最佳解答者
How do I know who delete a mailbox in Exchange System Manager?

問題
解答
-
Dear customer:
Thanks for Chaub’s reply.
You can try the following steps to achieve your goal.
- Enable the “Audit Directory Service Access” and “Audit Account management” in the domain controller security policy,
- Now when you access the AD objects you will get an Event ID 565 for Directory Service Access and Event ID 624/642/628 for Account Management in the Security log.
I believe based on the above information we should be able to capture the events in the MOM. For more information on writing rules and using MOM 2005, refer to the Operations Guide at
http://www.microsoft.com/downloads/details.aspx?FamilyId=A0E40758-CAB8-4588-B0F2-1508D84906CC&displaylang=en
I hope the above information should assist you in capture the required events. Please let me know if you have any questions or comments on this issue,
Rock Wang - MSFT
所有回覆
-
Hello Anna,
i have some clients use following tools for the Exchange system Audit. it can provide audit report & Control. i hope it can help you.
http://www.netpro.com/products/security-compliance/change-auditing/ChangeAuditor-for-Exchange/
http://www.quest.com/InTrust-Plug-in-for-Exchange/
Thanks
-
Dear customer:
Thanks for Chaub’s reply.
You can try the following steps to achieve your goal.
- Enable the “Audit Directory Service Access” and “Audit Account management” in the domain controller security policy,
- Now when you access the AD objects you will get an Event ID 565 for Directory Service Access and Event ID 624/642/628 for Account Management in the Security log.
I believe based on the above information we should be able to capture the events in the MOM. For more information on writing rules and using MOM 2005, refer to the Operations Guide at
http://www.microsoft.com/downloads/details.aspx?FamilyId=A0E40758-CAB8-4588-B0F2-1508D84906CC&displaylang=en
I hope the above information should assist you in capture the required events. Please let me know if you have any questions or comments on this issue,
Rock Wang - MSFT
-
Hi Rock,
I tried the steps you suggested but I found only "user account deletion" can be tracked in the Security log. If the administrator deletes only the mailbox using Exchange Tasks without removing the user account, no information is shown in the log even the "Audit Directory Service Access" and "Audit Account Management" enabled in DC security policy.
Many thanks,
Anna
-
Dear customer:
Thanks for your reply.
When someone delete mailbox via Exchange task, system will record the operation in a .xml file which is under C:\Documents and Settings\username\My Documents\Exchange Task Wizard Logs folder. You can check runas section.
Hope it helps.
Rock Wang - MSFT
-
Hi Rock,
Thanks for your information. But if the administrator installed the ESM console at his own computer, does that means I can't get the .xml file to check as the file should be on the administrator's PC! It seems this is not the best way to keep track on exchange administrators' actions.
Many thanks,
Anna
-
Hi Chaub,
Thanks for your information. Could you recommend which tool should be used for dummy just like me? the NetPro one or the Quest one? I checked the web sites you provided and found NetPro is also a part of the Quest, so means the two tools are similar? Which one is easiler to deploy and use?
Many thanks again,
Anna
-
Yes, Both of Quest or Nepro tools is similar. And Quest Software Acquires NetPro Computing, Inc. on SEP. i does not have too much experiences on both tools, so i am not sure which oe should be better. However, From Clients experiences, Netpro Should be better his enviorments. Anyway, If Netpro tools is not goo tools or Company, Why Quest acquires Netpro.
-
Dear customer:
You can try to use MOM 2005 to monitor who create or delete mailbox operation, for more information about MOM 2005, please refer to the following article:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A0E40758-CAB8-4588-B0F2-1508D84906CC&displaylang=en
In addition, we advice you to post the issue into the following forum, maybe you can get more help in there.
Microsoft Technical Support Forum - Hong Kong » IT Professional Discussion Forum » Management Server
http://forums.microsoft.com/hongkong/ShowForum.aspx?ForumID=2045&SiteID=82
Hope it helps.
Rock Wang - MSFT
-
Indeed, NetPro or I should say Quest/NetPro ChangeAuditor for AD, Exchange, File System & SQL has the better price & performance ratio than Quest's InTrust + Exchange module but Quest is stronger on the reporting side but IMO not as simple as NetPro when it comes to installation & deployment. NetPro's products cost less than Quest's but for Change Management under AD/Exchange/File System/SQL, I recommend NetPro's over Quest's b/c for large # of active AD objects the bottom line for NetPro is always cheaper but b/f making a purchase, pls play w/ the eval version first. Good luck!