Another thing you could do, if you're fast enough, is to check the Information Store Mailbox Resources becauase that will tell you the last account to access a mailbox. You could look for his NT ID and look for anything suspicious. He can't delete that. The only gotcha there, of course, is that the owner may login between the time he did and the time you look at the account. Still worth a shot.
Good hunting. Nate Couch EDS Messaging. > ---------- > From: John Matteson > Reply To: Exchange Discussions > Sent: Monday, April 8, 2002 09:17 > To: Exchange Discussions > Subject: RE: Monitoring access > > If I remember correctly, you can set the SECURITY event log to record what > account deleted the Application and System event logs. Unless the account > has the proper permissions (like full local admin), he can't delete that > log. > > John Matteson; Exchange Manager > Geac Corporate Infrastructure Systems and Standards > (404) 239 - 2981 > Defeat is a state of mind. No one is ever defeated until defeat has been > accepted as a reality. To me, defeat in anything is merely temporary, and > its punishment is but an urge for me to greater effort to achieve my goal. > Defeat simply tells me that something is wrong in my doing; it is a path > leading to success and truth. --Bruce Lee > > > > -----Original Message----- > From: Dillon, Jeff [mailto:[EMAIL PROTECTED]] > Sent: Monday, April 08, 2002 10:04 AM > To: Exchange Discussions > Subject: RE: Monitoring access > > > You need two levels of admin password...a master that you hold, and > personal > admin equivs for the jerks. LET HIM GET SUSPICIOUS because he might stop > at > that point. > > -----Original Message----- > From: David Fortuna [mailto:[EMAIL PROTECTED]] > Sent: Monday, April 08, 2002 10:02 AM > To: Exchange Discussions > Subject: Monitoring access > > > I have an exchange 5.5 e-mail server running on Windows NT 4.0 server. > I have a network tech that is accessing peoples mailboxes just for the > sake of snooping. This is something I have had trouble prooving, > everytime he does it he deletes the log created in the event viewer of the > NT server. If there was a way to recover the event viewer it would be > easy to prove. Is there a way within Exchange to prove something like > this. > I do not want to get him suspicous by removing his rights to access > things. > > Please help!!! > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
