• Status: Solved

Audit Admin Usage on Exchange 2003

I suspect that one of my administrators is abusing their power and viewing others' email on the Exchange server. Is there a way to trace or backlog a particular account if I am pretty sure that this person has been logged in? Also, is there a way to monitor this going forward?
Asked:
securitythreat
KCTS Commented:
If auditing is enabled then this will be recorded in the event log. If auditing is not enabled then there is no way to go back.

To enable auditing you first need to enable auditing in the local security settings. There is a good introductory article on this at http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
 
redseatechnologies Commented:
KCTS, how do you expect to get anything useful with AD Auditing when we are CLEARLY talking about Exchange access?

securitythreat, this can be done like so, but not retrospectively;

Auditing Mailbox Access Using Exchange System Manager and Event Viewer
http://www.msexchange.org/tutorials/Auditing-Mailbox-Access-Exchange-System-Manager-Event-Viewer.html

-red
 
KCTS Commented:
It's been a log day...
 
jeffreydn Commented:
Open up your event log (eventvwr.exe), look at the Application log... You are looking for an event ID 1016. You can either sort by event id, or create a filter with View -> Filter...
 
redseatechnologies Commented:
Those events aren't going to be there unless you enable logging, as I already pointed out.
 
jeffreydn Commented:
(sorry, I got sidetracked between writing my post and posting it, and hadn't seen your response yet, red)
 
securitythreat (Author) Commented:
1016 is a perflog

Event Type:      Warning
Event Source:      Perflib
Event Category:      None
Event ID:      1016
Date:            9/5/2007
Time:            3:47:18 PM
User:            N/A
Computer:      Exchange
Description:
The data buffer created for the "MSExchangeIS" service in the "D:\Program Files\Exchsrvr\bin\mdbperf.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b0 07 b9 01 bc 2b 00 00   °.¹.¼+..
 
jeffreydn Commented:
Then you may also want to filter by Source, MSExchangeIS Mailbox. If this is not appearing in your event log, make sure things are set as described in red's post... specifically under "Logging Whats Going On".

On my server, I must have done this without thinking, as I don't remember specifically enabling this type of logging.
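An added example, not part of any post in this thread: the exchange above turns on event ID 1016 being used by more than one source, so a review of exported Application log text has to match on ID and source together. The sketch below parses records in the Event Viewer text layout quoted by the asker and lists which accounts opened mailboxes they do not own. The sample records, the account and mailbox names, the full source name and the description wording are constructed assumptions; adjust the pattern to the text your server actually logs.

```python
import re
from collections import defaultdict

# Constructed sample in the text layout Event Viewer uses when an event is copied
# out (the layout of the Perflib record quoted in the thread). Accounts, mailboxes
# and the wording of the mailbox-store description are assumptions.
SAMPLE = r"""
Event Type:      Warning
Event Source:      Perflib
Event ID:      1016
Description:
The data buffer created for the "MSExchangeIS" service is not aligned on an 8-byte boundary.

Event Type:      Success Audit
Event Source:      MSExchangeIS Mailbox Store
Event ID:      1016
Description:
Windows 2000 User EXAMPLE\admin1 logged on to jsmith@example.test mailbox, and is not the primary Windows 2000 account on this mailbox.

Event Type:      Success Audit
Event Source:      MSExchangeIS Mailbox Store
Event ID:      1016
Description:
Windows 2000 User EXAMPLE\admin1 logged on to mbrown@example.test mailbox, and is not the primary Windows 2000 account on this mailbox.
"""

FIELD = re.compile(r"^(Event Source|Event ID):[ \t]*(.*)$", re.M)
LOGON = re.compile(r"User (\S+) logged on to (\S+) mailbox, and is not the primary")

def parse_records(text):
    """Split an Event Viewer text export into one dict per event."""
    records = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        rec = {key: value.strip() for key, value in FIELD.findall(chunk)}
        rec["Description"] = chunk.partition("Description:")[2].strip()
        records.append(rec)
    return records

def non_owner_logons(text):
    """Map each account to the mailboxes it opened without being the owner."""
    seen = defaultdict(set)
    for rec in parse_records(text):
        # Event IDs are unique only per source: Perflib also has a 1016.
        if rec.get("Event ID") != "1016":
            continue
        if not rec.get("Event Source", "").startswith("MSExchangeIS Mailbox"):
            continue
        match = LOGON.search(rec["Description"])
        if match:
            seen[match.group(1)].add(match.group(2))
    return {account: sorted(boxes) for account, boxes in seen.items()}

if __name__ == "__main__":
    print(non_owner_logons(SAMPLE))
```

As the thread notes, these records exist only from the point logging was enabled, so an empty result on older exports says nothing about earlier access.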