In my recent post Spotlight on Exchange 2010: Delivery Reports, I discussed Delivery Reports from an end-user perspective. In this post I'll review the different things administrators can do with message tracking. We'll discuss disclosure and privacy control settings and do a quick review on which roles have access to message tracking and how to grant access to a user or group of users.
Disclosure and privacy control
There are two settings that can be modified in the organizational configuration to change the level of disclosure of sensitive items in Delivery Reports: Read status reporting and subject logging.
| Feature | Default Setting |
|---|---|
| Read Status Reporting | Disabled |
| Subject Logging | Enabled |
Read Status Reporting
If this feature is enabled, a user requesting the Delivery Report for a particular message can see if that message was marked as read in the recipient's mailbox. Unlike read receipts, read status does not require a separate user action: if the message was marked as read at some moment by the email client, we report the status change, and subsequent "mark-as-unread" activity won't affect the read status of the message.
Read status reporting is disabled by default, and can be enabled for every user in the organization by executing the following cmdlet in PowerShell:
Set-OrganizationConfig -ReadTrackingEnabled $true
After doing this, every Delivery Report shown to a user will include the read status of the message in the recipient's mailbox, for all the recipients in the organization, as we can see in the following screen capture:
Keep in mind that if a message is marked as "Read", it means that the email client marked that message as read; both OWA and Outlook will, by default, mark messages as read if they are shown in the preview pane.
To give administrators more granular control over this feature once it is enabled in the organization, administrators can select individual users and disable read status reporting for messages in their mailboxes. This can be useful for users who handle sensitive information, where the act of reading those messages should be kept hidden from others. For example, to disable the read status reporting for user Lubor Kollar from the Legal department, the administrator would execute the following PowerShell cmdlet:
Set-Mailbox "Lubor Kollar" -MessageTrackingReadStatusEnabled $false
As we can see in the following Delivery Report, the read event is not being reported for the user:
Subject Logging
Administrators can also choose if the subject line for messages is stored in the message tracking logs for all emails sent or received within the organization. This is enabled by default, and can be disabled by the on-premise administrators. Disabling this feature is not an available option for datacenter administrators.
Before making the decision to disable this feature, administrators should consider the impact of the change to the end user's experience. Disabling subject logging will make it impossible to search for Delivery Reports using the subject field, so administrators should alert users that the subject field has to remain empty in all Delivery Report searches.
To suppress the logging of message subjects in the Message Tracking logs, on-premise administrators have to disable Subject Logging on each Mailbox Server and Transport server in the organization. For multi-role servers, administrators would only have to disable this for either of the roles. Administrators can use the following PowerShell cmdlets to disable Subject Logging in all servers within the organization:
Get-TransportServer | Set-TransportServer -MessageTrackingLogSubjectLoggingEnabled $false
Get-MailboxServer | Set-MailboxServer -MessageTrackingLogSubjectLoggingEnabled $false
Currently users in the following security role groups can read Delivery Reports on behalf of other users:
- Organization Management
- View-Only Organization Management
- Recipient Management
- Records Management
To add Delivery Reports capabilities to the Help Desk role group and add the user Mark Steele as a member of the Help Desk group, execute the following PowerShell cmdlets:
New-ManagementRoleAssignment "Message Tracking - Help Desk" -Role "Message Tracking" -SecurityGroup "Help Desk"
Add-RoleGroupMember "Help Desk" -Member msteele
So, the next time Mark Steele logs into ECP he will be able to use the "Select what to manage" dropdown to access the ECP Help Desk view for the organization; then by clicking on the "Reporting" tab he will access the administrator view of the Delivery Reports search pane, as shown on the screen shot below:
In the screenshot we can also see that the Administrator's view of the Delivery Reports search panel is somewhat different from the user view. In this view Administrators and Help Desk personnel can select a user mailbox using the "Mailbox to Search" field and make searches on behalf of that user in exactly the same manner that the selected user would.
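The following read-only audit is an added example, not part of the original post: it reports the current state of the disclosure settings described above and lists who holds the "Message Tracking" role. It assumes an Exchange 2010 Management Shell session with permission to read organization configuration; the variable names are illustrative.

```powershell
# Added example: read-only audit of Delivery Report disclosure settings and access.
# Assumption: run from the Exchange Management Shell; nothing here changes configuration.

# 1. Organization-wide read status reporting (disabled by default).
$org = Get-OrganizationConfig
"Read status reporting enabled for the organization: $($org.ReadTrackingEnabled)"

# 2. Mailboxes individually excluded from read status reporting.
#    Only meaningful when the organization-wide setting above is enabled.
$excluded = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.MessageTrackingReadStatusEnabled } |
    Select-Object Name, PrimarySmtpAddress

# 3. Subject logging per server role. Any server still showing True keeps
#    writing message subjects to its message tracking logs.
$subjectLogging = @(
    Get-TransportServer | Select-Object Name,
        @{ Name = 'Role'; Expression = { 'Transport' } },
        MessageTrackingLogSubjectLoggingEnabled
    Get-MailboxServer | Select-Object Name,
        @{ Name = 'Role'; Expression = { 'Mailbox' } },
        MessageTrackingLogSubjectLoggingEnabled
)

# 4. Every assignment of the "Message Tracking" role, i.e. every principal that
#    can read Delivery Reports on behalf of other users.
$assignments = Get-ManagementRoleAssignment -Role "Message Tracking" |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType

# 5. Expand role groups into their members so individual users are visible.
$members = $assignments |
    Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
    ForEach-Object {
        $group = $_.RoleAssigneeName
        Get-RoleGroupMember $group |
            Select-Object @{ Name = 'RoleGroup'; Expression = { $group } },
                Name, RecipientType
    }

"`nMailboxes excluded from read status reporting:"
$excluded | Format-Table -AutoSize
"`nSubject logging by server:"
$subjectLogging | Format-Table -AutoSize
"`nMessage Tracking role assignments:"
$assignments | Format-Table -AutoSize
"`nMembers of role groups holding the role:"
$members | Format-Table -AutoSize
```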