In Microsoft Exchange Server 2007, you enable "auditing" to audit changes made to Mailbox Security Descriptor. After you do this, Event ID 566 in the Security log for such modifications include only the computer account and excludes the administrator account. When you check the event ID 566 in the Security log on a Domain Controller, you see an event that resembles the following:
Event Type: Success AuditEvent Source: SecurityEvent Category: Directory Service Access Event ID: 566User: <domain name>\<machine account of the mailbox server>Computer: <DC server name>Description:Object Operation: Object Server: DS Operation Type: Object Access Object Type: user Object Name: <CN of the mailbox> Handle ID: - Primary User Name: <DC server name> Primary Domain: <domain name> Primary Logon ID: (0x0,0x3E7) Client User Name: <machine account of the mailbox server> Client Domain: <domain name> Client Logon ID: (0x0,0xA63006) Accesses: Write Property Properties: Write Property Exchange Information msExchMailboxSecurityDescriptor user Additional Info: Additional Info2: Access Mask: 0x20For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
In Exchange Server 2007, the Store.exe process executes any changes a user makes to the mailbox permissions. Additionally, the Store.exe process runs under the computer account. Therefore, the computer account and not an administrator account, records the auditing.
To resolve this problem, install the following update rollup:
971534 Description of Update Rollup 1 for Exchange Server 2007 Service Pack 2
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you apply this update, you must set a registry entry to record the specific administrator account. To do this, follow these steps:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey: