I know that with Exchange 2007 SP2 we can now audit mailbox access but is there a way to audit who actually disables the mailbox?

Not that I am aware of.

Hi Adam Some Useful links about auditing http://blogs.technet.com/b/mikelag/archive/2010/06/23/audit-exchange-2007-sp2-auditing.aspx Regards Niroshan Ezra Paulsingh My Blog | http://exchange2010info.wordpress.com/

well if you really have to then you can look for two events on the mailbox server that hosted the user mailbox. 1. Application Log Event Type: Information Event Source: MSExchangeIS Mailbox Store Event Category: General Event ID: 9533 Date: 11/30/2010 Time: 2:21:27 PM User: N/A Computer: mbserver1 Description: The user account for 'user@domain.org' does not exist in the directory or is not enabled for Exchange mail. This mailbox will be removed from mailbox store 'SG2/mbserver1-sg2-mbdb1' in 30 days 2. Security Log (Notice the time and go to the same time in security log and you will find something like below) Event Type: Success Audit Event Source: Security Event Category: Privilege Use Event ID: 576 Date: 11/30/2010 Time: 2:21:27 PM User: domainname\admin-user Computer: mbserver1 Description: Special privileges assigned to new logon: User Name: admin-user Domain: domainname Logon ID: (0x1,0x36EF3D92) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilegeMCSE | MCITP - Server 2008 | MCITP - Exchange 2007 | MCTS - Exchange 2010