We have Exchange 2003 From shared mailboxes (resource) users (set of users has send as access on the resource mailbox) are sending mails. We need to know which user / IP sent the mail using the FMSAH

Hi Shaik, I think in 2003 you will not be able to track much on shared mailbox. Auditing feature(if enabled) is there but on 2003 you can only track access to the mailbox. You can generate diag log based on Access of shared mailbox but it will generate more log files which are practically difficult to manage. this link explain about it. http://www.msexchange.org/tutorials/Importance-Auditing-Exchange-2003-Servers.html Do not forget to read Note Be careful when you specify type of logging level, as medium and especially maximum logging can put quite a performance load on your Exchange server(s). For most environments minimum logging should be sufficient, unless youre troubleshooting a specific issue. You may try to find IP based on email headers but for all email it looks difficult. San

hi, You can up the log level then see the event log. Please follow these steps: open ESM->first administrative group->servers->your exchange 03 server->right click and open its properties->choose the diagnostics logging->find MsExchangeIS->expand it and choose mailbox->choose general send as and send on behalf of, up their logging level to maximum. Then if you user A send as user B, you will see this in the event log: /o=first organization/ou=first administrative group/cn=recipients/cn=user A sent a message as /o=first organization/ou=first administrative group/cn=recipients/cn=user B. So you find the original sender is user A. hope can help you thanks,CastinLu TechNet Community Support

hi, You can up the log level then see the event log. Please follow these steps: open ESM->first administrative group->servers->your exchange 03 server->right click and open its properties->choose the diagnostics logging->find MsExchangeIS->expand it and choose mailbox->choose general send as and send on behalf of, up their logging level to maximum. Then if you user A send as user B, you will see this in the event log: /o=first organization/ou=first administrative group/cn=recipients/cn=user A sent a message as /o=first organization/ou=first administrative group/cn=recipients/cn=user B. So you find the original sender is user A. hope can help you thanks,CastinLu TechNet Community Support