Auditing calendar access

I am trying to audit all transactions that occur against an executive's calendar in Exchange 2000.  The executive’s administrative assistant claims that about once a month an appointment will "drop off" this executive’s calendar.  I have configured Exchange 2000 properly taking into account all Microsoft and Symantec recommendations (including file level anti virus scanning exclusions for Exchange).  Is there any way to track all transactions that occur to one calendar and then be able to review this log when an appointment drops off?  I am looking to find out:

1) Who is connected to the calendar when the appointment drops off (either IP address, user name, or computer name)?
2) How to get these transactions pushed to some type of log file so that I can specifically show this admin assistant what happened and why.


hulmicAsked:
 
OneHumpCommented:
In thinking about this, you might want to monitor who is logged on and who can log on and throw some sort of keylogger on their workstation.  That's not exactly a technical solution, but it's easier than messing with the database engine.

OneHump
0
 
OneHumpCommented:
Someone should post a more detailed answer, but it's possible with some work.  First off, whenever an Exchange object is accessed, you'll get an event that says the object was accessed by an account that's not the primary account of the mailbox.  That's the easy part.  The hard part is parsing that event out of your event log for every potential DC used to authenticate that account.  You'll need an event log manager of some sort.

I would google some options.  You could also hook into your event logs using VBScript quite easily.  You could then send email alerts when the calendar is accessed.  

I would think that simply checking the security on the calendar in Outlook and the mailbox object in AD would be enough.  Unless you have an Admin who does bad things, no one would be able to get in there otherwise.

OneHump
0
 
hulmicAuthor Commented:
I am familiar with eventcomb that would make searching the logs a little easier.  What event ID is present when this other person logs on to an email account?  Is this log entry on the email server or DC?
0
 
visioneerCommented:
You'll find that in the Application Log on the Exchange Server.
0
 
OneHumpCommented:
It would be on your DC.  

Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Windows NT User DOMAIN\username logged on to UserA mailbox, and is not the primary Windows NT account on this mailbox.

OneHump
0
 
OneHumpCommented:
----"You'll find that in the Application Log on the Exchange Server."----

Only in 5.5 visioneer; We're talking 2000.  :)

OneHump
0
 
visioneerCommented:
That shows up in the Application Log on the Exchange server.
0
 
visioneerCommented:
Well, it shows up that way on my Exchange 2000 server.  Mine must be from an alternate universe.  :-O
0
 
OneHumpCommented:
Or I could be wrong!  :)

0
 
hulmicAuthor Commented:
Ok.  This lets me know who is logged on.  It still does not give me the granularity to say exactly how the meeting appointment is being moved/deleted.  Is it the admin assistant's accidental keystroke?  How do I prove this?  Is it Exchange that is the issue?  The output I am really searching for is a log file with, say, three columns that says:  
1) This event happened and here is a description
2) This IP  or user name made the calendar items disappear.
3) All this in some type of chronological order.
This information will allow me to respond to a question like:
"Last night, an appointment dropped off "so and so's" calendar for no reason.  He just missed a meeting and it is the system's fault."  I am trying to prove it is not.  I will need logging like this to prove my case.

Thanks for the comments thus far.
0
 
OneHumpCommented:
You won't get that level of detail.  There is no way, off the shelf, to show what account did what once authenticated.

I think you would have to write code that hooks into the database and intercepts access requests to the calendar and proxies for them.  That would be quite a development effort.

OneHump
0
 
timianoCommented:
If you can take the storage tradeoff, increase your limits on deleted items on the store.  If the appointment is deleted again, just search the deleted items, where it will tell you exactly when the item was deleted.  You can then cross reference that with any event IDs around that time.  If nothing is there, you've got yourself a good ol' user error.

Timiano
0
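The cross-reference timiano describes, sketched as an added example that is not part of any poster's message: it filters an exported event log for the event 1016 entries quoted earlier in the thread and lists the non-primary logons to one mailbox in the window before a deletion time. The CSV layout, the mailbox name `ExecA`, the accounts, the timestamps and the 60-minute lookback are all assumptions; as OneHump notes, the result shows who logged on, not what they did.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data. The CSV layout (time, event ID, source, message)
# is an assumed export format, not a fixed Exchange or Windows format.
SAMPLE_EXPORT = r'''
2004-03-01 08:02:11,1016,MSExchangeIS Private,"Windows NT User CORP\asmith logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox."
2004-03-01 13:40:05,1016,MSExchangeIS Private,"Windows NT User CORP\bjones logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox."
2004-03-01 13:55:30,1016,MSExchangeIS Private,"Windows NT User CORP\asmith logged on to OtherUser mailbox, and is not the primary Windows NT account on this mailbox."
2004-03-01 13:58:00,9999,ConstructedSource,"Unrelated constructed entry"
2004-03-01 14:20:00,1016,MSExchangeIS Private,"Windows NT User CORP\asmith logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox."
'''

LOGON_RE = re.compile(
    r"Windows NT User (?P<account>\S+) logged on to (?P<mailbox>.+?) mailbox, "
    r"and is not the primary Windows NT account"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_nonprimary_logons(export_text):
    """Return (time, account, mailbox) for each event 1016 from MSExchangeIS Private."""
    logons = []
    for row in csv.reader(io.StringIO(export_text.strip())):
        if len(row) != 4:
            continue  # skip malformed lines rather than guess at them
        stamp, event_id, source, message = row
        match = LOGON_RE.search(message)
        if event_id != "1016" or source != "MSExchangeIS Private" or not match:
            continue
        logons.append((datetime.strptime(stamp, TIME_FMT), match["account"], match["mailbox"]))
    return logons


def logons_before_deletion(logons, mailbox, deleted_at, lookback_minutes=60):
    """Chronological rows (time, account, description) for logons to `mailbox`
    in the lookback window that ends at the deletion time."""
    start = deleted_at - timedelta(minutes=lookback_minutes)
    hits = sorted(l for l in logons if l[2] == mailbox and start <= l[0] <= deleted_at)
    return [(t.strftime(TIME_FMT), acct, f"non-primary logon to {mbx} mailbox") for t, acct, mbx in hits]


if __name__ == "__main__":
    deleted = datetime(2004, 3, 1, 14, 5, 0)  # constructed deletion time read from Deleted Items
    for row in logons_before_deletion(parse_nonprimary_logons(SAMPLE_EXPORT), "ExecA", deleted):
        print("\t".join(row))
```

A session can outlast the lookback window, so widen `lookback_minutes` before treating an empty result as meaningful.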
 
OneHumpCommented:
Very very smart idea!
0
 
OneHumpCommented:
Where are we at with this?

OneHump
0
 
hulmicAuthor Commented:
I am not really finding what I am looking for.  I am not sure that I would.  I have looked through deleted items and I really can't leverage the key logger idea.  How do I close this question?  I hate to award points for suggestions not solutions.
0
 
OneHumpCommented:
You don't necessarily award points for solutions.  You are typically awarding for assistance.  My goal is to help you, not accumulate points, but it is certainly a good thing to award others that make an effort to help you even though you didn't get what you were looking for.  You are certainly entitled to request that questions be deleted though.  You do this by posting a message in the Community Support Forum.

I will say, however, that this question should be PAQd (archived) because the clear answer to your question was provided.  This will allow others to find the thread in searches and get valuable information without having to open a new question.  The fact that what you are trying to do cannot be done does not mean the question was not answered.

Best of luck.

OneHump
0
Question has a verified solution.
