbox usage.

Report Fields: Home Server, Mailbox Store, Storage Limits Settings, Issue warning at (KB), Prohibit send at (KB), Prohibit send and receive at (KB), Mailbox, Windows NT Account, Total K, Total no of Items, Last Logon Time, Last Logoff Time, Deleted Items K, Full Mailbox Directory Name, Total no of Associated Messages, Display Name, Alias Name, Fully qualified domain name of object, First name and Last name.

To sort the Mailboxes by their Size, the above report can be grouped by ‘Total K’.

The above report, when grouped by Total K, would show the mailboxes that occupy the most space on the Exchange Server.

5. Mailbox First Activity and Last Activity Report:

Mailbox Activity Report displays the dates of First activity and Last (recent) activity performed by the mailbox user.

Report Fields: Deleted Items activity date, Deleted Items message count, Deleted Items size (KB), Inbox activity date, Inbox message count, Inbox size (KB), Sent Items activity date, Sent Items message count, Sent Items size (KB), Display Name, Alias Name and Fully qualified domain name of object.

6. Mail Users Permissions report:

Mail Users Permissions report retrieves permissions associated with the mail user and its access type (Allow or Deny).

Report Fields: Display Name, Alias Name, Fully qualified domain name of object, First name, Last name, Owner, Name, Type, and Permissions.

The above report when grouped by Permissions field would give the list of users with full permissions and users with limited permissions.

7. Mail User membership reports:

Mail User membership report gives information about the groups that mail users are a part of. The Primary group name and the group mail ID, along with the number of membership groups (groups which the user is a member of), are reported here.

Report Fields: First name, Last name, Number of Membership groups, Member Of, Member of E-mail, Primary group name, Primary group E-mail, Display Name, Alias Name and Fully qualified domain name of object.

Group the above report by Member Of to view group-wise information about the membership details of mail users.

8. Distribution Group-Members report:

Distribution Group-Members report enumerates the Distribution Groups and the corresponding details of individual members in the group. The number of individual members under the specific distribution group and their corresponding mail IDs are reported here.

Report Fields: Display Name, Alias Name, Fully Qualified domain name of object, Number of Members, Members and Member E-mail.

The above report when grouped by Members field would give the membership details of individual users in various distribution groups.

9. Distribution Group-Membership report:

Distribution Group Membership report gives membership details of the specific distribution group. Membership details pertain to the groups that the specific distribution group is a part of. The number of members, their respective names and e-mail IDs are some additional fields in this report.

Report Fields: Display Name, Alias Name, Fully Qualified domain name of the object, Number of Members, Members and Member E-mail.

10. Distribution Group-Permissions report:

Distribution Group Permissions report displays the permissions associated and their access type (Allow or Deny) corresponding to the individual users and groups.

Report Fields: Display Name, Alias Name, Fully Qualified domain name of object, Owner, Name, Type, and Permissions.

The report, when grouped by ‘Permissions’, would present the above information permission-wise and allow the user to find users and groups with full-fledged permissions.

11. Public Folder Membership report:

Public Folder Membership report displays the membership details of the Public Folders.

Report Fields: Display Name, Alias Name, Fully qualified domain name of object, Number of Membership groups, Member Of, Primary group name, and Member Of E-mail.

12. Public Folder Permissions report:

Public Folder Permissions report enumerates the users and groups associated with the Public folder and their corresponding permissions. The type of permissions (Allow or Deny) is also reported. This report would help IT administrators to track the maximum permissions allotted to an individual user or group against the specific public folder.

Report Fields: Display Name, Alias Name, Fully qualified domain name of object, Owner, Name, Type, and Permissions.

13. Public Folder-Client Permissions:

Public Folder Client Permissions report provides information about the Client Permissions associated with the Public folders. The Mailbox store, Public Folder Tree and the corresponding Home Server are some of the critical information reported here. The scope of the information reported can range from Specific public folders to all public folders under a specific container.

Report Fields: Display Name, Alias Name, Fully qualified domain name of object, Home Server, Mailbox Store, E-mail, Public Folder Tree, Path, Address List Name, Public Folder Description, Folder Path, and Client Permissions.

14. List of Distribution Groups/Public folders that use disabled mailboxes in their security:

Disabled mailboxes which continue to be a part of the security settings corresponding to Distribution Groups and Public Folders are displayed in this report. Mailboxes that are disabled owing to various reasons are identified and removed keeping in mind the optimum resource utilization.

Report Fields: Object Path, Object Name, Display Name, Alias Name, Fully qualified domain name of object, Owner Name, and Type Permissions.

15. Storage Groups Security Report:

Storage Groups Security report gives information about the security settings corresponding to the Storage groups. The scope of the report can be widened to include new objects, i.e. administrative groups, servers and storage groups, at the user’s discretion. What if the user does not have access to the storage group? The user can still connect to the storage group and access the required information by switching to a different set of credentials. The user can also set a password for the report to prevent unauthorized access and can still save the settings for repeated access.

Report Fields: Owner, Name, Type and Permissions.

A quick walk-through of ARKES

Report Scope

ARKES allows users to define the scope of each report, making it possible to retrieve enterprise strength data or pull out precise information about an entity. The scope of reporting can be fine-tuned based on the intended usage scenario of the solution. Deciding on the appropriate report scope saves the time involved in processing large amounts of Exchange data.


Figure 1: Search Scope

Figure 1 shows the ‘Search Scope’, where the scope of the generated report can be restricted to a specific mailbox or widened to include all mailboxes within a specific container. The provision to include all containers throughout the organization or to choose specific containers also exists.

Custom Report View

ARKES allows users to specify the report fields and the Group by field to use when displaying the report. The customized report view can be stored as a template for future use.


Figure 2: New Report View

Figure 2 shows the available fields and the report fields that are selected for viewing. Users are empowered by ARKES’ inherent ability to customize reports and provide actionable information about the Exchange infrastructure.

An Example

Let us assume that the Exchange Admin wants to enumerate the rights associated with a specific mailbox, say, David S. Robinson and the permissions granted to him in the public folders across the organization.

To list the users and groups who have rights with respect to David S. Robinson’s mailbox, the Exchange administrator can use the Mailbox Rights Report and select the corresponding mailbox of David S. Robinson from the Recipient Picker dialog as shown in the screenshot below.


Figure 3: Recipient Picker dialog


Figure 4: Screenshot of Mailbox Rights Report

Figure 4 displays the Mailbox Rights associated with David Robinson’s mailbox. The First and Last names and the Owner of the mailbox are some of the relevant details reported. The ‘Name’ field displays the names of the individual users and groups that have rights in the corresponding mailbox. Their permission levels and the access type (Allow or Deny) are also reported.

Let us see how ARKES displays the Permissions granted to David Robinson in various Public Folders. The Exchange administrator has to select the Public Folder Permissions report and then either select specific public folders or choose all public folders in specific containers. In this case, the Exchange administrator wants to know the permissions granted to David Robinson across all public folders (all containers in ‘Entire Organization’).


Figure 5: Screenshot of Public Folder Permissions Report

Figure 5 displays the Public Folder names and other relevant information corresponding to David Robinson as reported by the Public Folder Permissions Report. The type of permission that David has on the listed public folders and the exact permissions granted are also reported.

For more information on ARKES, please refer to our product home page.