Troubleshooter: Tracking Down Mailbox Snoops

I suspect—but can't prove—that someone with administrator privileges on our Exchange Server 5.5 machine is abusing the privilege by reading others' mailboxes. Can I track this access on individual mailboxes and find out exactly who's reading them (or at least narrow it down)?

Exchange 5.5 logs event ID 1016 every time a user attempts to open another user's mailbox by logging on with an account that's not the mailbox's primary account. Legitimate, everyday accesses (e.g., when my wife opens my calendar) generate the event too, as do some antivirus products when they log on to scan a mailbox, so filtering out the entries you're not interested in is difficult. Exchange generates event ID 1016 whether or not you've turned on diagnostic logging, but if you're trying to catch someone in flagrante delicto, you can increase the level of diagnostic logging for the Logons and Access Control category of the MSExchangeIS—Private service. Watch for event ID 1013, which signifies that a client has logged on to its primary mailbox, then successfully opened another user's mailbox. (The Microsoft article "XADM: How to View Windows NT Accounts That Access Mailboxes in Exchange Server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q274317 provides details about the process.)
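One way to cut through the noise described above, as an added example that is not part of the original column: it drops known scanner accounts and known delegates, then ranks the remaining accounts by how many different mailboxes they opened. It assumes the 1016 and 1013 events have already been exported from the Application log and reduced to a CSV with hypothetical columns (time, event_id, account, mailbox); the allow-lists and every sample row are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: Application-log events already reduced to four columns.
# Column names and every account/mailbox value are hypothetical.
SAMPLE_CSV = r"""time,event_id,account,mailbox
2003-03-03 08:01,1016,CORP\svc-antivirus,alice
2003-03-03 08:01,1016,CORP\svc-antivirus,bob
2003-03-03 09:15,1016,CORP\carol,alice
2003-03-03 22:40,1016,CORP\ExAdmin1,alice
2003-03-03 22:43,1013,corp\exadmin1,bob
2003-03-03 22:47,1016,CORP\ExAdmin1,dave
2003-03-04 07:30,1009,CORP\bob,bob
"""

WATCHED_IDS = {"1016", "1013"}              # event IDs named in the article
ALLOWED_ACCOUNTS = {r"corp\svc-antivirus"}  # known scanners (assumed list)
ALLOWED_PAIRS = {(r"corp\carol", "alice")}  # known delegates (assumed list)


def unexplained_access(csv_text, allowed_accounts=ALLOWED_ACCOUNTS,
                       allowed_pairs=ALLOWED_PAIRS):
    """Map each account to the mailboxes it opened without a known reason."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"].strip() not in WATCHED_IDS:
            continue  # unrelated event, ignore
        # Windows account names are case-insensitive, so normalise first.
        account = row["account"].strip().lower()
        mailbox = row["mailbox"].strip().lower()
        if account in allowed_accounts or (account, mailbox) in allowed_pairs:
            continue
        hits[account].add(mailbox)
    return {acct: sorted(boxes) for acct, boxes in hits.items()}


def rank_accounts(hits, min_mailboxes=2):
    """Accounts touching at least min_mailboxes mailboxes, widest first."""
    wide = [(a, b) for a, b in hits.items() if len(b) >= min_mailboxes]
    return sorted(wide, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for account, boxes in rank_accounts(unexplained_access(SAMPLE_CSV)):
        print(f"{account}: {len(boxes)} mailboxes -> {', '.join(boxes)}")
```

An account that is not a scanner or delegate yet appears against many mailboxes is the one to examine first; a single unexplained pair still deserves a look if you lower `min_mailboxes` to 1.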
