How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server

INTRODUCTION

Your organization may want to monitor mailbox access for security purposes. In Exchange, you can do this by auditing or by viewing Mailbox Resources in the Exchange Administrator program or in Exchange System Manager. This article describes some of the limitations that pertain to this kind of monitoring.

More Information

The following event may be logged in the application event log. This event indicates that an account accessed a Microsoft Exchange Server 5.5 mailbox, but that it is not the primary account for that mailbox.In Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003, you may see the following event:This event may be logged in circumstances where no security breach has occurred. For example, this event may be logged when a service or an add-in has to use an account that has access to all mailboxes. Examples of accounts that have access to all mailboxes are service accounts or administrator accounts. Examples of services or add-ins that have to use these kinds of accounts include antivirus software, backup agents, or Microsoft Exchange Mailbox Manager.

Exchange Server 5.5 records event 1016 in the application event log regardless of how you set the diagnostic logging level in the Microsoft Exchange Information Store service (Store.exe). Exchange 2000 and Exchange 2003 only log event 1016 in the application event log when the diagnostic logging level is set to at least Minimum in the Logons category of the Microsoft Exchange Information Store service.

This event is also logged when you try to access another user's mailbox or calendar, even if you have permission to access the mailbox or the calendar. This event is logged regardless of whether your attempt to access the user's mailbox or calendar is successful or unsuccessful. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

301328 A 1016 event entry appears in the application event log after you upgrade to Outlook 2002

In Mailbox Resources, this information is updated in the following situations:
  • When an account logs on to a mailbox successfully. For example, if Jane Doe has the required permissions and logs on to John Doe's mailbox, the Mailbox Resources tab will show that the account (Jane Doe) is logged on to the Exchange Mailbox (John Doe) at the time that the user logged on.
  • When a user tries to access another user’s mailbox folders, such as the Inbox, Calendar, Contacts, Journal, Tasks, or Notes folders. For example, Jane Doe logs on to her own mailbox and then tries to gain access to John Doe's calendar. She receives a message that states that she does not have permissions. However, the Mailbox Resources tab shows that the account (Jane Doe) is logged on to the Exchange Mailbox (John Doe) at the time that the user logged on.
  • When an account logs on to a mailbox, Mailbox Resources is updated to show that the Exchange Service Account has logged on to the System Attendant mailbox.

    Note The Exchange Service Account is the account that is used to start the Microsoft Exchange System Attendant service.
Although you can use Mailbox Resources to see when someone logs on to their mailbox or to another mailbox, Mailbox Resources has some important limitations that you must know about. Following are these limitations:
  • Mailbox Resources does not show which folder is being logged on to. For example, Mailbox Resources does not indicate whether it is the Inbox, the Calendar, or the Contacts folder.
  • Mailbox Resources does not show whether the logon was successful or unsuccessful.
For more information about mailbox access, click the following article number to view the article in the Microsoft Knowledge Base:

274317 How to view Windows NT accounts that access mailboxes in Exchange Server

Properties

Article ID: 867640 - Last Review: Oct 25, 2007 - Revision: 1

Feedback