hulmic
asked on
Auditing calendar access
I am trying to audit all transactions that occur against an executive's calendar in Exchange 2000. The executive’s administrative assistant claims that about once a month an appointment will "drop off" this executive’s calendar. I have configured exchange 2000 properly taking into account all Microsoft and Symantec recommendations (including file level anti virus scanning exclusions for Exchange). Is there any way to track all transaction that occur to one calendar and then be able to review this log when an appointment drops off? I am looking to find out:
1) Who is connected to the calendar when the appointment drops off (either IP address, user name, or computer name)?
2) How to get these transactions pushed to some type of log file so that I can specifically show this admin assistant what happened and why.
1) Who is connected to the calendar when the appointment drops off (either IP address, user name, or computer name)?
2) How to get these transactions pushed to some type of log file so that I can specifically show this admin assistant what happened and why.
Last Comment
ASKER
I am familiar with eventcomb that would make searching the logs at little easier. What event ID is present when this other person logs on to an email account? Is thi log entry on the email server or DC?
You'll find that in the Application Log on the Exchange Server.
It would be on your DC.
Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Windows NT User DOMAIN\username logged on to UserA mailbox, and is not the primary Windows NT account on this mailbox.
OneHump
Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Windows NT User DOMAIN\username logged on to UserA mailbox, and is not the primary Windows NT account on this mailbox.
OneHump
----"You'll find that in the Application Log on the Exchange Server."----
Only in 5.5 visioneer; We're talking 2000. :)
OneHump
Only in 5.5 visioneer; We're talking 2000. :)
OneHump
That shows up in the Application Log on the Exchange server.
Well, it shows up that way on my Exchange 2000 server. Mine must be from an alternate universe. :-O
Or I could be wrong! :)
ASKER
Ok. This lets me know who is logged on. It still does not give me the granularity to say exactly how the meeting appointment is being moved/deleted. Is it the admin assistant's accidental keystroke? How do I prove this? Is it Exchange that is the issue? The output I am really serching for is a log file with, say, three columns that says:
1) This event happened and here is a description
2) This IP or user name made the calendar items disappear.
3) All this in some type or chronological order.
This information will allow me to respond to a question like:
"Last night, an appointment dropped off "so and so's" calendar for no reason. He just missed a meeting and it is the system's fault." I am trying to prove it is not. I will need logging like this to prove my case.
Thanks for the comments thus far.
1) This event happened and here is a description
2) This IP or user name made the calendar items disappear.
3) All this in some type or chronological order.
This information will allow me to respond to a question like:
"Last night, an appointment dropped off "so and so's" calendar for no reason. He just missed a meeting and it is the system's fault." I am trying to prove it is not. I will need logging like this to prove my case.
Thanks for the comments thus far.
You won't get that level of detail. There is no way, off the shelf, to show what account did what once authenticated.
I think you would have to write code that hooks into the database and intercepts access requests to the calendar and proxies for them. That would be quite a development effort.
OneHump
I think you would have to write code that hooks into the database and intercepts access requests to the calendar and proxies for them. That would be quite a development effort.
OneHump
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Very very smart idea!
Where are we at with this?
OneHump
OneHump
ASKER
I am not really finding what I am looking for. I am not sure that I would. I have looked through deleted items and I really can't leverage the key logger idea. How do I close this question? I hate to award points for suggestions not solutions.
You don't necessarily award points for solutions. You are typically awarding for assistance. My goal is to help you, not accumulate points, but it is certainly a good thing to award others that make an effort to help you even though you didnt get what you were looking for. You are certainly entitled to request that questions be deleted though. You do this by posted a message in the Community Support Forum.
I will say, however, that this question should be PAQd (archived) because the clear answer to your question was provided. This will allow others to find the thread in searches and get valuable information without having to open a new question. The fact that what you are trying to do cannot be done does not mean the question was not answered.
Best of luck.
OneHump
I will say, however, that this question should be PAQd (archived) because the clear answer to your question was provided. This will allow others to find the thread in searches and get valuable information without having to open a new question. The fact that what you are trying to do cannot be done does not mean the question was not answered.
Best of luck.
OneHump
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
I would google some options. You could also hook into your event logs using VBScript quite easily. You could then sent email alerts when the calendar is accessed.
I would think that simply checking the security on the calendar in Outlook and the mailbox object in AD would be enough. Unless you have an Admin does bad things, no one would be able to get in there otherwise.
OneHump