Question : Event ID 1029 - Is this a sign of intrusion?

Hi Experts,

I would like to know what is the meaning of event ID:1029 for MS Exchange 2003. Apparently it logs when an unauthorized user attempts to access another user's mailbox. But is this 100% accurate? I have a user who apparently is attempting to access executive mailboxes. I checked his PC for mapped mailboxes but there is no trace. Also this person is not too knowledgeable of PCs, to the point where he needs assistance logging off his PC. How can I isolate the origin of these events? I thought it could be caused by Public Folder access activity, but the targeted users don't have any Public folders.

Sample Event Log:

xxxx.corp.xxxx.com 1029 MSExchangeIS Mailbox Store [email protected] failed an operation because the user did not have the following access rights: 'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact' The distinguished name of the owning mailbox is /O=xxxx/OU=xxxxxx/CN=RECIPIENTS/CN=johnDoe. The folder ID is in the data section of this event. For more information, click http://www.microsoft.com/contentredirect.asp.  

Answer : Event ID 1029 - Is this a sign of intrusion?

Here is a step-by-step guide for...

Auditing Mailbox Access Using Exchange System Manager and Event Viewer
http://www.msexchange.org/tutorials/Auditing-Mailbox-Access-Exchange-System-Manager-Event-Viewer.html
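
When many 1029 events accumulate, a first triage step is to tabulate which denied account appears against which owning mailboxes. The script below is an added example, not part of the original answer or the linked tutorial; it parses message text in the format quoted in the question, and the sample messages, account names and the `min_mailboxes` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern follows the Event ID 1029 message text quoted in the question.
EVENT_1029 = re.compile(
    r"(?P<actor>\S+) failed an operation because the user did not have "
    r"the following access rights:\s*(?P<rights>(?:'[^']+'\s*)+)"
    r".*?owning mailbox is (?P<owner>/O=.+?)\.(?:\s|$)",
    re.IGNORECASE | re.DOTALL,
)

def parse_1029(message):
    """Return actor, owning-mailbox DN and denied rights, or None if no match."""
    m = EVENT_1029.search(message)
    if not m:
        return None
    return {
        "actor": m.group("actor").lower(),
        "owner": m.group("owner").upper(),  # DNs compare case-insensitively
        "rights": re.findall(r"'([^']+)'", m.group("rights")),
    }

def summarize(messages):
    """Count denied operations per (actor, owning mailbox)."""
    per_actor = defaultdict(lambda: defaultdict(int))
    for msg in messages:
        ev = parse_1029(msg)
        if ev:
            per_actor[ev["actor"]][ev["owner"]] += 1
    return {actor: dict(owners) for actor, owners in per_actor.items()}

def actors_touching_many(summary, min_mailboxes=2):
    """Actors denied on at least min_mailboxes distinct mailboxes (assumed threshold)."""
    return sorted(a for a, owners in summary.items() if len(owners) >= min_mailboxes)

# Constructed sample messages (not real log data).
_TAIL = " The folder ID is in the data section of this event."
_DN = "/O=EXAMPLE/OU=First Administrative Group/CN=RECIPIENTS/CN="
_MSG = ("{} failed an operation because the user did not have the following "
        "access rights: 'Delete' 'Read Property' The distinguished name of "
        "the owning mailbox is " + _DN + "{}." + _TAIL)
SAMPLE = [
    _MSG.format("alice@corp.example", "ceo"),
    _MSG.format("alice@corp.example", "cfo"),
    _MSG.format("bob@corp.example", "ceo"),
    "Unrelated event text that should be skipped.",
]

if __name__ == "__main__":
    for actor, owners in summarize(SAMPLE).items():
        print(actor, owners)
```

The tabulation only shows who was denied against which mailbox; it does not identify the client or workstation that issued the request.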