Is there a way to audit who disables an Exchange 2007 SP2 mailbox?
I know that with Exchange 2007 SP2 we can now audit mailbox access but is there a way to audit who actually disables the mailbox?
November 29th, 2010 3:48pm
Not that I am aware of.
November 29th, 2010 4:43pm
Hi Adam
Some Useful links about auditing
http://blogs.technet.com/b/mikelag/archive/2010/06/23/audit-exchange-2007-sp2-auditing.aspx
Regards,
Niroshan Ezra Paulsingh
My Blog | http://exchange2010info.wordpress.com/
November 30th, 2010 4:22am
Well, if you really have to, then you can look for two events on the mailbox server that hosted the user mailbox.
1. Application Log
Event Type: Information
Event Source: MSExchangeIS Mailbox Store
Event Category: General
Event ID: 9533
Date: 11/30/2010
Time: 2:21:27 PM
User: N/A
Computer: mbserver1
Description:
The user account for 'user@domain.org' does not exist in the directory or is not enabled for Exchange mail. This mailbox will be removed from mailbox store 'SG2/mbserver1-sg2-mbdb1' in 30 days
2. Security Log (Notice the time and go to the same time in the Security log and you will find something like the below)
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 11/30/2010
Time: 2:21:27 PM
User: domainname\admin-user
Computer: mbserver1
Description:
Special privileges assigned to new logon:
User Name: admin-user
Domain: domainname
Logon ID: (0x1,0x36EF3D92)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
MCSE | MCITP - Server 2008 | MCITP - Exchange 2007 | MCTS - Exchange 2010
November 30th, 2010 9:21am
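The time correlation described in the last reply, as an added example that is not part of the original thread: it parses Application and Security log entries exported as text in the layout shown above and, for each event 9533, lists every account with an event 576 inside a short window. The sample entries are constructed, and the function names and the 5-second window are assumptions; more than one account can fall inside the window, so all candidates are returned.

```python
import re
from datetime import datetime, timedelta

# Constructed sample exports in the text layout the post shows (not real log data).
APP_LOG = """\
Event ID: 9533
Date: 11/30/2010
Time: 2:21:27 PM
User: N/A
Description:
The user account for 'user@domain.org' does not exist in the directory or is not enabled for Exchange mail.
"""
SEC_LOG = """\
Event ID: 576
Date: 11/30/2010
Time: 2:21:27 PM
User: domainname\\admin-user

Event ID: 576
Date: 11/30/2010
Time: 9:05:10 AM
User: domainname\\backup-svc
"""

def parse_events(text):
    """Split an export on 'Event ID:' lines; return dicts with id, time, user, description."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text):
        fields = dict(re.findall(r"(?m)^(Event ID|Date|Time|User):[ \t]*(.+?)[ \t]*$", chunk))
        if not {"Event ID", "Date", "Time"} <= fields.keys():
            continue  # empty or incomplete record
        when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
        desc = chunk.partition("Description:")[2].strip()
        events.append({"id": int(fields["Event ID"]), "time": when,
                       "user": fields.get("User", "N/A"), "description": desc})
    return events

def correlate(app_text, sec_text, window_seconds=5):
    """For each 9533, return (mailbox, time, accounts with a 576 within +/- window_seconds)."""
    window = timedelta(seconds=window_seconds)
    logons = [e for e in parse_events(sec_text) if e["id"] == 576]
    results = []
    for ev in (e for e in parse_events(app_text) if e["id"] == 9533):
        m = re.search(r"'([^']+)'", ev["description"])  # mailbox address is quoted in the text
        users = sorted({l["user"] for l in logons if abs(l["time"] - ev["time"]) <= window})
        results.append((m.group(1) if m else None, ev["time"], users))
    return results
```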