Your organization may want to monitor mailbox access for security purposes. In Exchange, you can do this by auditing or by viewing Mailbox Resources in the Exchange Administrator program or in Exchange System Manager. This article describes some of the limitations that pertain to this kind of monitoring.
The following event may be logged in the application event log. This event indicates that an account accessed a Microsoft Exchange Server 5.5 mailbox, but that it is not the primary account for that mailbox.
Event ID: 1016
Source: MSExchangeIS Private
Audit Category: Logons
NT User DOMAIN\username logged on to John Doe mailbox, and is not the primary Windows NT account on this mailbox.
In Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003, you may see the following event:
Event ID: 1016
Event Source: MSExchangeIS Mailbox Store
Event Type: Success Audit
Event Category: Logons
Description:Windows 2000 User NT AUTHORITY\SYSTEM logged on to firstname.lastname@example.org mailbox,and is not the primary Windows 2000 account on this mailbox.
This event may be logged in circumstances where no security breach has occurred. For example, this event may be logged when a service or an add-in has to use an account that has access to all mailboxes. Examples of accounts that have access to all mailboxes are service accounts or administrator accounts. Examples of services or add-ins that have to use these kinds of accounts include antivirus software, backup agents, or Microsoft Exchange Mailbox Manager.
Exchange Server 5.5 records event 1016 in the application event log regardless of how you set the diagnostic logging level in the Microsoft Exchange Information Store service (Store.exe).Exchange 2000 and Exchange 2003 only log event 1016 in the application event log when the diagnostic logging level is set to at least Minimum
in the Logons category of the Microsoft Exchange Information Store service.
This event is also logged when you try to access another user's mailbox or calendar, even if you have permission to access the mailbox or the calendar. This event is logged regardless of whether your attempt to access the user's mailbox or calendar is successful or unsuccessful. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
A 1016 event entry appears in the application event log after you upgrade to Outlook 2002
In Mailbox Resources, this information is updated in the following situations:
- When an account logs on to a mailbox successfully. For example, if Jane Doe has the required permissions and logs on to John Doe's mailbox, the Mailbox Resources tab will show that the account (Jane Doe) is logged on to the Exchange Mailbox (John Doe) at the time that the user logged on.
- When a user tries to access another user’s mailbox folders, such as the Inbox, Calendar, Contacts, Journal, Tasks, or Notes folders. For example, Jane Doe logs on to her own mailbox and then tries to gain access to John Doe's calendar. She receives a message that states that she does not have permissions. However, the Mailbox Resources tab shows that the account (Jane Doe) is logged on to the Exchange Mailbox (John Doe) at the time that the user logged on.
- When an account logs on to a mailbox, Mailbox Resources is updated to show that the Exchange Service Account has logged on to the System Attendant mailbox.
Note The Exchange Service Account is the account that is used to start the Microsoft Exchange System Attendant service.
Although you can use Mailbox Resources to see when someone logs on to their mailbox or to another mailbox, Mailbox Resources has some important limitations that you must know about. Following are these limitations:
- Mailbox Resources does not show which folder is being logged on to. For example, Mailbox Resources does not indicate whether it is the Inbox, the Calendar, or the Contacts folder.
- Mailbox Resources does not show whether the logon was successful or unsuccessful.
For more information about mailbox access, click the following article number to view the article in the Microsoft Knowledge Base:
How to view Windows NT accounts that access mailboxes in Exchange Server