Exchange 2007 Auditing with SP2
I am trying to audit Mailbox access so followed the various details on the web. I have recently installed Exchange SP2 on our Exchange 2007 W2K3 server. I have changed the MSExchangeIs\Private 9000 logging level to Low and can see lots of 1016 events appearing.
However I get hundreds of hits for the NT AUTHORITY\NETWORKSERVICE account which I'm assuming is the Transport service service account used. I tried to remove these from the Audit logs with:-
get-mailboxdatabase | add-ADPermission -User "NT AUTHORITY\NETWORK SERVICE" -ExtendedRights ms-exch-store-bypass-access-auditing -Inheritancetype all
and it all seems to be accepted fine, however the events still appear. Any ideas how to block this account from appearing?
June 21st, 2010 5:52pm
Hi JasonJH,
As far as I know, event 1016 indicates an attempt to access a mailbox, but does not indicate whether a user was successful in accessing folders within the mailbox.
As referred to in the KB below:
http://support.microsoft.com/kb/968310
In summary, generation of a 1016 indicates that account A has logged on to account B's mailbox. It does not mean that account A has been able to access any of the mailbox contents of account B.
Per your description, the account NT AUTHORITY\NETWORKSERVICE seems to be an IIS service account or related to an add-in application.
In my opinion, it is not a good method to add the permission for it; you could ignore it.
Regards!
gavin
June 24th, 2010 12:59pm
Hi Gavin,
Thanks for responding. The point is that I don't want to ignore the NT AUTHORITY\NETWORKSERVICE entries; I don't want them to appear in the auditing, as there are so many of them it makes finding the entries I want to see (i.e. non-Networkservice entries) difficult.
I understand all you have said, but all I need is 1016s that are not from NT AUTHORITY\NETWORKSERVICE, hence me trying to exclude them from auditing as per my initial description.
June 25th, 2010 1:55pm
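An added example, not part of the original thread: filtering the 1016 events at read time so that only entries not involving the service account are reviewed. The helper name `Select-MailboxLogonEvent`, the sample records and their message wording are assumptions made for illustration; it also assumes the account name appears in the event message text.

```powershell
# Accounts to hide from review; both spellings that appear in the thread are listed.
$ExcludedAccounts = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\NETWORKSERVICE')

function Select-MailboxLogonEvent {
    # Hypothetical helper: passes through event 1016 records whose message does
    # not mention an excluded account. Accepts any object that has EventID and
    # Message properties, so it works on Get-EventLog output and on test data.
    param([string[]]$Exclude = $ExcludedAccounts)
    process {
        $evt = $_
        if ($evt.EventID -ne 1016) { return }
        $msg = [string]$evt.Message   # a null message becomes an empty string
        foreach ($account in $Exclude) {
            # Case-insensitive literal match; no wildcard or regex interpretation.
            if ($msg.IndexOf($account, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return }
        }
        $evt
    }
}

# Constructed sample records; the message wording is illustrative only and is
# not copied from a real Exchange log.
$sample = @(
    New-Object PSObject -Property @{ EventID = 1016; Message = 'NT AUTHORITY\NETWORK SERVICE logged on to mailbox alice@example.com' }
    New-Object PSObject -Property @{ EventID = 1016; Message = 'EXAMPLE\bob logged on to mailbox alice@example.com' }
    New-Object PSObject -Property @{ EventID = 1016; Message = 'nt authority\networkservice logged on to mailbox carol@example.com' }
    New-Object PSObject -Property @{ EventID = 9999; Message = 'EXAMPLE\bob unrelated event' }
    New-Object PSObject -Property @{ EventID = 1016; Message = 'EXAMPLE\dave logged on to mailbox carol@example.com' }
)

$kept = @($sample | Select-MailboxLogonEvent)
$kept | Format-Table EventID, Message -AutoSize

# How many 1016 records were suppressed, so the filter's effect stays visible.
$total1016 = @($sample | Where-Object { $_.EventID -eq 1016 }).Count
"Kept {0} of {1} event 1016 records" -f $kept.Count, $total1016

# Against the live log (Windows PowerShell; assumes the events are in the
# Application log):
#   Get-EventLog -LogName Application | Select-MailboxLogonEvent
```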