Solved

Auditing calendar access

Posted on 2004-03-29
Last Modified: 2010-03-05
I am trying to audit all transactions that occur against an executive's calendar in Exchange 2000.  The executive’s administrative assistant claims that about once a month an appointment will "drop off" this executive’s calendar.  I have configured Exchange 2000 properly, taking into account all Microsoft and Symantec recommendations (including file-level antivirus scanning exclusions for Exchange).  Is there any way to track all transactions that occur to one calendar and then be able to review this log when an appointment drops off?  I am looking to find out:

1) Who is connected to the calendar when the appointment drops off (either IP address, user name, or computer name)?
2) How to get these transactions pushed to some type of log file so that I can specifically show this admin assistant what happened and why.


Question by:hulmic
16 Comments
 
LVL 10

Expert Comment

by:OneHump
ID: 10706469
Someone should post a more detailed answer, but it's possible with some work.  First off, whenever an Exchange object is accessed, you'll get an event that says the object was accessed by an account that's not the primary account of the mailbox.  That's the easy part.  The hard part is parsing that event out of your event log for every potential DC used to authenticate that account.  You'll need an event log manager of some sort.

I would google some options.  You could also hook into your event logs using VBScript quite easily.  You could then send email alerts when the calendar is accessed.

I would think that simply checking the security on the calendar in Outlook and the mailbox object in AD would be enough.  Unless you have an Admin who does bad things, no one would be able to get in there otherwise.

OneHump
0
 

Author Comment

by:hulmic
ID: 10706620
I am familiar with eventcomb, which would make searching the logs a little easier.  What event ID is present when this other person logs on to an email account?  Is this log entry on the email server or DC?
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10707396
You'll find that in the Application Log on the Exchange Server.
0
LVL 10

Expert Comment

by:OneHump
ID: 10707434
It would be on your DC.  

Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Windows NT User DOMAIN\username logged on to UserA mailbox, and is not the primary Windows NT account on this mailbox.

OneHump
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10707504
----"You'll find that in the Application Log on the Exchange Server."----

Only in 5.5 visioneer; We're talking 2000.  :)

OneHump
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10707520
That shows up in the Application Log on the Exchange server.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10707535
Well, it shows up that way on my Exchange 2000 server.  Mine must be from an alternate universe.  :-O
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10707571
Or I could be wrong!  :)

0
 

Author Comment

by:hulmic
ID: 10707853
Ok.  This lets me know who is logged on.  It still does not give me the granularity to say exactly how the meeting appointment is being moved/deleted.  Is it the admin assistant's accidental keystroke?  How do I prove this?  Is it Exchange that is the issue?  The output I am really searching for is a log file with, say, three columns that says:
1) This event happened and here is a description
2) This IP or user name made the calendar items disappear.
3) All this in some type of chronological order.
This information will allow me to respond to a question like:
"Last night, an appointment dropped off "so and so's" calendar for no reason.  He just missed a meeting and it is the system's fault."  I am trying to prove it is not.  I will need logging like this to prove my case.

Thanks for the comments thus far.
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10707910
You won't get that level of detail.  There is no way, off the shelf, to show what account did what once authenticated.

I think you would have to write code that hooks into the database and intercepts access requests to the calendar and proxies for them.  That would be quite a development effort.

OneHump
0
 
LVL 10

Accepted Solution

by:
OneHump earned 125 total points
ID: 10707943
In thinking about this, you might want to monitor who is logged on and who can log on and throw some sort of keylogger on their workstation.  That's not exactly a technical solution, but it's easier than messing with the database engine.

OneHump
0
 
LVL 2

Assisted Solution

by:timiano
timiano earned 125 total points
ID: 10718394
If you can take the storage tradeoff, increase your limits on deleted items on the store.  If the appointment is deleted again, just search the deleted items, where it will tell you exactly when the item was deleted.  You can then cross reference that with any event IDs around that time.  If nothing is there, you've got yourself a good ol' user error.

Timiano
0
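
The cross-reference suggested in this answer, using the event 1016 record quoted earlier in the thread, as an added example that is not part of the original posts: it filters an exported event log for non-primary logons to one mailbox and lists those that fall in a lookback period before the deletion time. The tab-separated export layout, the server and account names, and the sample records are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed export (tab-separated: time, server, source, event ID, message).
# The column layout is an assumption; match it to what your export tool writes.
MSG = ("Windows NT User {} logged on to {} mailbox, and is not the primary "
       "Windows NT account on this mailbox.")
HDR = "\tEXCH01\tMSExchangeIS Private\t1016\t"
SAMPLE_EXPORT = "\n".join([
    "2004-03-28 09:02:11" + HDR + MSG.format("CORP\\assistant1", "exec1"),
    "2004-03-28 22:41:07" + HDR + MSG.format("CORP\\svc_backup", "exec1"),
    "2004-03-28 22:42:00\tEXCH01\tConstructed Noise\t1\tunrelated record",
    "2004-03-28 22:44:10" + HDR + MSG.format("CORP\\helpdesk2", "other1"),
    "2004-03-29 08:15:00" + HDR + MSG.format("CORP\\assistant1", "exec1"),
])

LOGON_RE = re.compile(r"Windows NT User (\S+) logged on to (.+?) mailbox")

def parse_1016(export_text):
    """Return non-primary mailbox logons (event 1016), oldest first."""
    events = []
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) != 5 or row[2] != "MSExchangeIS Private" or row[3] != "1016":
            continue
        match = LOGON_RE.search(row[4])
        if match:
            events.append({
                "time": datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"),
                "server": row[1],
                "user": match.group(1),
                "mailbox": match.group(2),
            })
    return sorted(events, key=lambda e: e["time"])

def logons_before(events, mailbox, deleted_at, lookback):
    """Logons to `mailbox` in the `lookback` period ending at `deleted_at`.

    A 1016 record shows who opened the mailbox, not what they did in it, and a
    session can outlive its logon event, so widen `lookback` before concluding
    that nobody else was connected. Times must share one time zone.
    """
    start = deleted_at - lookback
    return [e for e in events
            if e["mailbox"].lower() == mailbox.lower()
            and start <= e["time"] <= deleted_at]
```

An empty result for a generous lookback supports the "user error" reading in the answer above; a non-empty one gives the accounts to follow up on.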
 
LVL 10

Expert Comment

by:OneHump
ID: 10718920
Very very smart idea!
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10815353
Where are we at with this?

OneHump
0
 

Author Comment

by:hulmic
ID: 10815474
I am not really finding what I am looking for.  I am not sure that I would.  I have looked through deleted items and I really can't leverage the key logger idea.  How do I close this question?  I hate to award points for suggestions not solutions.
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10815517
You don't necessarily award points for solutions.  You are typically awarding for assistance.  My goal is to help you, not accumulate points, but it is certainly a good thing to award others that make an effort to help you even though you didn't get what you were looking for.  You are certainly entitled to request that questions be deleted though.  You do this by posting a message in the Community Support Forum.

I will say, however, that this question should be PAQd (archived) because the clear answer to your question was provided.  This will allow others to find the thread in searches and get valuable information without having to open a new question.  The fact that what you are trying to do cannot be done does not mean the question was not answered.

Best of luck.

OneHump
0
