Exchange security.

Hi,
I have a situation that is a mix of Active Directory, Exchange and security.

Server: Windows 2003 ENT.
Exchange 2003 ENT.

One of the accounts was accessed and an email was sent from it. It looks like it was done through OWA, because it was sent at 04:00 am.

The user of that email says that he didn't send that email, and he claims that someone reset his password and sent the email.

Is there any way we can trace a password reset, or a password change?
And how can we make sure it was not the user who sent that mail and changed his password after that?

al_ghamdi Asked:
 
r-k Commented:
I haven't played with this lately, but apparently:

"When a user changes his own password Windows Server 2003 logs event ID 627, Change Password Attempt..."

and

"When an administrator resets some other users password such as in the case of forgotten password support calls, Windows Server 2003 logs event ID 628."

The above is from: http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html

Audit account management must be enabled for these events to be logged.
 
r-k Commented:
You need to be sure that the mail was sent from your server. It is all too easy to attach a fake return address with any email.

If you haven't already, then enable message tracking:

 http://www.msexchange.org/tutorials/The_Exchange_Message_Tracking_Center_or_How_to_Save_Your_A_in_a_Pinch.html

You may want to audit logon events:

 http://technet2.microsoft.com/windowsserver/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
 http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
 
al_ghamdi Author Commented:
Hello,
the email was sent from the server, because we found it in the Sent Items of that account.

Because of that I ignore the fake mail option.
:)
 
r-k Commented:
I guess that proves that it was sent from your server, but to know who might have sent it you'd need to have auditing turned on, and even then it would be hard to know who exactly did it if passwords are compromised.
 
al_ghamdi Author Commented:
I was checking deeper, and I believe changing the password is registered in the Event Viewer on the domain controller, and I can see how that user's password was changed.

If it was changed by himself, it means that he did it, and he is trying to play.

If one of the administrators did it, we can see him, and then he is the one playing in the network.

:)
Correct me if I am wrong!
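The check discussed in this thread (event ID 627 for a user's own password change, 628 for a reset by another account, each compared with the time the message was sent), as an added example that is not part of the original posts. The export layout, the field labels, the account names and the timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample of Security log records exported from the domain
# controller: a "timestamp|event ID" line, then message fields, with "---"
# between records. The field labels are an assumption; match your export.
SAMPLE_EXPORT = """\
2007-03-12 03:41:17|628
Target Account Name: jsmith
Caller User Name: adm_k
---
2007-03-12 03:50:00|628
Target Account Name: mbrown
Caller User Name: adm_k
---
2007-03-12 08:30:05|627
Target Account Name: jsmith
Caller User Name: jsmith
"""
KINDS = {627: "change", 628: "reset"}  # event IDs quoted in the thread

def field(label, text):
    """Value of a 'Label: value' line in a record, lower-cased, or None."""
    m = re.search(r"^[ \t]*%s:[ \t]*(\S+)" % re.escape(label), text, re.M)
    return m.group(1).lower() if m else None

def password_events(export, account):
    """Time-ordered (time, kind, caller, by_owner) for events on account."""
    account, out = account.lower(), []
    for block in export.split("---"):
        header, _, body = block.strip().partition("\n")
        stamp, _, event_id = header.partition("|")
        if not event_id.strip().isdigit() or int(event_id) not in KINDS:
            continue  # not a password event, or a malformed record
        if field("Target Account Name", body) != account:
            continue  # some other user's password
        caller = field("Caller User Name", body)
        when = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")
        out.append((when, KINDS[int(event_id)], caller, caller == account))
    return sorted(out, key=lambda e: e[0])

def timeline(events, sent_at):
    """Label each event as before or after the disputed message."""
    return [("before" if when <= sent_at else "after", kind, caller, by_owner)
            for when, kind, caller, by_owner in events]

if __name__ == "__main__":
    sent = datetime(2007, 3, 12, 4, 0)  # constructed send time, 04:00
    print(timeline(password_events(SAMPLE_EXPORT, "jsmith"), sent))
```

The caller field names the account that performed the change, not the person at the keyboard, so a reset made with a compromised administrator password still points at that administrator's account.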
 
r-k Commented:
Thanks. Wish you success in your search :)
Question has a verified solution.