Active Directory based Microsoft Exchange Mailbox and Group Reports
Microsoft Exchange uses Active Directory as the primary store for Exchange mailboxes and mail-enabled groups. Insight into their state is therefore important for mail management, and Microsoft Exchange Mailbox and Group Reports provide organizations with this insight.

ACTIVE DIRECTORY BASED EXCHANGE MAILBOX AND GROUP REPORTS
The following is a list of the Top-20 Active Directory based Exchange Mailbox and Group Reports that are vital for mail management and may also be important for IT audit and compliance –
I. Security State Reports –
The following Exchange reports provide insight into the state of Exchange mailboxes and groups –
- All mailbox-enabled or mail-enabled accounts
- All mail-enabled security and distribution groups
- All recently mail/mailbox enabled accounts, and all recently mail-enabled groups
- All mail/mailbox-enabled accounts for which proxy addresses are specified
- All mail-enabled groups for which proxy addresses are specified
- All mail/mailbox-enabled accounts / groups that are hidden from Exchange address lists
- All mailbox-enabled accounts with custom sending message size restrictions specified
- All mailbox-enabled accounts with custom receiving message size restrictions specified
- All mailbox-enabled accounts that can only accept messages from specific users
- All mailbox-enabled accounts with custom recipient limits specified
- All mailbox-enabled accounts with custom storage limits specified
- All mailbox-enabled accounts with custom deleted-item retention settings specified
- All mailbox-enabled accounts with Outlook Web Access (OWA) enabled
- All mailbox-enabled accounts with Outlook Web Access (OWA) disabled
- All mailbox-enabled accounts with Outlook Mobile Access enabled
II. Delegated Administrative Access Reports –
The following Exchange reports provide critical insight into who can modify* the state of Exchange mailboxes and groups, i.e. who has sufficient privilege to modify their state –

* SECURITY NOTE – It is very important to understand that where a user/group has specific permissions in Active Directory is NOT the same as who is delegated what administrative access in Active Directory. To correctly determine who is delegated what access, one needs to determine resultant access in Active Directory. Also, depending on the specific report, it may not be sufficient to determine resultant access on just one object.

- Who can mail-enable / mailbox-enable a domain user account, and which ones?
- Who can mail-enable a domain security group, and which ones?
- Who can change message size-restrictions on mailbox-enabled accounts, and on which ones?
- Who can change storage-limits on mailbox-enabled accounts, and on which ones?
- Who can enable/disable OWA on mailbox-enabled accounts, and on which ones?
These delegated administrative access reports are absolutely mission-critical to security because they reveal exactly who has the ability to change the state of Exchange mailboxes and groups.
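
A simplified model of the resultant-access calculation the security note describes, added here as an illustration and not taken from the page or from any reporting tool. All principals, groups, object names and ACLs are constructed, the attribute name `mDBStorageQuota` is an assumed stand-in for a storage-limit setting, and only write-property ACEs are modelled (ownership and broader rights are ignored):

```python
from dataclasses import dataclass
from typing import Optional

ATTR = "mDBStorageQuota"  # assumed: attribute behind a mailbox storage limit

# Constructed directory data: principal -> groups it is a direct member of.
MEMBER_OF = {
    "alice": {"Helpdesk"}, "bob": {"Mail Admins"},
    "carol": {"Mail Admins", "Contractors"}, "dave": {"Contractors"},
    "Helpdesk": {"Mail Admins"},  # nested group
}

@dataclass(frozen=True)
class Ace:
    allow: bool               # True = allow ACE, False = deny ACE
    trustee: str
    attribute: Optional[str]  # None = write access to all properties
    inherited: bool = False

# Constructed DACLs for two mailbox-enabled accounts.
DACLS = {
    "CN=Mailbox1": [
        Ace(True, "Mail Admins", ATTR, inherited=True),
        Ace(False, "Contractors", None, inherited=True),
        Ace(True, "dave", ATTR),  # explicit allow set on the object
    ],
    "CN=Mailbox2": [Ace(True, "Helpdesk", None, inherited=True)],
}

def expand(principal):
    """The principal plus every group it belongs to, directly or nested."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def can_write(user, dacl, attribute):
    """First matching ACE in canonical order decides; no match = no access."""
    sids = expand(user)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    for ace in sorted(dacl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee in sids and ace.attribute in (None, attribute):
            return ace.allow
    return False

def report(users, attribute=ATTR):
    """Who can change the attribute, and on which objects."""
    return {dn: sorted(u for u in users if can_write(u, dacl, attribute))
            for dn, dacl in DACLS.items()}

if __name__ == "__main__":
    print(report(["alice", "bob", "carol", "dave"]))
```

Reading the ACL on Mailbox1 alone names only "Mail Admins" and "dave" as allowed; the resultant answer adds alice (through a nested group) and excludes carol (through an inherited deny), and differs again on Mailbox2.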
How to Generate these Group Reports:
Organizations generally have two predominant reporting options to fulfill their AD reporting needs, and most prefer to use reporting tools, especially to fulfill their delegated access reporting needs.
The Microsoft-endorsed Gold Finger Active Directory reporting tool can also generate these reports.