Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Many log entries are generated on an Exchange Server 2007 computer when you enable the Exchange log to audit user logons that do not use the primary account for their mailbox


View products that this article applies to.

Symptoms

In Microsoft Exchange Server 2007, log entries are generated when you enable the Exchange log to audit user logons that do not use the primary account for their mailbox. For example, the events that are generated in this scenario resemble the following:
Event ID            1016
Event Source     MSExchangeIS Mailbox Store
Event Type        Success Audit
Event Category  Logons
Description        Windows 2000 User <domain\user> logged on to <mailbox address> mailbox, and is not the primary Windows 2000 account on this mailbox.
Many log entries are generated in this scenario because all varieties of logons are audited. There is currently no way to audit logons only from actual users and not from system access events.

Note You can run the set-eventloglevel command in Exchange Management Shell to enable logging against user logons. This command resembles the following:
set-eventloglevel -identity "MSExchange IS\9000 Private\Logons" -level low/medium/high/expert

↑ Back to the top


Resolution

To resolve this problem, install Update Rollup 8 for Exchange 2007 Service Pack 1. For more information about Update Rollup 8 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic: For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:

↑ Back to the top


More information

After you install this hotfix rollup, Exchange 2007 server will audit only successful instances of access to a user's folder in a mailbox. The auditing event details will resemble the following:
Event ID	10100
Event Source	MSExchangeIS Auditing
Description	The folder <folder name> in Mailbox '<mailbox name>' was opened by user <domain\user>
Display Name: <folder name>
Accessing User: <legacyExchangeDN of the mailbox user>
Mailbox: <legacyExchangeDN of the mailbox user>
Administrative Rights: xx
Client Information (if Available):
Machine Name: <machine>
Process Name: xx
Process Id: xx
Application Id: xx

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: KB968310, kbqfe, kbexpertiseadvanced, kbexpertiseinter, kbhotfixrollup, kbarchive, kbnosurvey

↑ Back to the top

Article Info
Article ID : 968310
Revision : 2
Created on : 1/16/2015
Published on : 1/16/2015
Exists online : False
Views : 322