Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Dodgy exchange administrator 2
- Thread starter covski
- Start date
The NT Event Viewer on the Exchange server may tell you something. My Exchange 5.5 servers show event id 1016, Source: MSExchangeIS Private, Type: Success Audit, Description: "The NT user blahblah logged on to the blahblah mailbox and is not the primary Windows NT account on this mailbox." This may provide you some information if your Exchange Administrator is logged on with his own NT account when he is accessing the mailboxes.
Not necessarly, event id 1016 is a standard message if you share mailbox components, such as calendar or contact list with other users. Besides there's an easy way to aviod this message.
An event ID 1016 message is not logged in the Application event log when you access another user's mailbox or schedule if a primary Windows NT account has not been assigned to that user's mailbox.
A smart admin is hard to catch, he can temporarly assign his own account as a primary user account for the mailbox, read the emails and than reverse the change.
He can also use LC4 to crack the passwords and than open mailboxes via OWA.
You can also refer to Microsoft Knowledge Base Article - 182900 - Windows NT Account Is Able To Access All Mailboxes
Good luck!
An event ID 1016 message is not logged in the Application event log when you access another user's mailbox or schedule if a primary Windows NT account has not been assigned to that user's mailbox.
A smart admin is hard to catch, he can temporarly assign his own account as a primary user account for the mailbox, read the emails and than reverse the change.
He can also use LC4 to crack the passwords and than open mailboxes via OWA.
You can also refer to Microsoft Knowledge Base Article - 182900 - Windows NT Account Is Able To Access All Mailboxes
Good luck!
-
2
- #6
Looking for event ID 1016 is a good start. If the exchange service account is shown as opening mailboxes when you know no other exchange administrators have been using the account, you have good evidence. If this is the case, change the password on the account and tell only the administrators you trust. When you see a failed login for that account when the suspected admin had no need to use the account, your evidence grows. (don't forget that the service account password must be changed through the Exchange Admin program - select 'Configuration' for your site, and open the properties window, then select the service account password tab). If he asks about the password not working, feign forgetfullness and give him the new password and continue monitoring for imporper mailbox access. If you see the activity you are expecting, document everything so you can have the individual terminated! Actions such as you suspect are not only an invasion of privacy, they betray the trust users place in network administrators.
Bob
Bob
- Status
Similar threads
- Locked
- Helpful tip
- Locked
- Question
