One my personal bugbears with Exchange over the last 10 years or so has been the total lack of a useful auditing function.  Sure, you can see who accessed a mailbox, but since Outlook 2003 and the extended Free/Data the Windows Server event logs are pretty much useless since you cant tell if someone actually read the mailbox contents maliciously or just invited that user to a meeting and Outlook attempted to read the extended free/busy data from their calendar directly.

Well, Exchange 2007 SP2 introduces a huge leap forward in this respect and Mike Lagase has written a monster of a white paper all about how to perform auditing in an Exchange 2007 environment here…

http://technet.microsoft.com/en-us/library/ee331009.aspx

Posted by Neil Johnson, MCS UK, MCM Exchange 2007