Exchange 2003 - How to find out if someone has been access my account ?

Snow-Munki · 19 Oct 2010 at 16:52

Hi,

I have a feeling that one of the other domain admins have been going into my Exchange account.

Referring to articles like this :

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22747857.html

It looks like there is no way to find out if this is the case as the person in question can easily just say they were checking my calendar. Is it possible to find out ??

Seems to be a huge flaw in exchange otherwise !!

Thanks,

DRZ · 19 Oct 2010 at 18:22

If you have the event logging cranked up high enough it does show you who has accessed what accounts, but not in any granular detail. Don't think you're in any position to do anything.

matthab · 19 Oct 2010 at 22:04

More of a protective measure, I would stop other users gaining access to your account with permissions. A funky little tool and guide I used at my last place:

http://telnetport25.wordpress.com/2...3-change-mailbox-folders-permissions-in-bulk/

HungryHippos · 19 Oct 2010 at 23:32

matthab said:
More of a protective measure, I would stop other users gaining access to your account with permissions. A funky little tool and guide I used at my last place:

http://telnetport25.wordpress.com/2...3-change-mailbox-folders-permissions-in-bulk/

Irrelevant, if you have Full Mailbox Access enabled in AD you will be able to get into another users mailbox without them realising it regardless of what folder level permissions you have.

Also to set calendar permissions I found using PFDavAdmin worked pretty good as you can script in a command line to set permissions on calendars.

In Exchange 2010 you can use powershell and use the Set-FolderPermission cmdlet to set permissions on the calendar, but we've had to set calendar permissions in Exchange 2007 a few times for customers and PFDavAdmin has always done the trick without the need to install/register dll's on a production exchange environment.

This isn't really what the OP asked anyway, they wanted to know how to find out if someone else is accessing the mailbox, and I would say with great difficulty.

With this knowledge, I ensure my work email is pretty much just based on work, some typical work spam etc, but I don't have anything to hide in my mailbox that would benefit anyone who came along and was able to access it.

I would say that to access your mailbox they would need to have full mailbox access over your account, which is an AD permission change. Domain Admins probably shouldn't have full mailbox access by default so chances are to get this to work they'd need to add themselves as an individual to your mailbox access control list. You could theoretically setup a scheduled task to dump the ACL's from your AD object periodically and see if it gets changed at all, especially if you think it's occuring frequently.

Snow-Munki · 20 Oct 2010 at 08:55

Hi,

not to say too much but I want to be able to audit when the said person goes into my mailbox so I have proof.

So it isn't possible ? Not bothered if it is overly complicated / additional software required,

Thanks,

edscdk · 20 Oct 2010 at 09:06

why should you care? you should NEVER EVER send anything on an email that you would not happily print out and show everyone in the company and a solicitor / court....

that said you can turn loggin on so it tells you when someone logs into an account and they are not the primary owner.. (however I dont know what bit of logging).. - our system logs email box access'd but other than primary owner... It may even be a default settings...

however a really smart admin will have key logged / guessed your password / used a back up and restore to access the email

Snow-Munki · 20 Oct 2010 at 09:40

I see what you mean but this person in question may have also been going into HR and the MD's mailbox's also ...

... we would like to catch him out on this ....

Ev0 · 20 Oct 2010 at 12:07

edscdk said:
why should you care? you should NEVER EVER send anything on an email that you would not happily print out and show everyone in the company and a solicitor / court....

Showing the company and having something used in court are slightly different.

There are plenty of things that you wouldn't want everyone in the company knowing, HR information etc.

Deathwish · 20 Oct 2010 at 12:28

Periodically dump out the last user logged on? Although this is vague as it would list even a cal lookup by that user.

HungryHippos · 20 Oct 2010 at 16:50

Some stuff about turning up the logging here and checking the events:

http://www.msexchange.org/tutorials...ess-Exchange-System-Manager-Event-Viewer.html

Maybe it will help?

s0ck · 21 Oct 2010 at 13:29

Eulogy said:
I would say that to access your mailbox they would need to have full mailbox access over your account, which is an AD permission change. Domain Admins probably shouldn't have full mailbox access by default so chances are to get this to work they'd need to add themselves as an individual to your mailbox access control list. You could theoretically setup a scheduled task to dump the ACL's from your AD object periodically and see if it gets changed at all, especially if you think it's occuring frequently.

that could work if said person is not supposed to have the rights in the first place but they may be members of the mail operators group or similar.