Many log entries are generated on an Exchange Server 2007 computer when you enable the Exchange log to audit user logons that do not use the primary account for their mailbox

Article ID: 968310

SYMPTOMS

In Microsoft Exchange Server 2007, log entries are generated when you enable the Exchange log to audit user logons that do not use the primary account for their mailbox. For example, the events that are generated in this scenario resemble the following:
Event ID            1016
Event Source     MSExchangeIS Mailbox Store
Event Type        Success Audit
Event Category  Logons
Description        Windows 2000 User <domain\user> logged on to <mailbox address> mailbox, and is not the primary Windows 2000 account on this mailbox.
Many log entries are generated in this scenario because all varieties of logons are audited. There is currently no way to audit logons only from actual users and not from system access events.

Note: You can run the set-eventloglevel command in the Exchange Management Shell to enable logging of user logons. The command resembles the following, where the -level parameter takes one of the listed values:
set-eventloglevel -identity "MSExchange IS\9000 Private\Logons" -level low/medium/high/expert

RESOLUTION

To resolve this problem, install Update Rollup 8 for Exchange 2007 Service Pack 1. For more information about Update Rollup 8 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 8 for Exchange Server 2007 Service Pack 1
For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007

MORE INFORMATION

After you install this hotfix rollup, Exchange 2007 server will audit only successful instances of access to a user's folder in a mailbox. The auditing event details will resemble the following:
Event ID	10100
Event Source	MSExchangeIS Auditing
Description	The folder <folder name> in Mailbox '<mailbox name>' was opened by user <domain\user>
Display Name: <folder name>
Accessing User: <legacyExchangeDN of the mailbox user>
Mailbox: <legacyExchangeDN of the mailbox user>
Administrative Rights: xx
Client Information (if Available):
Machine Name: <machine>
Process Name: xx
Process Id: xx
Application Id: xx
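
The following PowerShell example is added here and is not part of the original article or Microsoft's code. It parses event 10100 descriptions in the layout shown above and reports those whose Accessing User value differs from the Mailbox value. The sample descriptions, names and DNs are constructed, the function name is hypothetical, and it assumes PowerShell 2.0 or later with the description text already exported from the event log.

```powershell
# Constructed event 10100 descriptions in the layout shown above (names and DNs are invented).
$sampleMessages = @(
@'
The folder Inbox in Mailbox 'Alice Example' was opened by user CONTOSO\alice
Display Name: Inbox
Accessing User: /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice
Mailbox: /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice
Administrative Rights: xx
Client Information (if Available):
Machine Name: WKS-01
'@,
@'
The folder Inbox in Mailbox 'Alice Example' was opened by user CONTOSO\bob
Display Name: Inbox
Accessing User: /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=bob
Mailbox: /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice
Administrative Rights: xx
Client Information (if Available):
Machine Name: WKS-07
'@
)

function ConvertFrom-FolderAccessEvent {
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Split on the first colon only; values may contain further colons.
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $openedBy = $null
    if ($Message -match 'was opened by user (\S+)') { $openedBy = $Matches[1] }
    # Assumption: both values are legacyExchangeDN strings, so a mismatch means non-owner access.
    # A record missing either field is also flagged so that it is reviewed rather than dropped.
    $complete = $fields.ContainsKey('Accessing User') -and $fields.ContainsKey('Mailbox')
    New-Object PSObject -Property @{
        Folder        = $fields['Display Name']
        OpenedBy      = $openedBy
        AccessingUser = $fields['Accessing User']
        Mailbox       = $fields['Mailbox']
        Machine       = $fields['Machine Name']
        NonOwner      = (-not $complete) -or ($fields['Accessing User'] -ne $fields['Mailbox'])
    }
}

$sampleMessages |
    ForEach-Object { ConvertFrom-FolderAccessEvent -Message $_ } |
    Where-Object { $_.NonOwner } |
    Select-Object Mailbox, AccessingUser, OpenedBy, Folder, Machine
```

The string comparison uses PowerShell's default case-insensitive `-ne`, so DNs that differ only in letter case are treated as the same account.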

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 968310 - Last Review: May 19, 2009 - Revision: 1.1
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1, when used with:
    • Microsoft Exchange Server 2007 Standard Edition
    • Microsoft Exchange Server 2007 Enterprise Edition