View Who Logged into Mailboxes

[SpideySMJ]

I've been asked to find a way to monitor who has logged into another person's mailbox and when. I know that the event logs will display some basic information on this, but it isn't completely accurate. First, I can't remember what the event ID is for those instances. Second, does anyone have a better way to keep track of this information? I would not be opposed to a third party program. Any suggestions would be appreciated.

"I reject your reality and substitute one of my own.

 

[Marcs41]

I have to ask: Why?

If someone CAN login to someone's mailbox, that either means:
1: he/she has the rights to do so.
2: he/she knows the password.

Solution:
1: take away any rights that should not be there.
2: change the passwords.


Bottom line: take away the cause instead of spending time chasing the result.

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all.
Free Tip: The F1 Key does NOT destroy your PC![/sub]

 

[SpideySMJ]

Why is a good question, unfortunately, I don't have the answer. My superiors didn't give me that information...only what they wanted me to track. From what I can gather an admin has been adding permissions in for themselves to get into mailboxes and then removing them once they are done...allegedly. This is to help catch them in the act.

"I reject your reality and substitute one of my own.

 

[Marcs41]

Well, if admins are 'suspected' the change the admins passwords.

But, if you superiors DEMAND you track and trace, make sure you get that in WRITING BEFORE you do anything like that, you would be violating privacy laws (how silly they may be..).

And, more inportant, if you can enable tracking, and the other admin can add permissions, he/she can also see that YOU set these options!

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all.
Free Tip: The F1 Key does NOT destroy your PC![/sub]

 

[SpideySMJ]

*sigh* Yes, I understand the moral implications and the privacy laws, and all that stuff. All that aside, they WANT this information. Period. I understand you are trying to help but this is stuff I've already gone over in length with them here.

"I reject your reality and substitute one of my own.

 

[conan3]

One way is the use Exchange System Manager(ESM) to see who has accessed a mailbox.

Open ESM
Administrative Groups
Servers
Your Exchange Server name
First Storage Group
Mailbox store
mailboxes
in the right panel check "Last Logged on by" coloum

If you have a backup job that runs under the administrator account say at 6pm the night before. Then the administrator will be shown as the last logged on by. If the backup job runs under backup then that would show as "Last logged on by"

So if the admin is opening email boxes the date and time would be shown. You would have to get a list of the people the admin is supposed to be spying on a keep watching those accounts.

What does your Computer Use policy say about email?

That said, the administrator could be opening the users mailbox to trouble shoot their email problems also. A user could have taken offence at the idea the their email could be accessed at all and has been screaming in the wrong ears.

Also remember most computer crime is commited by people in places of authority. The admin may be working hand in hand with corp. Security to watch someone.

Child Porn, Racial, Hate Groups, Threating Emails all come to mind.

Read of a case where the CEO was surfing child porn at work and home and security made the mistake of letting it get out. The CEO had wiped the hard disk before they got to it.