Hello. I suspect that my SysAdmin is abusing his authority and reading the emails of senior management. Is there a way that I can verify my suspicions without being detected by the SysAdmin? It is unfortunate but necessary that I investigate this matter. Regards, John

If he is clever, he will see that you have enabled the logging necessary to do this, but I suspect if he is dumb enough (and bored enough) to be going through your executive's e-mail then he is probably not the sharpest tool in the shed. You need to enable Logons diagnostics logging for the MSExchangeIS Mailbox category (on the properties of the server). Set it to Minimum. Then, you need to look for events that indicate that UserX is reading UserY's mail and is not the primary account on that mailbox. The Source is MSExchangeIS Mailbox, the Category is Logons, and the Event ID is 1016. The event looks something like this: Event Type:Success AuditEvent Source:MSExchangeIS Mailbox StoreEvent Category:Logons Event ID:1016Date:8/1/2007Time:12:20:02 PMUser:N/AComputer:SERVER01Description:Windows 2000 User Domain\Jim logged on to snuffy@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox. There are other reasons why you might see this, though. For example, an Exec gives his/her assistant permissions to open their calendar or Inbox. Or, a mailbox-by-mailbox backup (aka brick backup) can generate these. If you do see your admin opening these mailboxes, though, he certainly has some explaining to do. One place that I know that this happened they actually decided to frame the guy. The put information in a couple of the mailboxes that he was reading that they knew he would tell someone else about. When he mentioned it to someone else, they fired him on the spot. Be ready to change all of your admin accounts' passwords and escort him out of the building, though.

I have the same situation but just with Calendars. Still not ethical. I want to be 110% correct (actually I hope I am wrong). What I am trying to prove\disprove is if a admin used is administrative access privledges to view calendars without the knowledge or consent of the owners. I have checked delegate assignments and he has not been granted rights to these calendars. I dont have the actual event log entry but I have the exported CSV version listed below. We are running Exchange 2007 SP3. I have changed user names and tried to sanitize to protect the innocent. The admin claims he is innocent and is not abusing his admin privedges. Tried to track down what the event 10100 & 10102 means but cannot get any detail. He also is questioning the logs themselves which were done by our internal compliance team. I really dont want to escalate this becuase if it does it can result in termination. We just want to warn him. Can you advise me. 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Acces s Auditing 10100 N/A SERVERXXXX The folder /Calendar in Mailbox ''User Name'' was opened by user BFLHQ\adminID 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9131E@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <73284C20E0FFA04CB101A78D070D595115573271D2@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91299@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129B@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91368@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91375@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91376@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91379@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID 1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9137A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID

Judging by those timestamps, if he's perusing their calendars he's got their mailboxes added to his Outlook profile. Either that or he's running a script that's opening them (which may mean he's not actually reading anything out of them) Nobody can manually open that many mailboxes that fast.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

On Sat, 22 Jan 2011 21:05:57 +0000, mjolinor wrote: > > >Judging by those timestamps, if he's perusing their calendars he's got their mailboxes added to his Outlook profile. Either that or he's running a script that's opening them (which may mean he's not actually reading anything out of them) Nobody can manually open that many mailboxes that fast. Which may mean that there's some brick-level backup, AV software, or other software that examines mailboxes that's running with his credentials. Pretty dumb move, but it happens. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Pretty dumb move, but it happens. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP Agreed. I think it's more likely a misuse of credentials than an abuse of authority.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

What would stop you from simply looking at the permissions on the mailboxes in question? I thought that by default, only the user in question (SELF) has access to the MBX. So why not just look in the GUI or run the Get-Permissions cmdlet and see who else has been added? Anything other than the fact that the admin could change permissions back to what they were once he is done reading?

On Sun, 23 Jan 2011 00:13:33 +0000, Le Pivert wrote: > > >What would stop you from simply looking at the permissions on the mailboxes in question? > >I thought that by default, only the user in question (SELF) has access to the MBX. > >So why not just look in the GUI or run the Get-Permissions cmdlet and see who else has been added? There can be all manner of inherited permissions that aren't "mailbox" permissions. Things such as "Receive As", for example, that are inherited from the AD object. Or he could be a member of a group with permission to do "stuff". >Anything other than the fact that the admin could change permissions back to what they were once he is done reading? If he wants to exonerate himself, tell him to change his password to something not easiy guessable that's nice and secure. If he has to change the password on any services . . . --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

If he has to change the password on any services . . . --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP or scheduled tasks.......[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

Hello, Also, don't forget he may also have a user's mail being copied to himself or to another mailbox. Sound like the BOFH is back. Miguel Miguel Fra / Falcon IT Services Computer & Network Support, Miami, FL Visit our Knowledgebase and Support Sharepoint Site

Hello, Also, don't forget he may also have a user's mail being copied to himself or to another mailbox. Sound like the BOFH is back. Miguel Miguel Fra / Falcon IT Services Computer & Network Support, Miami, FL Visit our Knowledgebase and Support Sharepoint Site If he's doing that, it would be easy to find in the message tracking logs.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

Should be able to run this: http://gallery.technet.microsoft.com/scriptcenter/0e43993a-895a-4afe-a2b2-045a5146048a against the Exchange servers an see if his account shows up with a service or batch logon type.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

I am trying to not say to much as this person is a member of the management team so chances are there is no enterprise level scripting or backup runing with his credentials unless it is local to his machine. THe timestamps correspond with entries we compared against our vpn logs so there could be something running on he\she's PC. Having it attached to his profile might be the most likely. Some other interesting facts. The entries are only for a single person on he\she's team. Since having his exchange admin rights taken away there have been no entries at all. Is thee a way to prove he had this calendar attached to he\she's profile.

You would have stoppped seeing the access events as soon as you revoked his permissons. Are you doing any kind of auditing to see if there's still access requests being made?[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

Yes. All auditing has not changed. We just took he\she out of exchange admin group.