Q260835: XADM: How to Log Mailbox Access by Computer Name
Article: Q260835
Product(s): Microsoft Exchange
Version(s): winnt:5.5
Operating System(s):
Keyword(s): exc55
Last Modified: 09-AUG-2000
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Exchange Server, version 5.5
-------------------------------------------------------------------------------
SUMMARY
=======
In some cases, there may be a need to discover which computer a user is using to
access a mailbox. You can obtain this information by using a combination of
Microsoft Windows NT auditing and Microsoft Exchange Server diagnostic logging.

MORE INFORMATION
================
The following sets of steps are performed in User Manager and the Exchange
Server Administrator program for the server being accessed by the user.

Use Windows NT auditing to determine which system a user logged on from; to do
so, follow these steps:

1. Start User Manager for Domains.

2. Click Audit on the Policies menu.

3. Click to select the Success check box in the "Logon and Logoff" category.
   Optionally, you may also select the Failure check box.

After you have completed these steps, Windows NT logs an event in the Security
Event Log for each successful logon attempt. The log appears similar to the
following example:

   Event Type: Success Audit
   Event Source: Security
   Event Category: Logon/Logoff
   Event ID: 528
   Date: 4/25/2000
   Time: 4:54:33 PM
   User: Domain\UserName
   Computer: ServerX
   Description:
   Successful Logon:
      User Name: Administrator
      Domain: Domain
      Logon ID: (0x0,0x3F0D6)
      Logon Type: 3
      Logon Process: NtLmSsp
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name: ComputerX

Use Exchange Server diagnostic logging to determine which user account was used
to log on to a particular mailbox; to do so, follow these steps:

1. Start the Exchange Server Administrator program.

2. Select the server where the mailboxes are homed.

3. Click Properties on the File menu.

4. Select the Diagnostics Logging tab.

5. In the Services pane, expand MSExchangeIS, and then select Private.

6. In the Category pane, click Logons, and then change the Logging level to
   Maximum.

7. Click OK.

After you have completed these steps, Exchange Server logs an event in the
Application Event Log for each successful logon attempt. The log is similar to
the following example:

   Event Type: Success Audit
   Event Source: MSExchangeIS Private
   Event Category: Logons
   Event ID: 1009
   Date: 4/25/2000
   Time: 4:54:33 PM
   User: N/A
   Computer: ServerX
   Description:
   Domain\UserName logged on as
   /o=Organization/ou=Site/cn=Recipients/cn=Mailbox

Finally, to determine the computer used to access the mailbox, follow these
steps:

1. Find the event ID 1009 that is generated in the Application Event Log when
   the mailbox in question is accessed.

2. Note the time that the event ID 1009 is generated.

3. Find the event ID 528 generated in the Security Event Log with the same time
   as the event ID 1009 noted above.

4. Match event IDs 1009 and 528 by their common time of generation.

Together, the matched events identify the computer (the Workstation Name field
of event ID 528) and the account (named in the description of event ID 1009)
used to access the mailbox.
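
The matching steps above can be scripted once both logs are exported as text.
The following is an added example, not part of the original article: it assumes
entries in the layout shown above separated by blank lines, and it additionally
compares the account name and allows a small time window (both assumptions
beyond the article's match on time alone). The names SAMPLE, parse_events and
correlate are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample entries (not real logs), in the text layout shown above.
SAMPLE = """\
Event ID: 528
Date: 4/25/2000
Time: 4:54:33 PM
User: CORP\\alice
Workstation Name: WKSTN-07

Event ID: 528
Date: 4/25/2000
Time: 4:54:33 PM
User: CORP\\bob
Workstation Name: WKSTN-12

Event ID: 1009
Date: 4/25/2000
Time: 4:54:33 PM
Description:
CORP\\alice logged on as
/o=Org/ou=Site/cn=Recipients/cn=ceo
"""

def parse_events(text):
    """Turn blank-line-separated entries into dicts of their 'Key: value' fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = dict(re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", block, re.M))
        ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
        m = re.search(r"^(\S+) logged on as\s+(\S+)", block, re.M)
        if m:  # event 1009 description: account, then the mailbox DN
            ev["account"], ev["mailbox"] = m.groups()
        events.append(ev)
    return events

def correlate(events, window=timedelta(seconds=2)):
    """Per 1009 event, workstations from 528 events for that account within `window`."""
    logons = [e for e in events if e["Event ID"] == "528"]
    out = []
    for ex in (e for e in events if e["Event ID"] == "1009"):
        hosts = sorted({l["Workstation Name"] for l in logons
                        if l["User"].lower() == ex["account"].lower()
                        and abs(l["when"] - ex["when"]) <= window})
        out.append((ex["mailbox"], ex["account"], hosts))  # more than one host = ambiguous
    return out
```

An empty host list means no matching 528 event was found in the window; more
than one host means the match is ambiguous and needs manual review.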

For additional information about other auditing options available in Windows NT,
click the article number below to view the article in the Microsoft Knowledge
Base:

   Q175062 How To Determine from Which Computer a User Logged On

======================================================================
Keywords : exc55
Technology : kbExchangeSearch kbExchange550 kbZNotKeyword2
Version : winnt:5.5
Issue type : kbhowto
=============================================================================
Copyright Microsoft Corporation 1986-2002.