snootalope
IS-IT--Management
I've got a user reporting to me that they swear up and down that someone is accessing their mailbox and reading their emails. Both users are basic domain users with zero extended permissions.
I went through everything I can think of including logging on how this accused user could possibly access this other users mailbox. There's nothing set anywhere that would grant this other user permission. No full access permissions, no send-as, no delegate.. In Outlook, I've checked the properties of the mailbox, with default is NONE, and properties of every item under the inbox, all of which are NONE. OWA is also disabled.
The only thing here is the user that's reporting the issue has two folders in their own mailbox that are shared with two other people (one of which is the accused party). So, the two people that have access to the shared folders can use Outlook 2007 to go to open another users mailbox, choose the sharing user, and open the mailbox where they can see the two shared folders along with deleted items and drafts. Now, whenever they click on drafts or deleted items, they can the "no permission..." yada yada.
I'm at a loss here on what else I can check or monitor to prove to the reporting user that the accused person can not see anything they're not supposed to.
Can anyone tell me how I might be able to do some advanced auditing on mailbox access where I can see access attempts and if indeed this accused party is infact able to access this other users mailbox somehow? I know I can enable diagnostic logging, but that fills so fast and isn't detailed enough. The mailbox auditing with SP1 includes only owner, admin, and delegate, which the accused party is none of.
Thanks for any advice....
I went through everything I can think of including logging on how this accused user could possibly access this other users mailbox. There's nothing set anywhere that would grant this other user permission. No full access permissions, no send-as, no delegate.. In Outlook, I've checked the properties of the mailbox, with default is NONE, and properties of every item under the inbox, all of which are NONE. OWA is also disabled.
The only thing here is the user that's reporting the issue has two folders in their own mailbox that are shared with two other people (one of which is the accused party). So, the two people that have access to the shared folders can use Outlook 2007 to go to open another users mailbox, choose the sharing user, and open the mailbox where they can see the two shared folders along with deleted items and drafts. Now, whenever they click on drafts or deleted items, they can the "no permission..." yada yada.
I'm at a loss here on what else I can check or monitor to prove to the reporting user that the accused person can not see anything they're not supposed to.
Can anyone tell me how I might be able to do some advanced auditing on mailbox access where I can see access attempts and if indeed this accused party is infact able to access this other users mailbox somehow? I know I can enable diagnostic logging, but that fills so fast and isn't detailed enough. The mailbox auditing with SP1 includes only owner, admin, and delegate, which the accused party is none of.
Thanks for any advice....
