Solved

Checking what Exchange mailboxes have been accessed by an account?

Posted on 2012-03-27
Last Modified: 2012-08-14
Hey All,

I am the lone system admin at my company looking after all the desktops/servers/network etc.  A few weeks ago I took some vacation so my boss asked me to create a temp admin account for one of the more technical users here so if they needed to logon while I was away to reset passwords etc they could.

No worries there, but when I came back I noticed that person had decided to email the main password file, which they were given access to, around to some of the developers as they wanted to make some changes!!!  This pee'ed me off, but as I get zero backup when I tackle these issues I let it slide, but today I found something which has worried me.

I added a new mail account into Exchange and when I was looking at the permissions I noticed this temporary admin account had inherited Full Access rights?!?!  I did some digging and yep this temp account I created has been given Full Access rights at the top level, so they can open up any mailbox in my company!  I had disabled the account when I came back in so nothing has been accessed since, but someone has given this account access to everything and I want to find out who and what was accessed.

I have Exchange 2003 but don't know how I would go about finding what this account would have accessed during the period I was away, specifically what mailboxes have been opened up with it!  Any help on this please?

Thanks,

Andy
Question by:manic_andy
4 Comments
 
Accepted Solution

by: apache09
ID: 37774688
First thing you need to do is disable the account, if you haven't already.

Next thing you can do is log onto the Exchange Server.
Open the Exchange System Manager.

Under the domain expand
Administrative Groups
Domain
Servers
Exchange Server Name
First Storage Group
Mailbox Store
Click on Mailboxes

On the right you should get a view of the mailboxes
You should see a column of Last logged on by

If the admin account was used to logon to any of the mailboxes recently, it will be listed here.

Now the tricky bit is.....

If the admin account was used to access a mailbox.
If a user went to check someone's calendar, this last logged on by will be overwritten.

If the admin account was simply used to check a calendar (which is not necessarily malicious) it would be listed here.

If various staff members used the admin account to access mailboxes
you would not see their account info, you would simply see the admin account you created.
0
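The "Last logged on by" value described in the answer above can also be read for every mailbox at once through the Exchange 2003 WMI provider (`Exchange_Mailbox` in `root\MicrosoftExchangeV2`). The script below is an added example, not part of apache09's answer; the server name, account name, and sample records are constructed placeholders. The same limit applies: only the most recent logon per mailbox is held, so an empty result does not show the account was never used.

```powershell
# Added example: server, account and sample records are placeholders, not thread data.

# Live query: one Exchange_Mailbox instance per mailbox on an Exchange 2003 server.
function Get-MailboxLogonRecord {
    param([Parameter(Mandatory=$true)][string]$Server)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftExchangeV2' `
                  -Class Exchange_Mailbox
}

# Keep mailboxes whose most recent logon was made by $Account inside the window.
function Find-LogonByAccount {
    param(
        [Parameter(Mandatory=$true)]$Mailboxes,
        [Parameter(Mandatory=$true)][string]$Account,
        [datetime]$From = [datetime]::MinValue,
        [datetime]$To   = [datetime]::MaxValue
    )
    foreach ($mb in $Mailboxes) {
        # String -ne is case-insensitive; a null value means no logon is recorded.
        if ($mb.LastLoggedOnUserAccount -ne $Account) { continue }
        $when = $mb.LastLogonTime
        if ($when -is [string]) {
            # WMI returns DMTF timestamps such as 20120320091500.000000+000.
            $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($when)
        }
        if ($when -lt $From -or $when -gt $To) { continue }
        New-Object PSObject -Property @{
            Mailbox       = $mb.MailboxDisplayName
            Store         = $mb.StoreName
            LastLogonTime = $when
        }
    }
}

# Constructed sample records shaped like Exchange_Mailbox instances.
$sample = @(
    (New-Object PSObject -Property @{ MailboxDisplayName = 'Finance Shared'; StoreName = 'Mailbox Store (EXCH01)'
        LastLoggedOnUserAccount = 'EXAMPLE\tempadmin'; LastLogonTime = '20120320091500.000000+000' }),
    (New-Object PSObject -Property @{ MailboxDisplayName = 'J. Smith'; StoreName = 'Mailbox Store (EXCH01)'
        LastLoggedOnUserAccount = 'EXAMPLE\jsmith'; LastLogonTime = '20120326083000.000000+000' }),
    (New-Object PSObject -Property @{ MailboxDisplayName = 'Unused'; StoreName = 'Mailbox Store (EXCH01)'
        LastLoggedOnUserAccount = $null; LastLogonTime = $null })
)

# Against a real server: -Mailboxes (Get-MailboxLogonRecord -Server 'EXCH01')
Find-LogonByAccount -Mailboxes $sample -Account 'example\TEMPADMIN' -From '2012-03-01' -To '2012-03-31' |
    Sort-Object LastLogonTime | Format-Table Mailbox, Store, LastLogonTime -AutoSize
```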
 

Author Comment

by:manic_andy
ID: 37778706
Thanks.  Yep, I disabled the account the day I came back to work anyway.

I looked at the Mailbox to see the last logged on account, but as it's been a few weeks since I disabled the account nothing shows up.

I have found that they added the permissions in at the store level, giving that temp account allow on every permission level for the entire mailbox store.  I have found the TS session which logged onto the Exchange server during the period I was away; there was only the one session, so I know which user has logged onto the Exchange server where the change was made, so that narrows it down.  Now I just want to find out if they have been opening up mailboxes on the sly, as there is no good reason for them to be adding that temp account in like that.

Thx.
Assisted Solution

by:apache09
ID: 37778730
If you don't see any info in last logged on by, the info is gone.

Your only chance would be to re-enable the account.
Open an Outlook session (hopefully they were using Outlook 2003/2007).
Then go to File, Open.

You should have some options to open various items,
but you would also see a cache of the last 10 or so Inbox, Calendar, Tasks etc. that were opened using the account.

Other than that, there's really no other way.

Author Closing Comment

by:manic_andy
ID: 37778795
Thanks.  Yep, that's what I feared, it's just been too long since the account has been disabled to check.

Oh well.  I opened up Outlook on a VM signed in as this user but couldn't see anything in the recent items list, so they may have opened them up via the Account Settings, as they know how to do this as they have some shared mailboxes they access like this.

Oh well, I'll keep this one under my hat for now and will just mention it to my boss that I found out this has happened, can't prove what's been accessed but this person logged on at x time and permissions have been set to access all mailboxes, so just letting you know.

Thanks guys, appreciate your help.