I am in a situation where I believe my Windows Systems Engineer is giving full access to upper management's mailboxes. After viewing the Administrator Audit Logs, I found entries similar to this:
Date: Random Dates/Times
User: The Accused
Object Modified: Upper Management Mailbox
Cmdlet: Add-MailboxPermission
Parameters: Identity=Upper Management User, User=The Accused, AccessRights=Full Access
I'm doing this off memory, so that may not be precise. Seems pretty suspicious, but I have a discrepancy that is preventing me on taking action. Although there is no correlation between the dates and times, there is however, a Remove-MailboxPermission Cmdlet that runs exactly 6 minutes after the Add-MailboxPermission log entry every time that I can find. This led me to believe there could be something automated changing permissions, but I honestly cannot think of anything.
Anyone's thoughts on this would be appreciated.
Phillip Buzzette - Entry Level IT Support