Solved

Trap a login by acct name

Posted on 2014-02-06
Last Modified: 2014-08-19
We have an account that is logging into an Exchange server. We know the account is legitimate but no longer required, but before we remove it we need to find out what resource it is accessing... looked in service, looked in registry, can't seem to find a good reference. Any ideas to speedily trap the login and what it is doing?
0
Question by:halkuff
8 Comments
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39839805
You need to find out what the account/login is looking for on the Exchange server? Or are you trying to determine where the requests are coming from?
0
 

Author Comment

by:halkuff
ID: 39839811
Both
0
 
LVL 15

Accepted Solution

by:jrhelgeson (earned 2000 total points)
ID: 39839919
Both questions can be answered from identifying the device it is logging in from.  I'd start by looking in the security event log on the Exchange server. If it is not logging in using NTLM, then you'd need to look in the Exchange server log files (the IIS web server logs).

Log files will show you user authentication and limited information on what resource is being accessed/requested by that login.  You can search your logs for that user account to see what it has been accessing in the past.

If the account is not authenticating using HTTP or NTLM, it might just be getting used to authenticate and send mail using basic authentication. If that is the case, it will not show up in the IIS or security event logs.  If that is the case, a packet capture will be your best bet as that authentication will happen in clear text and you'll be able to pull it right out of a packet capture.  I'd check and see if it is being used by fax/copiers/scanners to authenticate and send mail.

Once you get an IP address of the device accessing the account, you can go to that device and see what program is accessing that account.  Check SMTP services, etc.  Then you'll know what the program is doing.  If it still isn't obvious, you can disable the mail account and look in the event log of the target computer for any failed entries related to the mail account.

That's all I can come up with at this time off the top of my head.

Joel
0
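The IIS log search described in the accepted answer, as an added example that is not part of the original thread: it reads W3C extended log lines, matches one account however its name is written, and tallies which client IP requested which resource. It assumes the logs record the `c-ip` and `cs-username` fields; the account name `svc-scan`, the addresses and the log lines are constructed.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (all values are invented).
# IIS writes spaces inside a field as '+', so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs-username cs(User-Agent) sc-status
2014-02-06 09:00:01 POST /EWS/Exchange.asmx 10.0.0.25 CORP\\svc-scan ScanStation/1.0 200
2014-02-06 09:00:05 GET /owa/ 10.0.0.40 CORP\\alice Mozilla/5.0 200
2014-02-06 09:05:01 POST /EWS/Exchange.asmx 10.0.0.25 svc-scan@corp.example ScanStation/1.0 200
2014-02-06 09:06:00 POST /Microsoft-Server-ActiveSync 10.0.0.77 corp\\SVC-SCAN Apple-iPhone 401
#Fields: date time c-ip cs-username cs-uri-stem sc-status
2014-02-06 10:00:00 10.0.0.25 svc-scan /EWS/Exchange.asmx 200
2014-02-06 10:00:02 10.0.0.40 - /owa/ 401
"""

def bare_name(username):
    """Reduce DOMAIN\\user, user@domain or user to a lower-case account name."""
    name = username.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()

def trace_account(lines, account):
    """Tally (client IP, URI stem, user agent, status) for one account."""
    fields, hits = [], Counter()
    target = bare_name(account)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; always use the latest header.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Anonymous requests are logged with '-' as the user name and never match.
        if bare_name(row.get("cs-username", "-")) != target:
            continue
        hits[(row.get("c-ip", "-"), row.get("cs-uri-stem", "-"),
              row.get("cs(User-Agent)", "-"), row.get("sc-status", "-"))] += 1
    return hits

def sources(hits):
    """Collapse the tally to request counts per client IP."""
    per_ip = Counter()
    for (ip, _stem, _agent, _status), count in hits.items():
        per_ip[ip] += count
    return per_ip

if __name__ == "__main__":
    for (ip, stem, agent, status), n in trace_account(SAMPLE_LOG.splitlines(), "svc-scan").most_common():
        print(f"{n:4d}  {ip:<12} {status}  {stem}  {agent}")
```

The per-IP totals from `sources()` give the devices to visit next; an address that only produces 401 responses points to a device with a stale stored password rather than an active use of the account.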
 

Author Comment

by:halkuff
ID: 40227232
I've requested that this question be deleted for the following reason:

No longer an issue
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 40227233
An answer was provided
0


Question has a verified solution.
