Q183674: XADM: How to Find What User Is Changing Objects in Administrator
Article: Q183674
Product(s): Microsoft Exchange
Version(s): winnt:4.0,5.0,5.5
Operating System(s):
Keyword(s): kbusage
Last Modified: 15-MAY-1999
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Exchange Server, versions 4.0, 5.0, 5.5
-------------------------------------------------------------------------------
SUMMARY
=======
A user with Administrator rights can delete Exchange objects, either
inadvertently or maliciously. This article explains how to:
1. Find the Exchange Server computer where unwanted changes are being made.
2. Find which user is making changes to specific objects while attached to that
server.
This procedure allows tracking of changes made through bulk imports as well as
through the normal Administrator program interface.
MORE INFORMATION
================
An object in the Exchange directory is anything that has Properties viewable in
Exchange Administrator, including users, distribution lists, connectors, and
even the Organization object itself. Objects and changes to objects are
automatically replicated and synchronized among all servers in an Exchange site,
or even between sites (if a Directory Replication Connector is configured).
By examining the Raw Properties of an object in Administrator, you can tell from
which server in a site an object was last changed. By turning up Directory
Service diagnostics logging for Security on a server, you can tell who is making
changes to objects from that server.
The directory service on each Exchange Server computer has a unique
Invocation-ID. When an object is changed from a server, the server's
Invocation-ID is written to the object's DSA-Signature property. When the object
is replicated to other servers, the DSA-Signature goes with it, thus identifying
the server from which the change was made.
To check the DSA-Signature of an object, do the following:
WARNING: Using the raw mode of the Exchange Administrator program (admin /r)
incorrectly can cause serious problems that may require you to reinstall
Microsoft Windows NT Server and/or Microsoft Exchange Server. Microsoft cannot
guarantee that problems resulting from the incorrect use of raw mode can be
solved. Use raw mode at your own risk.
1. Start the Exchange Server Administrator program in raw mode by typing the
following at a command prompt:
admin/r
By default, the Administrator program is in the \exchsrvr\bin directory.
2. Select your object of interest, and view its raw properties by choosing Raw
properties on the File menu, or pressing SHIFT+ENTER.
3. Find DSA-Signature in the Object Attributes list. The following is an example
of a typical DSA-Signature value:
70F3248C5EC3D111A11800805F299FC3
You should clip or jot down the DSA-Signature.
TIP: In most cases, the last half dozen characters are unique within a site,
so you do not need to write down the entire string.
To match the DSA-Signature of an object to the Invocation-ID of a server:
1. Exit the raw properties of the object, and select the local <Site>
object (which appears bold in the list of sites), and view its raw
properties.
2. Select the Reps-From object attribute of the <Site> object. NOTE: This
attribute exists only if there are two or more servers in the site.
The Reps-From attribute is multivalued and contains as many values as there
are servers in the site, less one. A typical Reps-From value for a server
looks like this:
0,112,16,1562,70F3248C5EC3D111A11800805F299FC3,PRO800
Fields in the value are delimited by commas. The last field is the server
name. The second-to-last field is the server's Invocation-ID.
In Administrator, you cannot usually see the entire string, but you can use
the horizontal scroll bar to view the end rather than the beginning of the
string.
When you find a match between the Invocation-ID listed here for a server and
the DSA-Signature you noted previously, you have found the server that last
changed the object.
To track who is making changes to objects from a given server:
1. In Exchange Administrator, select the server of interest. TIP: If you attach
directly to this server by choosing Connect to Server from the File menu,
your changes take effect immediately. Otherwise, you must wait for changes to
replicate to the server.
2. View the <Server> properties by choosing Properties on the File menu,
or pressing ALT+ENTER and then selecting the Diagnostics Logging property
tab.
3. Select MSExchangeDS and turn Security logging to maximum.
4. To view administrative accesses to Exchange objects from this server, run the
Event Viewer and select the Application log. Filter Events to show only
events from source MSExchangeDS with a category of Security. Event 1053 will
be logged when objects are changed, and the event will record the logon ID
that was used to make the change.
The following is an example of the description for such an event. This event
was logged when removing a user from a distribution list called "test."
User: PRO\Administrator
Computer: PRO800
Event ID: 1053
Source: MSExchangeDS
Type: Information
Category: Security
Description: The security descriptor granted 0x2 access on object
/o=Microsoft/ou=PRO/cn=Recipients/cn=test for this user.
Additional query words: delete DL mailbox
======================================================================
Keywords : kbusage
Technology : kbExchangeSearch kbExchange500 kbExchange550 kbExchange400 kbZNotKeyword2
Version : winnt:4.0,5.0,5.5
Issue type : kbhowto
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.