The User account is not logged in Event ID 566 after the user makes changes to a mailbox

Symptoms

In Microsoft Exchange Server 2007, you enable "auditing" to audit changes made to Mailbox Security Descriptor. After you do this, Event ID 566 in the Security log for such modifications include only the computer account and excludes the administrator account. When you check the event ID 566 in the Security log on a Domain Controller, you see an event that resembles the following:
Event Type:Success Audit Event Source:Security Event Category:Directory Service Access Event ID:566 User: <domain name> \ <machine account of the mailbox server> 
Computer: <DC server name>
Description: Object Operation: Object Server:DS Operation Type:Object Access Object Type:user Object Name: <CN of the mailbox>
Handle ID:- Primary User Name: <DC server name>
Primary Domain: <domain name>
Primary Logon ID:(0x0,0x3E7) Client User Name: <machine account of the mailbox server>
Client Domain: <domain name>
Client Logon ID:(0x0,0xA63006) Accesses:Write Property Properties: Write Property Exchange Information msExchMailboxSecurityDescriptor user Additional Info: Additional Info2: Access Mask:0x20 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Cause

In Exchange Server 2007, the Store.exe process executes any changes a user makes to the mailbox permissions. Additionally, the Store.exe process runs under the computer account. Therefore, the computer account and not an administrator account, records the auditing.

Resolution

To resolve this problem, install the following update rollup:
971534 Description of Update Rollup 1 for Exchange Server 2007 Service Pack 2


Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you apply this update, you must set a registry entry to record the specific administrator account. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Diagnostics\9000 Private
  3. On the Edit menu, point to
    New, and then click DWORD Value.
  4. Type 9078 Administrative Actions to name this new entry, and then press ENTER.
  5. Right-click 9078 Administrative Actions, and then click Modify.
  6. Under Base, click
    Decimal.
  7. In the Value data box, type 1, and then click OK.
  8. After you configure this registry entry, restart the computer.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 967174 - Last Review: Nov 19, 2009 - Revision: 1

Feedback