Exchange security.

Posted on 2007-10-01
Last Modified: 2013-12-04
I have a situation, a mix between Active Directory, Exchange and security.

Server Windows 2003 ENT.
Exchange 2003 ENT.

One of the accounts had been accessed and an email sent from it; it looks like it was done through OWA, because it had been sent at 04:00 am.

The user of that email says that he didn't send that email, and he claims that someone reset his password and sent the email.

Is there any way we can trace a password reset or a password change?
And how can we make sure that it was not the user who sent that mail and changed his password after that?

Question by: al_ghamdi

    Assisted Solution

    You need to be sure that the mail was sent from your server. It is all too easy to attach a fake return address with any email.

    If you haven't already, then enable message tracking:

    You may want to audit logon events:

    Author Comment

    The email had been sent from the server, because we found it in the Sent Items of that account.

    For that reason I ignore the fake mail option.

    Assisted Solution

    I guess that proves that it was sent from your server, but to know who might have sent it you'd need to have auditing turned on, and even then it would be hard to know who exactly did it if passwords are compromised.

    Author Comment

    I was checking deeper, and I believe changing the password is registered in the Event Viewer on the domain controller, and I can see how that user's password had been changed.

    If it had been changed by himself, it means that he did it, and he is trying to play.

    If one of the administrators did it, then we can see him, and he is the one playing in the network.

    Correct me if I am wrong!

    Accepted Solution

    I haven't played with this lately, but apparently:

    "When a user changes his own password Windows Server 2003 logs event ID 627, Change Password Attempt..."


    "When an administrator resets some other user's password such as in the case of forgotten password support calls, Windows Server 2003 logs event ID 628."

    The above is from:

    Audit account management must be enabled for these events to be logged.
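
As an added example (not part of the original thread and not any poster's code): a Python script that filters exported Security log records for event IDs 627 and 628 on one account and orders them around the time the message was sent. The record layout, the field labels in the descriptions, the account names and the timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
KIND = {627: "change", 628: "reset"}  # event IDs quoted in the answer above
# Assumed field labels in the event description; confirm against a real record.
FIELD = re.compile(r"(Target Account Name|Caller User Name):\s*(\S+)")

# Constructed sample records (time, event ID, description); not from the thread.
SAMPLE_EVENTS = [
    ("2007-09-28 09:00:00", 627, "Change Password Attempt: Target Account Name: "
     "jsmith Target Domain: CORP Caller User Name: jsmith Caller Domain: CORP"),
    ("2007-09-30 03:41:10", 628, "User Account password set: Target Account Name: "
     "jsmith Target Domain: CORP Caller User Name: admin2 Caller Domain: CORP"),
    ("2007-09-30 03:50:00", 628, "User Account password set: Target Account Name: "
     "other Target Domain: CORP Caller User Name: admin1 Caller Domain: CORP"),
    ("2007-09-30 04:12:55", 627, "Change Password Attempt: Target Account Name: "
     "jsmith Target Domain: CORP Caller User Name: jsmith Caller Domain: CORP"),
    ("2007-09-30 04:13:00", 540, "Successful Network Logon: User Name: jsmith"),
]


def password_events(events, account, sent_at, window_hours=24):
    """List password changes/resets on `account` near the time the mail was sent.

    Returns (time, kind, caller, by_owner, phase) tuples, oldest first, where
    phase says whether the event came before or after the message.
    """
    sent = datetime.strptime(sent_at, FMT)
    window = timedelta(hours=window_hours)
    hits = []
    for stamp, event_id, text in events:
        if event_id not in KIND:
            continue  # not a password change or reset
        fields = dict(FIELD.findall(text))
        target = fields.get("Target Account Name", "")
        when = datetime.strptime(stamp, FMT)
        if target.lower() != account.lower() or abs(when - sent) > window:
            continue  # different account, or too far from the send time
        caller = fields.get("Caller User Name", "unknown")
        phase = "before" if when < sent else "after"
        hits.append((when, KIND[event_id], caller,
                     caller.lower() == target.lower(), phase))
    return sorted(hits)


if __name__ == "__main__":
    for when, kind, caller, by_owner, phase in password_events(
            SAMPLE_EVENTS, "jsmith", "2007-09-30 04:00:00"):
        print(when, kind, "by", caller, "(owner)" if by_owner else "(other)", phase)
```

The caller field names an account, not a person, and nothing appears in the log unless Audit account management was already enabled when the password was changed.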

    Expert Comment

    Thanks. Wish you success in your search :)
