Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Exchanged Logon Audits

Status
Not open for further replies.
Basnbuk

Basnbuk

MIS
Jul 31, 2002
11
0
0
US
We are currently experiencing a certain employee logging into others mailboxes (according to Logons at Server-> Private Information Store-> Logons). Also, event 1016 is being written to the Application event log. I have seen that this can occur when checking someones availability for meetings and actually adding another user's mailbox to Outlook. The issue is that if it is a case of the latter, that is a violation of company policy. Is there a way to determine which case it could be? Are there any other circumstances that would cause this?

Thanks,
 
Sort by date Sort by votes
You can't differentiate what type of access that event is recording. But why does this employee have rights on any mailbox other than their own? Have you enabled the wrong permissions on your directory?
 
Upvote 0 Downvote
He does not have any rights what-so-ever to any mailbox other than his own. The mailboxes that we are looking at, only the NT user for which the account was setup and the Domain Admin accout has rights. Therefore we know that he is not able to view messages coming into the mailbox, and we (IT) are just trying to correctly document his attempts. But, we do not want to falsely accuse.

Thanks,
 
Upvote 0 Downvote
This may not apply but I have seen this happen in the following circumstances:
UserA has computer then moves to another computer
UserB takes over USERA's old computer and we (IT) change the outlook profile by just changing the mailbox name. After that it will start saying that userB is opening userA's stuff in the log. I think it is because we use the same outlook address book instead of creating a whole new profile.

Storm
 
Upvote 0 Downvote
Folks,

I would like to know if there is another event id that can help us to make a hig level audit in Exhange Server 5.5.
 
Upvote 0 Downvote
Nope. You could check the Logon page of the Private Information Store, it contains a list of the clients connected to mailboxes, or the Mailbox Resources page, which shows the last NT id to connect to a mailbox. Both these windows are save-able with the File, Save Windows Contents option.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

disturbedone
  • Locked
  • Question
Customisation of logon.aspx and disclaimer.inc
Replies
1
Views
28
disturbedone
disturbedone
dkel22
  • Locked
  • Question
Lync Powershell - Logon Failed
Replies
1
Views
20
58sniper
58sniper
juniper911
  • Locked
  • Question
Logon failures.
Replies
0
Views
9
juniper911
juniper911
Hfnet
  • Locked
  • Question
resources plus physical logons
Replies
6
Views
34
Hfnet
Hfnet
Daveyd123
  • Locked
  • Question
OWA asking for credentials when opening email after logon 2
Replies
11
Views
42
Daveyd123
Daveyd123

Part and Inventory Search

Sponsor

Back
Top