Event ID 1029 - Is this a sign of intrusion?

Hi Experts,

I would like to know what is the meaning of event ID:1029 for MS Exchange 2003. Apparently it logs when an unauthorized user attempts to access another user's mailbox. But is this 100% accurate? I have a user who apparently is attempting to access executive mailboxes. I checked his PC for mapped mailboxes but there is no trace. Also this person is not too knowledgeable of PCs, to the point where he needs assistance logging off his PC. How can I isolate the origin of these events? I thought it could be caused by Public Folder access activity, but the targeted users don't have any Public folders.

Sample Event Log:

xxxx.corp.xxxx.com 1029 MSExchangeIS Mailbox Store jasonm@xxx.com failed an operation because the user did not have the following access rights: 'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact' The distinguished name of the owning mailbox is /O=xxxx/OU=xxxxxx/CN=RECIPIENTS/CN=johnDoe. The folder ID is in the data section of this event. For more information, click http://www.microsoft.com/contentredirect.asp.  
Admin1980 asked:

MarkMichael commented:
Perhaps the user is unknowingly trying to 'open' a certain mailbox(s) from Outlook and may not want to admit that he has tried it. :)
0
Brad Held commented:
Does this user have a shared contacts folder to user1?
Also it points to jasonm as the person doing the access, does someone else know this person's password?

I would validate that diagnostic logging is enabled:
1. Start the Microsoft Exchange Administrator program.
2. In the console tree, double-click Servers, right-click the server object, and then click Properties.
3. Click the Diagnostic Logging tab, and then in Services, click MSExchangeIS - Private.
4. In Categories, click Logons and Access Control, and then set the logging level to Maximum.
5. Click OK to apply the settings. You do not have to restart any of the services for event messages to be logged.  
0
Admin1980 (Author) commented:
I doubt it, according to the logs the same user attempted to access three separate mailboxes at the exact same time by the second.
0
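
Added example, not part of the original thread: a small Python sketch that parses exported 1029 messages and groups denials by account and second, to surface the pattern described in the comment above (one account denied on several mailboxes within the same second). The message wording follows the sample event in the question; the tab-separated timestamp column, the function names and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message wording follows the sample event in the question. The leading
# "timestamp<TAB>" column is an assumed export layout, not shown on the page.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t(?P<actor>\S+) failed an "
    r"operation because the user did not have the following access rights: "
    r"(?P<rights>(?:'[^']+'\s*)+)The distinguished name of the owning mailbox "
    r"is (?P<dn>/.+?)\. The folder ID"
)

# Constructed sample data (not real log lines).
_MSG = ("{actor} failed an operation because the user did not have the "
        "following access rights: 'Read Property' 'View Item' The "
        "distinguished name of the owning mailbox is "
        "/O=EX/OU=SITE/CN=RECIPIENTS/CN={mbx}. The folder ID is in the data "
        "section of this event.")
SAMPLE = "\n".join([
    "2009-03-02 09:14:07\t" + _MSG.format(actor="jasonm@example.com", mbx="exec1"),
    "2009-03-02 09:14:07\t" + _MSG.format(actor="JasonM@example.com", mbx="exec2"),
    "2009-03-02 09:14:07\t" + _MSG.format(actor="jasonm@example.com", mbx="exec3"),
    "2009-03-02 10:02:41\t" + _MSG.format(actor="annb@example.com", mbx="team1"),
    "2009-03-02 10:05:00\tInformation Store service started.",  # unrelated line
])

def parse_events(text):
    """Yield (timestamp, actor, mailbox_dn, rights) for each 1029 message."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            rights = re.findall(r"'([^']+)'", m["rights"])
            yield m["ts"], m["actor"].lower(), m["dn"], rights

def same_second_bursts(events, min_mailboxes=2):
    """Map (actor, second) -> mailboxes, keeping groups with several targets."""
    groups = defaultdict(set)
    for ts, actor, dn, _rights in events:
        groups[(actor, ts)].add(dn)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_mailboxes}

if __name__ == "__main__":
    for (actor, ts), boxes in same_second_bursts(parse_events(SAMPLE)).items():
        print(f"{ts} {actor}: denied on {len(boxes)} mailboxes: {boxes}")
```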
cedarghost commented:
This happens when you have Diagnostics Logging for MSExchangeIS Mailbox\Access Control turned up. They are expected when logging is enabled. You can get rid of them by turning logging off for that counter. Microsoft says to ignore it.
0
Admin1980 (Author) commented:
cedarghost:

Can you provide a link to prove what you stated? I have the VP of IT requesting to get to the bottom of this.

Thanks
0
Michael Worsham (Staff Infrastructure Architect) commented:
Here is a step-by-step guide for...

Auditing Mailbox Access Using Exchange System Manager and Event Viewer
http://www.msexchange.org/tutorials/Auditing-Mailbox-Access-Exchange-System-Manager-Event-Viewer.html
0

Admin1980 (Author) commented:
Thanks for the link, this answers all my questions and more.
Thanks to everyone else for assisting.
0
cedarghost commented:
No points even for an assist, when I gave the solution? And you didn't even give me 15 minutes to respond?
Well, I guess you can't win them all no matter what you do...  
0