
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3085

Event ID 1029 - Is this a sign of intrusion?

Hi Experts,

I would like to know what is the meaning of event ID 1029 for MS Exchange 2003. Apparently it logs when an unauthorized user attempts to access another user's mailbox. But is this 100% accurate? I have a user who apparently is attempting to access executive mailboxes. I checked his PC for mapped mailboxes but there is no trace. Also this person is not too knowledgeable of PCs, to the point where he needs assistance logging off his PC. How can I isolate the origin of these events? I thought it could be caused by Public Folder access activity, but the targeted users don't have any Public folders.

Sample Event Log:

xxxx.corp.xxxx.com 1029 MSExchangeIS Mailbox Store jasonm@xxx.com failed an operation because the user did not have the following access rights: 'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact' The distinguished name of the owning mailbox is /O=xxxx/OU=xxxxxx/CN=RECIPIENTS/CN=johnDoe. The folder ID is in the data section of this event. For more information, click http://www.microsoft.com/contentredirect.asp.  
Perhaps the user is unknowingly trying to 'open' a certain mailbox(s) from Outlook and may not want to admit that he has tried it. :)
Brad Held Commented:
Does this user have a shared contacts folder to user1?
Also it points to jasonm as the person doing the access, does someone else know this person's password?

I would validate that diagnostic logging is enabled:
1. Start the Microsoft Exchange Administrator program.
2. In the console tree, double-click Servers, right-click the server object, and then click Properties.
3. Click the Diagnostic Logging tab, and then in Services, click MSExchangeIS - Private.
4. In Categories, click Logons and Access Control, and then set the logging level to Maximum.
5. Click OK to apply the settings. You do not have to restart any of the services for event messages to be logged.  
Admin1980 (Author) Commented:
I doubt it, according to the logs the same user attempted to access three separate mailboxes at the exact same time by the second.

This happens when you have Diagnostics Logging for MSExchangeIS Mailbox\Access Control turned up. They are expected when logging is enabled. You can get rid of them by turning logging off for that counter. Microsoft says to ignore it.
Admin1980 (Author) Commented:

Can you provide a link to prove what you stated?  I have the VP of IT requesting to get to the bottom of this.

Michael Worsham (Infrastructure / Solutions Architect) Commented:
Here is a step-by-step guide for...

Auditing Mailbox Access Using Exchange System Manager and Event Viewer
Admin1980 (Author) Commented:
Thanks for the link, this answers all my questions and more.
Thanks to everyone else for assisting.
No points even for an assist, when I gave the solution? And you didn't even give me 15 minutes to respond?
Well, I guess you can't win them all no matter what you do...  
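
Added example, not part of the original thread: a small Python parser for the event 1029 description quoted in the question, which groups denials by account and second to surface the "three mailboxes at the exact same second" pattern the author describes so it can be lined up against logon events. It assumes the events were exported as (timestamp, description) pairs; the timestamps and the mailbox names `execA` and `execB` are constructed sample data.

```python
import re
from collections import defaultdict

# Fields of the event 1029 description text as quoted in the question.
EVENT_RE = re.compile(
    r"(?P<actor>\S+) failed an operation because the user did not have "
    r"the following access rights:(?P<rights>.*?)"
    r"The distinguished name of the owning mailbox is (?P<dn>/.+?)\.(?=\s|$)"
)

def parse_1029(message):
    """Return actor, denied rights and owning mailbox, or None if not a 1029 text."""
    m = EVENT_RE.search(" ".join(message.split()))  # tolerate wrapped lines
    if not m:
        return None
    dn = m.group("dn")
    return {
        "actor": m.group("actor"),
        "rights": re.findall(r"'([^']+)'", m.group("rights")),
        "dn": dn,
        "mailbox": re.split(r"/cn=", dn, flags=re.I)[-1],  # last CN component
    }

def same_second_bursts(events, min_mailboxes=3):
    """List (actor, timestamp, mailboxes) where one account was denied on
    min_mailboxes or more distinct mailboxes within the same second."""
    seen = defaultdict(set)
    for ts, msg in events:
        rec = parse_1029(msg)
        if rec:
            seen[(rec["actor"], ts)].add(rec["mailbox"])
    return sorted((a, ts, sorted(mb)) for (a, ts), mb in seen.items()
                  if len(mb) >= min_mailboxes)

# Constructed sample input in the format of the event shown in the question.
TEMPLATE = ("{actor} failed an operation because the user did not have the "
            "following access rights: 'Delete' 'Read Property' 'View Item' "
            "The distinguished name of the owning mailbox is "
            "/O=xxxx/OU=xxxxxx/CN=RECIPIENTS/CN={owner}. "
            "The folder ID is in the data section of this event.")
SAMPLE = [
    ("2009-03-02 08:15:07", TEMPLATE.format(actor="jasonm@xxx.com", owner="johnDoe")),
    ("2009-03-02 08:15:07", TEMPLATE.format(actor="jasonm@xxx.com", owner="execA")),
    ("2009-03-02 08:15:07", TEMPLATE.format(actor="jasonm@xxx.com", owner="execB")),
    ("2009-03-02 11:40:52", TEMPLATE.format(actor="jasonm@xxx.com", owner="johnDoe")),
    ("2009-03-02 11:41:10", "Some other event text"),
]

if __name__ == "__main__":
    for actor, ts, mailboxes in same_second_bursts(SAMPLE):
        print(ts, actor, "->", ", ".join(mailboxes))
```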
