Exchange 2003 mailbox access audit

Hi everyone. We're using Exchange 2003 (SP2) and I have an Exchange administrator whom I think is accessing other users' mailboxes without authorization (in diagnostic logging, mailbox logons are set to minimum). I have event IDs 1009, 1013, and 1016 showing up, similar to below:

Event ID: 1009
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Description: DOMAIN\User1 logged on as /o=ORG/ou=SITE/cn=Recipients/cn=User2

Event ID: 1013
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Description: DOMAIN\User1 was validated as /o=ORG/ou=SITE/cn=Recipients/cn=User1 and logged on to /o=ORG/ou=SITE/cn=Recipients/cn=User2

Event ID: 1016
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Description: Windows 2000 User DOMAIN\User1 logged on to User2 mailbox, and is not the primary Windows 2000 account on this mailbox

As I understand it, event IDs 1013 and 1016 could simply indicate the calendar was accessed (possibly for a meeting request?), and don't necessarily mean that the Exchange admin in question opened the mailbox.
Would event ID 1009 be a clear indication of the Exchange admin accessing the mailbox (as in opening the mailbox as if it were his own and going through the contents)? If not, how would I be able to validate the mailbox was in fact accessed?
Asked by: Claude_Cardinal
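As an added example that is not part of this thread, the following Python script parses the three event descriptions quoted above (in the exact wording shown) and counts logons where the logging-on account is not the mailbox owner, so that a one-off 1016 from a meeting request can be told apart from a repeated pattern against many mailboxes. SAMPLE_EVENTS and ALLOWLIST are constructed for the demo, and the owner check for 1009/1016 compares the sAMAccountName to the mailbox cn, which is an assumption that only holds when those names match in your org.

```python
import re
from collections import Counter

# Constructed sample events in the wording quoted in the question (not real log data).
SAMPLE_EVENTS = [
    (1009, r"DOMAIN\User1 logged on as /o=ORG/ou=SITE/cn=Recipients/cn=User2"),
    (1013, r"DOMAIN\User1 was validated as /o=ORG/ou=SITE/cn=Recipients/cn=User1 and logged on to /o=ORG/ou=SITE/cn=Recipients/cn=User2"),
    (1016, r"Windows 2000 User DOMAIN\User1 logged on to User2 mailbox, and is not the primary Windows 2000 account on this mailbox"),
    (1013, r"DOMAIN\User3 was validated as /o=ORG/ou=SITE/cn=Recipients/cn=User3 and logged on to /o=ORG/ou=SITE/cn=Recipients/cn=User3"),
]

# Accounts expected to open other mailboxes (e.g. a backup service account); constructed placeholder.
ALLOWLIST = {r"DOMAIN\svc-backup"}

# One pattern per event ID; 1013 is the only one that also names the validated owner DN.
PATTERNS = {
    1009: re.compile(r"^(?P<acct>\S+) logged on as (?P<mbx>/o=.+)$"),
    1013: re.compile(r"^(?P<acct>\S+) was validated as (?P<own>/o=\S+) and logged on to (?P<mbx>/o=\S+)$"),
    1016: re.compile(r"^Windows 2000 User (?P<acct>\S+) logged on to (?P<mbx>\S+) mailbox"),
}

def parse_event(event_id, description):
    """Return (account, mailbox, owner_dn_or_None), or None if the text does not match."""
    m = PATTERNS[event_id].match(description)
    if not m:
        return None
    return m.group("acct"), m.group("mbx"), m.groupdict().get("own")

def mailbox_cn(mbx):
    # For a legacyExchangeDN keep the last cn= component; 1016 already gives a plain name.
    return mbx.rsplit("cn=", 1)[-1] if "cn=" in mbx else mbx

def non_owner_logons(events):
    """Count (account, mailbox, event_id) triples where the logon account is not the owner."""
    hits = Counter()
    for event_id, desc in events:
        parsed = parse_event(event_id, desc)
        if parsed is None:
            continue
        acct, mbx, own = parsed
        if acct in ALLOWLIST:
            continue
        if own is not None and own == mbx:       # 1013 self-logon: validated DN == target DN
            continue
        if acct.split("\\")[-1].lower() == mailbox_cn(mbx).lower():  # name-based owner check
            continue
        hits[(acct, mailbox_cn(mbx), event_id)] += 1
    return hits

if __name__ == "__main__":
    for (acct, mbx, eid), n in sorted(non_owner_logons(SAMPLE_EVENTS).items()):
        print(f"{acct} -> {mbx} (event {eid}): {n}")
```

As the thread itself concludes, a hit is a lead to follow up (for example by comparing timing against meeting requests in that mailbox), not proof that the mailbox contents were read.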
1 Solution
 
Claude_Cardinal (Author) commented:
I've read those articles, and understand that event IDs 1013 and 1016 could mean that only the calendar was accessed, but not necessarily the entire mailbox. What I am trying to determine is if the mailbox was accessed, for example by opening it as a second mailbox in Outlook (or even as a primary mailbox). I am still unclear from those articles if event ID 1009 falls into the same category as 1013 and 1016. Is event ID 1009 enough proof to go to management and say "hey, this Exchange admin is going through other users' mailboxes"?
I read about the tool PFDAVAdmin and turning logging up to the maximum, but is this absolutely necessary and the only way to prove unauthorized mailbox access? (This also means I can't use my logs from the past few months to prove anything??)
Has anyone else had a similar situation and had to prove somehow that someone was accessing someone else's mailbox? How did you do it?

Regards,
 
Malli Boppe commented:
Event ID 1013 informs you that the specified user account has opened an additional mailbox. Event ID 1016 doesn't confirm that someone has opened the mailbox, but 1013 definitely does. Also, 1009 confirms that the admin has opened someone else's mailbox.
 
Claude_Cardinal (Author) commented:
Because of the severity of the implications, we felt it necessary to place a call with Microsoft for validation, since any documentation on this is not very clear in my opinion.
Event IDs 1016, 1013 and 1009 DO NOT necessarily mean a user with Exchange Admin rights did in fact open another user's mailbox. It could simply mean a meeting request in the calendar (I did a test and validated this). So really, what is the point of logging these events, not to mention how misleading they are?? There is no way to audit and solidly determine if an admin is abusing his/her power. This is a big shortcoming if you ask me.
 
Malli Boppe commented:
Claude

I haven't tried this in a real-time scenario. You might be right.
 
Computer101 commented:
PAQed with points refunded (250)

Computer101
EE Admin