Spotlight on Exchange 2010: Delivery Reports Part II (for Administrators)


In my recent post Spotlight on Exchange 2010: Delivery Reports, I discussed Delivery Reports from an end-user perspective. In this post I'll review the different things administrators can do with message tracking. We'll discuss disclosure and privacy control settings and do a quick review on which roles have access to message tracking and how to grant access to a user or group of users.

Disclosure and privacy control


There are two settings that can be modified in the organizational configuration to change the level of disclosure of sensitive items in Delivery Reports: Read status reporting and subject logging.














Feature


Default Setting


Read Status Reporting


Disabled


Subject Logging


Enabled


Read Status Reporting


If this feature is enabled, a user requesting the Delivery Report for a particular message can see if that message was marked as read in the recipient's mailbox. Unlike read receipts, read status does not require a separate user action, if the message was marked as read at some moment by the email client, we report the status change and subsequent "mark-as-unread" activity won't affect the read status of the message.

Set-OrganizationConfig -ReadTrackingEnabled $true

Read status reporting is disabled by default, and can be enabled for every user in the organization by executing the following cmdlet in PowerShell:

After doing this, every Delivery Report shown to a user will include the read status of the message in the recipient's mailbox, for all the recipients in the organization, as we can see the following screen capture:


Keep in mind that if a message is marked as "Read", it means that the email client marked that message as read; both OWA and Outlook will, by default, mark messages as read if they are shown in the preview pane.

To give administrators more granular control over this feature once it is enabled in the organization, administrators can select individual users and disable read status reporting for messages in their mailboxes. This can be useful for users that handle sensitive information and the act of reading those messages should be kept hidden from others. For example, to disable the read status reporting for user Lubor Kollar from the Legal department, the administrator would execute the following PowerShell cmdlet:

Set-Mailbox "Lubor Kollar" -MessageTrackingReadStatusEnable $false

As we can see in the following Delivery Report, the read event is not being reported for the user:


Subject Logging


Administrators can also choose if the subject line for messages is stored in the message tracking logs for all emails sent or received within the organization. This is enabled by default, and can be disabled by the on-premise administrators. Disabling this feature is not an available option for datacenter administrators.

Before making the decision to disable this feature, administrators should consider the impact of the change to the end user's experience. Disabling subject logging will make it impossible to search for Delivery Reports using the subject field, so administrators should alert users that the subject field has to remain empty in all Delivery Report searches.

Get-TransportServer | Set-TransportServer -MessageTrackingLogSubjectLoggingEnabled $false
Get-MailboxServer | Set-MailboxServer -MessageTrackingLogSubjectLoggingEnabled $false

To suppress the logging of message subjects in the Message Tracking logs, on-premise administrators have to disable Subject Logging on each Mailbox Server and Transport server in the organization. For multi-role servers administrators would only have to disable this for either of the roles. Administrators can use the following PowerShell cmdlets to disable Subject Logging in all servers within the organization:

Administrative Roles


Currently users in the following security role groups can read Delivery Reports on behalf of other users:


  • Organization Management
  • View-Only Organization Management
  • Recipient Management
  • Records Management

New-ManagementRoleAssignment "Message Tracking - Help Desk" -Role "Message Tracking" -SecurityGroup "Help Desk"
Add-RoleGroupMember "Help Desk" -member msteele

To add Delivery Reports capabilities to the Help Desk role group and add the user Mark Steele as a member of the Help Desk group, execute the following PowerShell cmdlets:

So, the next time Mark Steele logs into ECP he will be able to use the "Select what to manage" dropdown to access the ECP Help Desk view for the organization; then by clicking on the "Reporting" tab he will access the administrator view of the Delivery Reports search pane, as shown on the screen shot below:


In the screenshot we can also see that the Administrator's view of the Delivery Reports search panel is somewhat different from the user view. In this view Administrators and Help Desk personnel can select a user mailbox using the "Mailbox to Search" field and make searches on behalf of that user in exactly the same manner that the selected user would.

- Alexis Delgado






Share this post :

















Comments (2)
  1. Michael Dragone says:

    Is there any way for the end user to disable the Read Status Reporting from Outlook or OWA? Or must it be done by an administrator in EMS?

  2. Bruno Frulleux says:

    Good feature, and the granular control is great. One question though: why is the cmdlet parameter for read status different on the the organization level (-ReadTrackingEnabled) than on the individual mailbox level (-MessageTrackingReadStatusEnable)? It seems confusing to have 2 parameters to manage the same feature.

Comments are closed.

Skip to main content