Exchange auditing logs "Access is denied (5)"


RustyShackleford -> Exchange auditing logs "Access is denied (5)" (11.Feb.2013 12:04:13 PM)

I just enabled auditing of mailbox folder access. The log entries are successfully created and I can see them. However, my co-worker cannot. When he tries to access the Exchange auditing log he gets "Event viewer cannot open the event log or custom view. Verify the Event log service is running or query is too long. Access is denied (5)."

We are both domain admins. However, I am an Exchange Org admin and he is not. Bing \ Google provided little help. However, the only useful hit I found did specifically mention being an Exchange Org Admin.

I find it quite surprising that someone must be an Exchange Org Admin to see these specific logs. Our compliance officer will need to see these logs but I cannot give him high level Exchange admin rights.

Is there another way to provide access to Exchange auditing logs?

Thank you

richardjenson7 -> RE: Exchange auditing logs "Access is denied (5)" (25.Feb.2013 3:45:12 AM)

It seems to be a Windows permission problem.
Your user should be in the admin group on the target server.

Take a look at this link

RustyShackleford -> RE: Exchange auditing logs "Access is denied (5)" (4.Mar.2013 8:09:00 PM)


Thank you for the reply. I checked and my co-workers do have admin rights on the server. They are all domain admins, and domain admins have local administrator rights.


RustyShackleford -> RE: Exchange auditing logs "Access is denied (5)" (5.Mar.2013 12:44:03 PM)

Found it - finally!

The volume of logged audit events is directly related to the load on a server together with the number of user operations of the audited type occurring at any time. Because the Application log is also a source of diagnostic and troubleshooting data, Access Auditing does not log events to the Application log. In Exchange 2007 Service Pack 3 (SP3), installing the Mailbox server role on a server creates a new event log. This is the Exchange Auditing event log. By default, the Exchange Auditing event log is located under \Exchange Server\Logs\AuditLogs. On a Windows Server 2008-based computer, this event log is located under Applications and Services Logs\Exchange Auditing. The default file location for this log file is %PROGRAMFILES%\Exchange Server\Logging\Auditlogs. The default access control list (ACL) on the Exchange Auditing log allows the following permissions:
Exchange Recipient Administrators: Read and Clear access
Exchange Organization Administrators: Read and Clear access
Exchange Servers: Read and Write access
Local Service: All Access
To change the default ACL list, you have to update the CustomSD value in the registry. Update the CustomSD value to include the group or user that you want to access the Exchange Auditing Event Log. The CustomSD value is located under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Exchange Auditing

Read these links for more info and important info regarding CustomSD in SDDL format:,v=exchg.80).aspx
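
An added example, not part of the original thread: one way to apply the CustomSD change described above by appending a read-only ACE for a dedicated group, so a compliance officer can open the log without Exchange admin rights. The group name CONTOSO\AuditLogReaders and the helper Add-EventLogReadAce are hypothetical; the 0x1 mask is the event log read right (0x2 is write, 0x4 is clear).

```powershell
# Added example. Run elevated on the Mailbox server.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Exchange Auditing'
$group   = 'CONTOSO\AuditLogReaders'   # hypothetical group name (assumption)

function Add-EventLogReadAce {
    param([string]$Sddl, [string]$Sid)

    # Allow ACE granting read only (0x1); no write (0x2) or clear (0x4).
    $ace = "(A;;0x1;;;$Sid)"
    if ($Sddl.Contains($ace)) { return $Sddl }   # already present, nothing to do

    $dacl = $Sddl.IndexOf('D:')
    if ($dacl -lt 0) { throw 'CustomSD has no DACL (D:) section' }

    # Keep the new ACE inside the DACL: if a SACL (S:) follows, insert before it.
    $sacl = $Sddl.IndexOf('S:', $dacl)
    if ($sacl -ge 0) { $new = $Sddl.Insert($sacl, $ace) }
    else             { $new = $Sddl + $ace }

    # Throws if the result is not a parsable security descriptor.
    [void](New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new)
    return $new
}

# SDDL ACEs name the trustee by SID, so resolve the group first.
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$old = (Get-ItemProperty -Path $keyPath -Name CustomSD).CustomSD
$new = Add-EventLogReadAce -Sddl $old -Sid $sid

# Record the original value so the change can be rolled back.
"Current CustomSD: $old"
"New CustomSD:     $new"

# -WhatIf only previews the write; remove it to apply the change.
Set-ItemProperty -Path $keyPath -Name CustomSD -Value $new -WhatIf
```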
