I think one of our Exchange administrators is abusing his power and reading users' inboxes. Is there a log somewhere where I can identify what he's been up to?
The NT Event Viewer on the Exchange server may tell you something. My Exchange 5.5 servers show event id 1016, Source: MSExchangeIS Private, Type: Success Audit, Description: "The NT user blahblah logged on to the blahblah mailbox and is not the primary Windows NT account on this mailbox." This may provide you some information if your Exchange Administrator is logged on with his own NT account when he is accessing the mailboxes.
Not necessarily; event ID 1016 is a standard message if you share mailbox components, such as a calendar or contact list, with other users. Besides, there's an easy way to avoid this message.
An event ID 1016 message is not logged in the Application event log when you access another user's mailbox or schedule if a primary Windows NT account has not been assigned to that user's mailbox.
A smart admin is hard to catch; he can temporarily assign his own account as the primary user account for the mailbox, read the emails and then reverse the change.
He can also use LC4 to crack the passwords and then open mailboxes via OWA.
You can also refer to Microsoft Knowledge Base Article - 182900 - Windows NT Account Is Able To Access All Mailboxes
Or he can log in as the Exchange service account. I have had to do that on 2 occasions when upper management wanted to see someone's sent mail - something to do with death threats.
Looking for event ID 1016 is a good start. If the Exchange service account is shown as opening mailboxes when you know no other Exchange administrators have been using the account, you have good evidence. If this is the case, change the password on the account and tell only the administrators you trust. When you see a failed login for that account when the suspected admin had no need to use the account, your evidence grows. (Don't forget that the service account password must be changed through the Exchange Admin program - select 'Configuration' for your site, open the properties window, then select the service account password tab.) If he asks about the password not working, feign forgetfulness and give him the new password and continue monitoring for improper mailbox access. If you see the activity you are expecting, document everything so you can have the individual terminated! Actions such as you suspect are not only an invasion of privacy, they betray the trust users place in network administrators.
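Added example, not part of any post above: one way to review event ID 1016 entries for the two patterns discussed in the thread (the service account opening mailboxes, and one account opening many mailboxes it has no sharing arrangement with). It assumes the Application log was exported to CSV with the column names shown and that the description follows the wording quoted in the thread; all account names, mailboxes and timestamps are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; the column layout is an assumption, not a documented format.
SAMPLE_CSV = r"""Date,Time,Source,Type,EventID,Description
2003-03-03,09:12:44,MSExchangeIS Private,Success Audit,1016,The NT user CORP\jsmith logged on to the Mary Jones mailbox and is not the primary Windows NT account on this mailbox.
2003-03-03,10:02:10,MSExchangeIS Private,Information,9999,Constructed unrelated event.
2003-03-03,22:41:07,MSExchangeIS Private,Success Audit,1016,The NT user CORP\exchsvc logged on to the Bob Lee mailbox and is not the primary Windows NT account on this mailbox.
2003-03-04,23:05:31,MSExchangeIS Private,Success Audit,1016,The NT user CORP\admin1 logged on to the Mary Jones mailbox and is not the primary Windows NT account on this mailbox.
2003-03-04,23:09:02,MSExchangeIS Private,Success Audit,1016,The NT user CORP\admin1 logged on to the Bob Lee mailbox and is not the primary Windows NT account on this mailbox.
2003-03-04,23:15:48,MSExchangeIS Private,Success Audit,1016,The NT user CORP\admin1 logged on to the Ann Ray mailbox and is not the primary Windows NT account on this mailbox.
"""
SERVICE_ACCOUNTS = {"corp\\exchsvc"}               # constructed name
DELEGATES = {"corp\\jsmith": {"Mary Jones"}}       # known sharing (calendar, contacts)

# Wording taken from the description quoted in the thread.
DESC_RE = re.compile(r"NT user (\S+) logged on to (?:the )?(.+?) mailbox", re.IGNORECASE)

def parse_1016(csv_text):
    """Yield (timestamp, user, mailbox) for each MSExchangeIS event ID 1016 row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"].strip() != "1016" or not row["Source"].startswith("MSExchangeIS"):
            continue
        m = DESC_RE.search(row["Description"])
        if m:  # rows whose description does not match the assumed wording are skipped
            yield f'{row["Date"]} {row["Time"]}', m.group(1).lower(), m.group(2)

def review(csv_text, service_accounts, delegates, threshold=3):
    """Flag service-account mailbox opens and users opening many non-delegated mailboxes."""
    findings, by_user = [], defaultdict(set)
    for ts, user, mailbox in parse_1016(csv_text):
        if user in service_accounts:
            findings.append(("service-account", ts, user, mailbox))
        elif mailbox not in delegates.get(user, set()):
            by_user[user].add(mailbox)   # expected sharing is ignored, the rest is counted
    for user, boxes in sorted(by_user.items()):
        if len(boxes) >= threshold:
            findings.append(("many-mailboxes", None, user, sorted(boxes)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CSV, SERVICE_ACCOUNTS, DELEGATES):
        print(finding)
```

As the replies note, event ID 1016 is not logged in every case, so an empty result here does not show that no mailbox was opened.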