To resolve this problem, install the following update rollup:
2279665 Description of Update Rollup 1 for Exchange Server 2007 Service Pack 3
After you apply this update, a new attribute named
ProtocolLogonAudit is created for the Exchange organization object. You can use the
Set-OrganizationConfig cmdlet to set the value for the
ProtocolLogonAudit attribute to
True or
False. The default setting is
False. Therefore, the successful connecting information not to be logged.
Additionally, there is a setting for each Exchange Server 2007 server to override the Exchange organization setting. You can set the value for the
ProtocolLogonAudit attribute in the
Microsoft.Exchange.Imap4.exe.config file and in the
Microsoft.Exchange.Pop3.exe.config file for each Exchange Server 2007 server in the Exchange organization. To log all the connecting information, add the following information in the <appSettings> section in the
Microsoft.Exchange.Imap4.exe.config file and in the
Microsoft.Exchange.Pop3.exe.config file:
<appSettings>
......
<add key="ProtocolLogonAudit" value="1" />
</appSettings>
Note If you set the value to "0" or you do not configure this setting, the Exchange Server 2007 server uses the Exchange organization setting. If you set the value to "2", the auditing is disabled. Then the successful connecting information is not logged.
After you enable the
ProtocolLogonAudit attribute, you have to restart the
Microsoft Exchange IMAP4 service and the
Microsoft Exchange POP3 service for the settings to take effect. Then, If a user accesses a mailbox successfully by using POP3 or by using IMAP4, the following event is logged:
Event Type: Information
Event Source: MSExchangeIMAP4/MSExchangePOP3
Event ID: 2104
Description:
User "
<user name>" logged into mailbox "
<mailbox name>"
RemoteUser:
<domain>\
<user account>Mailbox:
<mailbox name>ProtocolServiceName:
<IMAP4 or POP3>TimeStamp:
<date, time>ClientEndpoinr:
<IP address:port>