I have enabled mailbox access logging in Exchange 2007. After that I stumbled upon this event (represented multiple times):
Log Name: Application
Source: MSExchangeIS Mailbox Store
Date: 25-03-2010 10:40:47
Event ID: 1029
Task Category: Access Control
Computer: <CCR Node 1 name>
<CMS_name>-SA@<DNS_domain_name> failed an operation because the user did not have the following access rights:
'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact'
The distinguished name of the owning mailbox is /O=<Exchange_org>/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=CONFIGURATION/CN=SERVERS/CN=<CMS_name>/CN=MICROSOFT SYSTEM ATTENDANT. The folder ID is in the data section of this event.
I don't know if the object <CMS_name>-SA@<DNS_domain_name> refer to a System Attendant account created by Exchange or the CMS' system (computer) account (normally this would be refered as <CMS_name>$).
I have search the AD domain for the object, but without luck. Maybe the object is hidden from normal LDAP searches (samaccountmame=<CMS_name>-SA@<DNS_domain_name>). I can't grant permissions to objects which I can't find.
I haven't noticed any issues which I could relate to these events.
Have anyone else seen this warning before?