How do I know who deleted a mailbox in Exchange System Manager?

  • Question

  •  

    Hi,

     

    Can anyone pls help! I found that one of my Exchange administrators deleted a user mailbox in secret. But I don't know who did that! So how can I track it, and where can I get the audit trail regarding mailbox creation and deletion in the future?

     

    Many thanks,

    Anna

    September 19, 2008, 9:51 AM

Answer

  •  

     Dear customer:

     

    Thanks for Chaub’s reply.

     

    You can try the following steps to achieve your goal.

     

    1. Enable “Audit Directory Service Access” and “Audit Account Management” in the domain controller security policy.
    2. Now when you access the AD objects you will get an Event ID 565 for Directory Service Access and Event ID 624/642/628 for Account Management in the Security log.

    I believe based on the above information we should be able to capture the events in the MOM. For more information on writing rules and using MOM 2005, refer to the Operations Guide at

    http://www.microsoft.com/downloads/details.aspx?FamilyId=A0E40758-CAB8-4588-B0F2-1508D84906CC&displaylang=en

     

    I hope the above information will assist you in capturing the required events. Please let me know if you have any questions or comments on this issue.

     

    Rock Wang - MSFT

    September 22, 2008, 6:03 AM
    Moderator
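
The check described in the answer above, as an added PowerShell example that is not part of the original thread: it reads a domain controller's Security log for the event IDs listed in step 2 and summarizes them per account. The server name and look-back window are placeholders, and it assumes the auditing from step 1 is already enabled.

```powershell
# Added example (not from the thread). $DomainController and $Since are placeholders.
$DomainController = 'DC01'                 # hypothetical domain controller name
$Since            = (Get-Date).AddDays(-7) # look-back window, adjust as needed

# Event IDs and categories exactly as listed in the answer above.
$Category = @{
    565 = 'Directory Service Access'
    624 = 'Account Management'
    628 = 'Account Management'
    642 = 'Account Management'
}
[long[]]$Ids = 565, 624, 628, 642

# Reading the Security log remotely requires rights on the domain controller.
$events = Get-EventLog -LogName Security -ComputerName $DomainController `
                       -InstanceId $Ids -After $Since

# One row per event: when, which ID, which account the log entry is attributed to,
# and the first non-empty lines of the message text for context.
$report = $events | Select-Object `
    @{ n = 'Time';     e = { $_.TimeGenerated } },
    @{ n = 'EventID';  e = { [int]$_.InstanceId } },
    @{ n = 'Category'; e = { $Category[[int]$_.InstanceId] } },
    @{ n = 'Account';  e = { $_.UserName } },
    @{ n = 'Detail';   e = { ($_.Message -split "`r?`n" |
                              Where-Object { $_.Trim() } |
                              Select-Object -First 3) -join ' | ' } }

$report | Sort-Object Time | Format-Table -AutoSize -Wrap

# Summary: which accounts generated which audited actions, most active first.
$report | Group-Object Account, EventID |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```
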

All replies

  • Hello Anna,

     

    I have some clients who use the following tools for Exchange system auditing. They can provide audit reports and control. I hope this can help you.

     

    http://www.netpro.com/products/security-compliance/change-auditing/ChangeAuditor-for-Exchange/

    http://www.quest.com/InTrust-Plug-in-for-Exchange/

     

    Thanks

    September 21, 2008, 2:43 AM
  • Hi Rock,

     

    I tried the steps you suggested but I found only "user account deletion" can be tracked in the Security log. If the administrator deletes only the mailbox using Exchange Tasks without removing the user account, no information is shown in the log even with "Audit Directory Service Access" and "Audit Account Management" enabled in the DC security policy.

     

    Many thanks,

    Anna

     

    September 22, 2008, 8:41 AM
  • Dear customer:

     

    Thanks for your reply.

     

    When someone deletes a mailbox via Exchange Tasks, the system records the operation in an .xml file under the C:\Documents and Settings\username\My Documents\Exchange Task Wizard Logs folder. You can check the runas section.

     

    Hope it helps.

     

    Rock Wang - MSFT

    September 22, 2008, 8:49 AM
    Moderator
  • Hi Rock,

     

    Thanks for your information. But if the administrator installed the ESM console on his own computer, does that mean I can't get the .xml file to check, as the file would be on the administrator's PC? It seems this is not the best way to keep track of Exchange administrators' actions.

     

    Many thanks,

    Anna

     

     

     

    September 22, 2008, 9:41 AM
  • Hi Anna,

     

    Yes, the default Windows and Exchange logging has some limitations for tracing account changes. Therefore, some companies use third-party tools. Thanks

    September 22, 2008, 3:12 PM
  • Hi Chaub,

     

    Thanks for your information. Could you recommend which tool should be used by a dummy just like me? The NetPro one or the Quest one? I checked the web sites you provided and found NetPro is also a part of Quest, so does that mean the two tools are similar? Which one is easier to deploy and use?

     

    Many thanks again,

    Anna

     

    September 22, 2008, 3:31 PM
  • Yes, the Quest and NetPro tools are similar, and Quest Software acquired NetPro Computing, Inc. in September. I do not have much experience with either tool, so I am not sure which one is better. However, from a client's experience, NetPro should be better in his environment. Anyway, if NetPro were not a good tool or company, why would Quest acquire NetPro?

    September 23, 2008, 2:41 AM
  • Dear customer:

     

    You can try to use MOM 2005 to monitor who creates or deletes mailboxes. For more information about MOM 2005, please refer to the following article:

     

    http://www.microsoft.com/downloads/details.aspx?FamilyId=A0E40758-CAB8-4588-B0F2-1508D84906CC&displaylang=en

     

    In addition, we advise you to post the issue in the following forum; maybe you can get more help there.

     

    Microsoft Technical Support Forum - Hong Kong » IT Professional Discussion Forum » Management Server  

    http://forums.microsoft.com/hongkong/ShowForum.aspx?ForumID=2045&SiteID=82

     

    Hope it helps.

     

    Rock Wang - MSFT

     

    September 24, 2008, 9:49 AM
    Moderator
  • Indeed, NetPro, or I should say Quest/NetPro ChangeAuditor for AD, Exchange, File System & SQL, has a better price & performance ratio than Quest's InTrust + Exchange module. Quest is stronger on the reporting side but IMO not as simple as NetPro when it comes to installation & deployment. NetPro's products cost less than Quest's, and for Change Management under AD/Exchange/File System/SQL, I recommend NetPro's over Quest's b/c for a large # of active AD objects the bottom line for NetPro is always cheaper. But b/f making a purchase, pls play w/ the eval version first. Good luck!

     

    October 9, 2008, 12:40 PM