Exchange 2003 mailbox access auditing

arwesarwes Posts: 633Member
Heh, well I've got an interesting thing going on at work. One of the employees pulled me aside and said that another employee (non-IT role) has been bragging about her ability to get into other people's mail boxes. I did notice her name in Exchange System Manager awhile back in the 'Last logged on by' column by some ex-employees, but I gave her the benefit of the doubt (maybe she was looking at their calendar, which would do the same).

Since I've heard this today, I've turned on maximum logging for mailboxes and set the logs to never overwrite. I'll be keeping an eye on it daily for awhile to see if I see anything out of the ordinary. I'm using this tutorial to help out with everything. I never knew about the PFDAVAdmin tool, it's pretty neat! I'll be using that to prove that access was made to something other than the other employee's calendar.

Auditing Mailbox Access Using Exchange System Manager and Event Viewer

Is this the method you guys use for auditing mailbox naughtiness? I'm still trying to figure out how she's doing it. I use webmail to set other employee's out of office messages, but I'm an administrator. I set up a test account using the same permissions as the employee under investigation, and I was unable to access other employees using webmail. Another method I tested was logging into the test account's webmail, but using an administrator's password to get into someone else's webmail account. When doing that, it shows in 'Last logged on by' the administrator account, not the regular employee's account.
[size=-2]Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation![/size]


  • sidsanderssidsanders Posts: 217Member
    i think thats a decent way to check.

    we had a person who simply had the credentials of their boss.they used owa to check things so i was able to use the iis logs to show the two accounts from one remote ip (home cable). there is a mapi tool which is more real time as well (exmon) if you suspect the person is doing it then, it only monitors mapi traffic though, no pop3/impa4/owa.
Sign In or Register to comment.