How to log Exchange Client Activity

premillard asked:
Here is the situation. Someone on our network is accessing another person's email using an email client (Outlook). Obviously they found out their password. How can I get log files to prove that the person's email box is being accessed by the certain computer IP of the culprit?
Exchange logging only seems to track the messages coming in and out of the Exchange server.
I have IIS logging set up for OWA access logging.
So here is what I need to log. Computer IP xx.xx.xx.xx send userID domain\victim time etc...
Now this may be in Exchange logging but I may not know how to set it up correctly, please help.

Just to clarify, I'm not looking for help to prevent this from happening; I'm looking for help to gather evidence on this culprit.

Top Expert 2010
Commented:
In Exchange System Manager go to your Storage Group > Mailbox Store > Logons.
Here you can see your users when they log on and what client version they use.

If you click on View > Add/Remove Columns you will get a box where you can select IP, Client Name and many more options.

Now you can find your mole.
For example, if my username is user1 and in account name you can see yourdomain\user2, then you know that user 2 is reading user1's emails.

Hope that helps

Author

Commented:
Thank you so much!!
This is exactly what I needed.
I could see that the mole had the other user's email open in Logons but I also wanted the IP of his computer to prove that it is in fact being done on the mole's computer.
Top Expert 2010

Commented:
Glad it worked for you. Not too sure why my answer came out duplicated and not spell checked though, but I am glad you caught your mole :)

Author

Commented:
Now one more question if you don't mind.
Can I save the view? Each time I go back into the Logons in System Manager I have to add the columns again.
Thanks,
Top Expert 2010

Commented:
As far as I know you can't save it. I was doing the same thing last year (user using OWA to read someone else’s emails) and did some googling but couldn’t find a way to save my custom made views.

Author

Commented:
Well, it turns out he was just viewing the user's shared calendar and that made a connection to the mailbox in the Storage Group > Mailbox Store > Logons from his computer to the other user's mailbox.
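
Added example, not part of the thread and not Exchange code: a Python script that reviews a Logons view saved as tab-delimited text (for instance with the MMC Export List action) and flags both cases discussed above, another account on the mailbox and the owner's own account from an unfamiliar IP. The column names, the owner map and the usual-workstation IPs are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of a tab-delimited Logons export. The column names are
# assumptions for this example; rename them to match your own export's headers.
SAMPLE_EXPORT = (
    "User Name\tWindows Account\tLogon Time\tClient IP Address\tClient Name\n"
    "victim\tYOURDOMAIN\\victim\t2010-03-01 08:02\t10.0.0.21\tPC-VICTIM\n"
    "victim\tYOURDOMAIN\\user2\t2010-03-01 12:47\t10.0.0.35\tPC-USER2\n"
    "victim\tYOURDOMAIN\\victim\t2010-03-01 12:51\t10.0.0.35\tPC-USER2\n"
    "user2\tYOURDOMAIN\\user2\t2010-03-01 08:10\t10.0.0.35\tPC-USER2\n"
    "SystemMailbox\tNT AUTHORITY\\SYSTEM\t2010-03-01 00:00\t\t\n"
)
# Constructed reference data: mailbox -> owning account, account -> usual IPs.
OWNERS = {"victim": "yourdomain\\victim", "user2": "yourdomain\\user2"}
HOME_IPS = {"yourdomain\\victim": {"10.0.0.21"},
            "yourdomain\\user2": {"10.0.0.35"}}


def review_logons(export_text, owners, home_ips):
    """Return the logon rows worth a closer look, each tagged with a reason."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        mailbox = row["User Name"].strip().lower()
        account = row["Windows Account"].strip().lower()
        ip = row["Client IP Address"].strip()
        owner = owners.get(mailbox)
        if owner is None:
            continue  # system or unmapped mailbox, out of scope here
        if account != owner:
            # Another account has this mailbox open. This can also be a
            # delegate or a shared calendar, so confirm before concluding.
            reason = "other-account"
        elif ip and ip not in home_ips.get(owner, set()):
            # The owner's own credentials, used from someone else's machine.
            reason = "owner-account-unusual-ip"
        else:
            continue
        findings.append({
            "reason": reason, "mailbox": mailbox, "account": account,
            "ip": ip, "client": row["Client Name"].strip(),
            "time": row["Logon Time"].strip(),
        })
    return findings


if __name__ == "__main__":
    for f in review_logons(SAMPLE_EXPORT, OWNERS, HOME_IPS):
        print(f["time"], f["reason"], f["mailbox"], f["account"], f["ip"])
```

Exporting the view on a schedule and keeping the files also preserves the evidence, since the Logons view itself only shows current connections.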