LastLoggedOnUserAccount
Hello, I use Exchange 2007 and I see that on my boss's account the LastLoggedOnUserAccount displays a user in my company who has neither the full access right nor GrantSendOnBehalfTo on my boss's account. I wonder how come a user who does not have rights could even appear in that field and if that user has been able to see my boss's emails? Many thanks if you could help me with that. Graig
July 28th, 2011 10:57am

The access doesn't have to be a user with full access permissions, it can be anyone who's been delegated any kind of access to any folder in the mailbox. For example, if his secretary is a Review delegate on his calendar, when she goes to his mailbox to look at the calendar, that involves a logon to the mailbox.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
July 28th, 2011 11:19am

Oufff, thanks Mjolinor (long time no talk :-)). Would you know any way to check who may have access to my boss's account? Any logs I could check? Many thanks in advance and thanks for the clarification! Graig
July 28th, 2011 1:16pm

In 2007, you can use get-mailboxpermission to see who has been granted access administratively (either from the EMC, or with add-mailboxpermission). Exchange 2010 added the get-mailboxfolderpermission cmdlet that will show you the folder delegates, but I don't think that was ever an option in 2007. You can use the Exchange Web Services managed API http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13480 and a Powershell script to get the delegates, but other than going into his mailbox and checking all the folders, I don't know another way.
Here's a script I've used to get the delegates on a mailbox. You'll need to download and install the EWS API, and modify the script by putting in the email address of the mailbox you want to check, and the FQDN of one of your CAS servers. You'll need full access permission to the mailbox for the script to work.
    # Mailbox whose delegates you want to list
    $MailboxName = "user@domain"
    # Load the EWS managed API assembly
    $dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\1.1\Microsoft.Exchange.WebServices.dll"
    [void][Reflection.Assembly]::LoadFile($dllpath)
    $fcPropset = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
    $service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
    # Point the service at the EWS endpoint on one of your CAS servers
    $uri = [system.URI] "https://<CAS server FQDN>/ews/exchange.asmx"
    $service.Url = $uri
    # Retrieve the delegates, including their folder permissions
    $del = $service.getdelegates($mailboxname,$true)
    $del.DelegateUserResponses
July 28th, 2011 1:38pm

Thanks, I will try that out. Though, I could not find the path: C:\Program Files\Microsoft\Exchange\Web Services\1.1\Microsoft.Exchange.WebServices.dll. I haven't installed the Exchange Web Services managed API yet, maybe that is the reason why the path doesn't appear. By the way, I see that on the full access right I have users such as: S-1-5-31-1529805484-2403817672-2485993314-2593. What do these numbers mean? Thanks again for your help!
July 28th, 2011 2:33pm

That's an orphan permission. It means at some point an account or group was given permission to the mailbox, and then the account or group was removed from the domain without removing the permission entry from the mailbox. The string you see there was the SID of the account or group. It's displaying that because it can't resolve that SID to a name any more.
July 28th, 2011 2:39pm
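
Added example, not part of the original thread: a PowerShell sketch of the check described in the post above, which tries to resolve each permission entry's SID and flags the ones that no longer map to an account or group. The function name `Resolve-Trustee` and the sample entries are constructed for illustration; in the Exchange shell the strings would come from the User column of get-mailboxpermission.

```powershell
# Added example, not from the thread. Classifies the "User" value of mailbox
# permission entries as a resolved name, a resolvable SID, or an orphaned SID.
# Resolve-Trustee is a hypothetical helper name, not an Exchange cmdlet.
function Resolve-Trustee {
    param([string]$Trustee)

    # Default: the entry is already a name, nothing to resolve.
    $status = 'Name'
    $resolved = $Trustee

    # Only strings shaped like a SID (S-1-<authority>-<sub>...) need a lookup.
    if ($Trustee -match '^S-1-\d+(-\d+)+$') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Trustee)
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'ResolvableSid'
        }
        catch {
            # PowerShell may wrap the .NET exception; unwrap to the innermost one.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            $resolved = $null
            if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
                # No account or group carries this SID any more: an orphaned entry.
                $status = 'OrphanedSid'
            } else {
                # Any other error: do not call it orphaned without looking further.
                $status = 'LookupFailed'
            }
        }
    }
    New-Object PSObject -Property @{ Trustee = $Trustee; Status = $status; ResolvedTo = $resolved }
}

# Constructed sample input: a made-up account name, a well-known SID,
# and the SID string quoted in this thread.
$entries = @(
    'CONTOSO\secretary',
    'S-1-5-18',
    'S-1-5-31-1529805484-2403817672-2485993314-2593'
)

$entries | ForEach-Object { Resolve-Trustee $_ } |
    Select-Object Trustee, Status, ResolvedTo |
    Format-Table -AutoSize
```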

When running the script I got that error:
    Exception calling "GetDelegates" with "3" argument(s): "The request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS s
    At C:\CHECK.ps1:12 char:29
    + $del = $service.getdelegates( <<<< $mailboxname,$true)
--> Would that script help me to know who has connected to my boss's account?? In fact he suspects that someone maybe used his credentials to connect to the account. He would like me to find all connections made to his mailbox. Is it possible to check a date and time log for the past month? Graig
July 29th, 2011 5:29am

That script won't help determine who's been accessing the mailbox. Your best option (assuming you have SP2) would be Mailbox Access Auditing: http://technet.microsoft.com/en-us/library/ee221156(EXCHG.80).aspx
Not sure what's going on with the error. I don't have any Exchange 2007 servers left to test on, so I may not be much help debugging. Check the mailbox to make sure it's enabled for EWS. You can test it on your own mailbox first to see if it might be a permission issue.
July 29th, 2011 6:55am

This topic is archived. No further replies will be accepted.
