Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Exch2K: Under what circumstance?

Status
Not open for further replies.

dm318

MIS
Aug 4, 2002
35
SG
Hi All. Quick question. Would appreciate if any seasoned admin can help...

I administer one of my company's Exch2K box and occasionally, under Exchange System Manager, I'll notice some of the Information Store's Mailboxes' "Last Logged On By" field being populated by another admin's account (even though the person is not responsible for that container). So my question is... under what circumstances would one's account name appear under the "Last Logged On By" field?

Thanks!!
dm318
 
Whenever that Admin accessed the mailbox or 'touched' that mailbox's properties.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!

How Do I Get Great Answers To my Tek-Tips Questions? See faq222-2244
 
Hi Marcs41, thanks for the quick reply. That was what I thought as well... but the admin denies "touching" anything... that's why I'm curious to find out if any other automated process or background tasks the particular admin is responsible for may have "touched" the accounts automatically.

 
How about your backup system


If you backup your mailboxes a admin touches them all



bob

"ZOINKS !!!!!"

Shaggy

 
Hi bob, nope. That particular admin does not handle backup on what I'm handling. In fact, our areas of admin responsibility are mutually exclusive. That's what's causing me to wonder....
 
I would be wondering to and recording his logons just to CYA incase they do something drastic



bob

"ZOINKS !!!!!"

Shaggy

 
Thanks bob. Any recommendation as to what I should do? I'm not too deep into Exchange...
 
Btw, the exchange server's event viewer registered the particular admin's access event ID as 576. Any idea what that means? A check at MS says only "Special privileges assigned to new logon".
 
Check ou the following

Microsoft Knowledge Base Article - 822774

If its not you then post the whole event log also I do not believe event 576 has anything to do with the other admin accessing the system mailbox

bob

"ZOINKS !!!!!"

Shaggy

 
Hi bob, this is what the event log shows.

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3808140)
Assigned: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege

Hope its nothing critical at all... Just not wanting anything bad happen while things are under my watch.

Thanks!!!
 
In addition to the poste MS KB, check this one:

Some posts in the microsoft.public.win2000.security newsgroup state that the user and domain (1st and 2nd) entries in a 576 audit event may be left blank if the associated logon session has gone away before the audit event is generated (because audit event generation is asynchronous), but that you can always use the logon-id field (3rd entry) to find the user and domain from an earlier logon audit.


Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!

How Do I Get Great Answers To my Tek-Tips Questions? See faq222-2244
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top