Link to home
Start Free TrialLog in
Avatar of Eric-arup
Eric-arupFlag for United States of America

asked on

Exchange 2003 unauthorized mailbox access

Hello

Trying to track unauthorized mailbox access in a Exchange 2003 enviroment by a wayward admin.  

Normally I would up the diagnostic logging to look for event id 1016 however if you look at someone's calendar in outlook it also logs this same event.  How do you differentiate unauthorized mailbox access from a calendar read?

thanks
e-
ASKER CERTIFIED SOLUTION
Avatar of Hilal1924
Hilal1924
Flag of India image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Eric-arup

ASKER

Are any of these free?  Solving the problem in the short term would have to be a free solution.  Budgets move SLOW around here.

e-
Unfortunately No. But ManageEngine will give you 30 days trial with full feature set.

http://www.manageengine.com/products/exchange-reports/index.html

This is a great Tool :)

Peace,
Hilal
This has been addresses before on EE:

See: https://www.experts-exchange.com/questions/22747857/Exchange-2003-mailbox-access-audit.html

"Because of the severity of the implications, we felt it necessary to place a call with Microsoft for validation since any documentation on this is not very clear in my opinion.  Event ID 1016, 1013 and 1009 DO NOT necessarily mean a user with Exchange Admin rights did in fact open another users mailbox.  It could simply mean a  meeting request in the calendar (I did a test and validated this).  So really, what is the point of logging these events, not to mention how misleading they are??  There is no way to audit and solidly determine if an admin is abusing his/her power.  This is a big shortcoming if you ask me."