Using Exchange Control Panel (ECP) to manage an Exchange Organization (Part 4)

If you would like to read the other parts in this article series please go to:

Auditing Reports…

Exchange Server 2010 provides report capabilities and it can be just a couple of clicks away when using Exchange Control Panel. On the main page (Figure 01) we have several options, such as:

  • Non-owner mailbox access report

  • Litigation Hold Report

  • Administrator role group report

  • Export mailbox audit logs

  • Export the administrator audit log


Figure 01

Our first Audit Report is the Run a Litigation hold report… Litigation Hold is the process where an administrator can enable a mailbox so that any message modified or deleted by the user will be preserved if the litigation is enabled. This feature is critical when an organization wishes to keep electronic data of a specific user. This feature is only possible due the Recoverable Item Folder architecture changes introduced in Exchange Server 2010 which tracks the information, and the new design enables 4 folders that will be used by the feature: Deletions, Versions, Purges and Audit.

Let’s go to Users & Groups, then Mailboxes, and double click on a user, then go to the Mailbox Features section, and by default Litigation Hold is disabled. Select and click Enable (Figure 02), and a dialog box will inform you that it may take up to 60 minutes to be active, just click Close, and then Save.


Figure 02

As part of the process a new page will be displayed where we can add a note and a URL that will provide more information to the end-user (It shows the information only if the user is using Outlook 2010 or Outlook Web App), as shown in Figure 03. After defining a Note and URL, click OK.


Figure 03

Okay, now that we have litigation hold in place, let’s go to Roles & Auditing. Then click Run a litigation hold report.., the new page will have options to perform a query such as: Start and End Date and a specific mailbox, as shown in Figure 04. The results will contain information if the litigation hold was enabled or disabled on the mailboxes listed in the report.


Figure 04

Another report available is Run an administrator role group report… The Administrator Audit Log is enabled by default on new Exchange Server 2010 Service Pack 1 implementations and a specific mailbox is assigned to keep all the information. When we click on the report we have the same options to narrow down the results (start and end date and a specific Role group). The results (Figure 05) will show all changes and on the right side we can get more details about a specific entry when selected on the right hand side.


Figure 05

We can also export the results of our previous step by clicking Export the Administrator Audit Log on the main page of Auditing. A new page with the same query option will be shown (figure 06) where we need to define which mailbox will receive the report (in our article let’s use Administrator). Click Export. The user specified here will receive the report with an XML attached to it however, by default Outlook Web App blocks XML files. If you want to use Outlook Web App you need to allow that file extension in your current OWA Mailbox Policy.


Figure 06

Time to run the Run a non-owner mailbox access report, but before doing that we must enable the Mailbox Audit on the mailboxes. When we have that feature enabled at mailbox level then mailbox audit log information will be recorded in the Audit subfolder of the Recoverable Item Folder structure.

Let’s enable the Mailbox audit, using the following syntax: Set-Mailbox <Mailbox> -AuditEnabled $true

After enabling the mailbox audit at mailbox level, we can click Run a non-owner mailbox access report on the main page of Auditing, and on the new page we can define date range, a specific mailbox and if the access was made by a couple of entities (All non-owner, Administrator and so forth), as shown in Figure 07.


Figure 07

After finding the required information, we can always export the results using the option Export Mailbox Audit Logs on the same main Auditing page, as shown in Figure 08. The only difference is that the results are not shown but sent to the mailbox specified on the Send the auditing report to field.


Figure 08

Managing ActiveSync Device Policy…

Using ECP we can control the ActiveSync Device Policy in place, create new ones and also assign the ActiveSync policies to a specific mailbox. The main page of ActiveSync Device Policy (Figure 09) will list all current policies while we can do changes by just double clicking on the desired policy or clicking the Details button, we can also delete policies using the delete button.


Figure 09

In order to create a new policy, click New… and on the New Exchange ActiveSync Policy page, the first thing to define is the name of the new policy. After that we can define security, sync and device settings, as shown in Figure 10. In this article let’s create a restricted ActiveSync Policy where we enforce strong passwords and disable some phone capabilities such as text messaging, removable storage access, camera and infrared, and yes your users will hate you!


Figure 10

Now, that we have a new policy created by ECP, we can use the same tool to associate the new policy to the mailboxes. Let’s go to Users & Groups, click Mailboxes and then double click the desired user, expand the Phone & Voice Features sections and here, we can define if Exchange ActiveSync will be enabled or not for the user (Figure 11). Then, we can move on and click Edit…


Figure 11

In the new page, click Browse and a list of the Exchange ActiveSync Policies will be listed. Pick the new one that we have just created in the previous step (Figure 12), and use the same settings to manage the end-user mobile device


Figure 12

Managing ActiveSync Access

In Exchange Server 2010 Service Pack 1 the ActiveSync Access was introduced, which is a feature that allows the administrator to control how new devices will join the current ActiveSync infrastructure. In order to configure the basic settings for this feature, click Phone & Voice, and then click on the first Edit button located in the Exchange ActiveSync Access Settings area, as shown in Figure 13.


Figure 13

The Exchange ActiveSync Settings page is pretty straight forward. Basically, on the connection settings we can define the default setting when a new device connects and starts synchronizing with Exchange through ActiveSync and when the device is not managed by a rule or personal exemption. The possible options are: Allow, Block or Quarantine (ABQ). We are going to be radical in this article series, so let’s select Quarantine as the default method. The second option is which mailbox will be notified when a new device is quarantined, we just need to click Add and pick a mailbox up from the Global Address List. The last configuration part is about the message that the user trying to connect will receive in his/her Inbox. Note: this message is not going to show in the user’s device but in the user’s Inbox. After that, click Save. (Figure 14)


Figure 14

In the same ActiveSync Access area we also have two extra sections which are Quarantined and Device Access Rules, as shown in Figure 15.


Figure 15

We can also create Device Access Rule (Figure 16), where we can define a specific access to a device family and/or model. We can take advantage of the design of the solution by defining specific devices which were tested with Allow Access, then block some devices that you know that may cause some performance issues and configure the ActiveSync Access Policy to quarantine all other devices that are unknown at this moment.


Figure 16

Conclusion

In this final article we went through the process of checking Audit Reports and also ActiveSync features that can be managed through Exchange Control Panel.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top