Eric-arup
asked on
Exchange 2003 unauthorized mailbox access
Hello
Trying to track unauthorized mailbox access in a Exchange 2003 enviroment by a wayward admin.
Normally I would up the diagnostic logging to look for event id 1016 however if you look at someone's calendar in outlook it also logs this same event. How do you differentiate unauthorized mailbox access from a calendar read?
thanks
e-
Trying to track unauthorized mailbox access in a Exchange 2003 enviroment by a wayward admin.
Normally I would up the diagnostic logging to look for event id 1016 however if you look at someone's calendar in outlook it also logs this same event. How do you differentiate unauthorized mailbox access from a calendar read?
thanks
e-
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unfortunately No. But ManageEngine will give you 30 days trial with full feature set.
http://www.manageengine.com/products/exchange-reports/index.html
This is a great Tool :)
Peace,
Hilal
http://www.manageengine.com/products/exchange-reports/index.html
This is a great Tool :)
Peace,
Hilal
This is also a very good tool:
http://www.manageengine.com/products/active-directory-audit/index.html
Peace,
Hilal
http://www.manageengine.com/products/active-directory-audit/index.html
Peace,
Hilal
This has been addresses before on EE:
See: https://www.experts-exchange.com/questions/22747857/Exchange-2003-mailbox-access-audit.html
"Because of the severity of the implications, we felt it necessary to place a call with Microsoft for validation since any documentation on this is not very clear in my opinion. Event ID 1016, 1013 and 1009 DO NOT necessarily mean a user with Exchange Admin rights did in fact open another users mailbox. It could simply mean a meeting request in the calendar (I did a test and validated this). So really, what is the point of logging these events, not to mention how misleading they are?? There is no way to audit and solidly determine if an admin is abusing his/her power. This is a big shortcoming if you ask me."
See: https://www.experts-exchange.com/questions/22747857/Exchange-2003-mailbox-access-audit.html
"Because of the severity of the implications, we felt it necessary to place a call with Microsoft for validation since any documentation on this is not very clear in my opinion. Event ID 1016, 1013 and 1009 DO NOT necessarily mean a user with Exchange Admin rights did in fact open another users mailbox. It could simply mean a meeting request in the calendar (I did a test and validated this). So really, what is the point of logging these events, not to mention how misleading they are?? There is no way to audit and solidly determine if an admin is abusing his/her power. This is a big shortcoming if you ask me."
ASKER
e-