hulmic asked on

Auditing calendar access

I am trying to audit all transactions that occur against an executive's calendar in Exchange 2000.  The executive’s administrative assistant claims that about once a month an appointment will "drop off" this executive’s calendar.  I have configured Exchange 2000 properly, taking into account all Microsoft and Symantec recommendations (including file-level anti-virus scanning exclusions for Exchange).  Is there any way to track all transactions that occur against one calendar and then be able to review this log when an appointment drops off?  I am looking to find out:

1) Who is connected to the calendar when the appointment drops off (either IP address, user name, or computer name)?
2) How to get these transactions pushed to some type of log file so that I can specifically show this admin assistant what happened and why.


Exchange


8/22/2022 - Mon
OneHump

Someone should post a more detailed answer, but it's possible with some work.  First off, whenever an Exchange object is accessed, you'll get an event that says the object was accessed by an account that's not the primary account of the mailbox.  That's the easy part.  The hard part is parsing that event out of your event log for every potential DC used to authenticate that account.  You'll need an event log manager of some sort.

I would google some options.  You could also hook into your event logs using VBScript quite easily.  You could then send email alerts when the calendar is accessed.

I would think that simply checking the security on the calendar in Outlook and the mailbox object in AD would be enough.  Unless you have an Admin who does bad things, no one would be able to get in there otherwise.

OneHump
ASKER
hulmic

I am familiar with eventcomb that would make searching the logs a little easier.  What event ID is present when this other person logs on to an email account?  Is this log entry on the email server or DC?
visioneer

You'll find that in the Application Log on the Exchange Server.
OneHump

It would be on your DC.  

Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Windows NT User DOMAIN\username logged on to UserA mailbox, and is not the primary Windows NT account on this mailbox.

OneHump
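
An added example, not part of the original thread: one way to turn exported event 1016 records into the chronological "who logged on to this mailbox" list the asker wants. The CSV column layout, host names, accounts and timestamps are constructed for illustration; only the event ID, source and message wording come from the post above. It shows who logged on, not what they changed once logged on.

```python
import csv
import io
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export

# Message text of event 1016 as quoted in the thread.
MSG_RE = re.compile(
    r"Windows NT User (?P<account>\S+) logged on to (?P<mailbox>.+?) mailbox, "
    r"and is not the primary Windows NT account on this mailbox\.")

# Constructed sample export (column layout, hosts and accounts are made up).
SAMPLE_CSV = r"""TimeGenerated,Computer,EventID,Source,Message
2004-03-02 08:14:07,EXCH01,1016,MSExchangeIS Private,"Windows NT User CORP\asmith logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox."
2004-03-01 22:41:55,EXCH01,1016,MSExchangeIS Private,"Windows NT User CORP\svc-backup logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox."
2004-03-01 22:40:10,EXCH01,1016,MSExchangeIS Private,"Windows NT User CORP\asmith logged on to OtherUser mailbox, and is not the primary Windows NT account on this mailbox."
2004-03-01 09:02:31,DC01,9999,Constructed Source,"Unrelated constructed record"
"""


def non_primary_logons(export_text, mailbox):
    """Return (time, computer, account) for each 1016 event on `mailbox`, oldest first."""
    hits = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        if rec["EventID"].strip() != "1016" or rec["Source"] != "MSExchangeIS Private":
            continue
        m = MSG_RE.search(rec["Message"])
        if m and m.group("mailbox").lower() == mailbox.lower():
            when = datetime.strptime(rec["TimeGenerated"], TS_FMT)
            hits.append((when, rec["Computer"], m.group("account")))
    return sorted(hits)


def logons_between(hits, start, end):
    """Keep hits inside the window in which the appointment went missing."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    return [h for h in hits if lo <= h[0] <= hi]


if __name__ == "__main__":
    for when, computer, account in non_primary_logons(SAMPLE_CSV, "ExecA"):
        print(f"{when}  {computer:8}  {account}")
```
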
OneHump

----"You'll find that in the Application Log on the Exchange Server."----

Only in 5.5 visioneer; We're talking 2000.  :)

OneHump
visioneer

That shows up in the Application Log on the Exchange server.
visioneer

Well, it shows up that way on my Exchange 2000 server.  Mine must be from an alternate universe.  :-O
OneHump

Or I could be wrong!  :)

ASKER
hulmic

Ok.  This lets me know who is logged on.  It still does not give me the granularity to say exactly how the meeting appointment is being moved/deleted.  Is it the admin assistant's accidental keystroke?  How do I prove this?  Is it Exchange that is the issue?  The output I am really searching for is a log file with, say, three columns that says:
1) This event happened and here is a description
2) This IP or user name made the calendar items disappear.
3) All this in some type of chronological order.
This information will allow me to respond to a question like:
"Last night, an appointment dropped off "so and so's" calendar for no reason.  He just missed a meeting and it is the system's fault."  I am trying to prove it is not.  I will need logging like this to prove my case.

Thanks for the comments thus far.
OneHump

You won't get that level of detail.  There is no way, off the shelf, to show what account did what once authenticated.

I think you would have to write code that hooks into the database and intercepts access requests to the calendar and proxies for them.  That would be quite a development effort.

OneHump
ASKER CERTIFIED SOLUTION
OneHump

OneHump

Very very smart idea!
OneHump

Where are we at with this?

OneHump
ASKER
hulmic

I am not really finding what I am looking for.  I am not sure that I would.  I have looked through deleted items and I really can't leverage the key logger idea.  How do I close this question?  I hate to award points for suggestions not solutions.
OneHump

You don't necessarily award points for solutions.  You are typically awarding for assistance.  My goal is to help you, not accumulate points, but it is certainly a good thing to award others that make an effort to help you even though you didn't get what you were looking for.  You are certainly entitled to request that questions be deleted though.  You do this by posting a message in the Community Support Forum.

I will say, however, that this question should be PAQd (archived) because the clear answer to your question was provided.  This will allow others to find the thread in searches and get valuable information without having to open a new question.  The fact that what you are trying to do cannot be done does not mean the question was not answered.

Best of luck.

OneHump