Enabling Message Tracking for non-administrator accounts

If you work for a large organization, odds are that you have people who need access to your Message Tracking logs but who should not be granted rights to do much more. Below, I'll outline the permissions necessary to grant a user or group the rights to track messages via the Message Tracking Center.

1.  In Exchange System Manager, at the Organization level, right-click and choose Delegate Control.  Grant the user or group Exchange View Only Admin permissions.

2.  On each Exchange server you want them to be able to track messages from, perform the following steps.

a.  Enable Message Tracking.  This is done in Exchange System Manager by going to the properties of the server.  The Message Tracking options are on the General tab.

b.  Grant read access to the Message Tracking log share.  Make sure that the user or group has rights to the Share as well as rights at the NTFS level.  Read rights are sufficient here.

c.  Open the WMI Management console, either by going to Computer Management, Services and Applications, WMI Control, or by simply typing wmimgmt.msc at the Run prompt.  Go to the properties of WMI Control, then go to the Security tab.  Expand Root, then highlight MicrosoftExchangeV2 and click Security.  Add the user or group and ensure that you allow the following four permissions.

1.  Execute Methods
2.  Provider Write
3.  Enable Account
4.  Remote Enable

3.  If you are accessing Message Tracking via Exchange System Manager that has been installed on your workstation, you should be good to go.  If you are accessing Exchange System Manager by logging on to a Terminal Services session on the Exchange server, then you will have to grant the user or group Log on Locally rights on the Exchange server(s).  You will also likely have to edit the Terminal Services Configuration (Windows 2000), or the Remote Desktops section (Computer properties, Remote tab, Windows 2003) and grant the user or group rights to log on via Terminal Services.

Comments (6)
  1. ...1 says:

    Very good site :) Good luck!

  2. ...1 says:

    Rather informative pages, nice =)

  3. ...1 says:

    9 out of 10! Get it! You are good!

  4. ...1 says:

    It's great that I found your site! Got important info! ))

  5. M says:

    How do you do that on Exchange Online?

    1. Exchange Online doesn’t expose Message Tracking logs in the same way they are available in On-Premises Exchange. There is the Message Trace UI, and the PowerShell commands Get-MessageTrace and Get-MessageTraceDetail. Since Exchange Online utilizes RBAC to assign permissions, it is actually far easier to do than in old versions of Exchange. For an overview on RBAC (Feature Permissions), see
      In a nutshell, if you want to customize rights to only be able to do a message trace, you need to find out which Roles already include that right, then create a new Custom role based on that. For example, the Get-MessageTrace command is included in the View-Only Recipients role. So you create a new custom management role with the parent of View-Only Recipients, and then you take out the Management Role Entries (Cmdlets) that you don’t want present. Once you are done customizing, you can assign that role to a user/group.
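
The custom-role procedure described in the reply above, as an added example that is not part of the original post or reply. It assumes an already connected Exchange Online PowerShell session with rights to manage roles; the role name `Message Trace Only` and the group `MessageTraceOperators` are hypothetical placeholders.

```powershell
# Added example. Names marked "hypothetical" are placeholders, not values from the page.
$parentRole = 'View-Only Recipients'    # parent role named in the reply above
$customRole = 'Message Trace Only'      # hypothetical custom role name
$traceGroup = 'MessageTraceOperators'   # hypothetical security group
# Cmdlets to keep. Get-MessageTraceDetail is kept only if the parent role
# carries it (assumption: a child role can never hold more than its parent).
$keep = 'Get-MessageTrace', 'Get-MessageTraceDetail'

# 1. Confirm the parent role really includes Get-MessageTrace before building on it.
$parentEntries = (Get-ManagementRoleEntry "$parentRole\*").Name
if ('Get-MessageTrace' -notin $parentEntries) {
    throw "Role '$parentRole' does not include Get-MessageTrace in this tenant."
}

# 2. Create the child role. It starts with every entry the parent has.
New-ManagementRole -Name $customRole -Parent $parentRole | Out-Null

# 3. Strip every management role entry except the message trace cmdlets.
Get-ManagementRoleEntry "$customRole\*" |
    Where-Object { $_.Name -notin $keep } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Verify the result before assigning it to anyone.
$remaining  = (Get-ManagementRoleEntry "$customRole\*").Name
$unexpected = $remaining | Where-Object { $_ -notin $keep }
if ($unexpected) {
    throw "Custom role still exposes: $($unexpected -join ', ')"
}
Write-Host "Role '$customRole' exposes only: $($remaining -join ', ')"

# 5. Assign the trimmed role to the group rather than to individual users,
#    so membership changes do not require touching RBAC again.
New-ManagementRoleAssignment -Name "$customRole-$traceGroup" `
    -Role $customRole -SecurityGroup $traceGroup

# 6. Audit: list every assignment of the custom role.
Get-ManagementRoleAssignment -Role $customRole |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType
```

Re-running step 4 periodically is a cheap way to detect the custom role being widened later.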
