XADM: How to Find What User Is Deleting or Editing Objects in Administrator
ID: Q183674
|
The information in this article applies to:
-
Microsoft Exchange Server, versions 4.0, 5.0, 5.5
SUMMARY
A user with Administrator rights can delete Exchange objects, either
inadvertently or maliciously. This article explains how to:
- Find the Exchange Server computer where unwanted changes are being made.
- Find which user is making changes to specific objects while attached to
that server.
This procedure allows tracking of changes made through bulk imports as
well as through the normal Administrator program interface.
MORE INFORMATION
An object in the Exchange directory is anything that has Properties
viewable in Exchange Administrator, including users, distribution lists,
connectors, and even the Organization object itself. Objects and changes to
objects are automatically replicated and synchronized among all servers
in an Exchange site, or even between sites (if a Directory Replication
Connector is configured).
By examining the Raw Properties of an object in Administrator, you can tell
from which server in a site an object was last changed. By turning up
Directory Service diagnostics logging for Security on a server, you can
tell who is making changes to objects from that server.
The directory service on each Exchange Server computer has a unique
Invocation-ID. When an object is changed from a server, the server's
Invocation-ID is written to the object's DSA-Signature property. When the
object is replicated to other servers, the DSA-Signature goes with it, thus
identifying the server from which the change was made.
To check the DSA-Signature of an object, do the following:
WARNING: Using the raw mode of the Exchange Administrator program (admin
/r) incorrectly can cause serious problems that may require you to
reinstall Microsoft Windows NT Server and/or Microsoft Exchange Server.
Microsoft cannot guarantee that problems resulting from the incorrect use
of raw mode can be solved. Use raw mode at your own risk.
- Start the Exchange Server Administrator program in raw mode by typing
the following at a command prompt:
admin/r
By default, the Administrator program is in the \exchsrvr\bin directory.
- Select your object of interest, and view its raw properties by choosing
Raw properties on the File menu, or pressing SHIFT+ENTER.
- Find DSA-Signature in the Object Attributes list. The following is an
example of a typical DSA-Signature value:
70F3248C5EC3D111A11800805F299FC3
You should clip or jot down the DSA-Signature.
TIP: In most cases, the last half dozen characters are unique within a
site, so you do not need to write down the entire string.
To match the DSA-Signature of an object to the Invocation-ID of a server:
- Exit the raw properties of the object, and select the local <Site>
object (which appears bold in the list of sites), and view its raw
properties.
- Select the Reps-From object attribute of the <Site> object. NOTE: This
attribute exists only if there are two or more servers in the site.
The Reps-From attribute is multivalued and contains as many values as
there are servers in the site, less one. A typical Reps-From value for a
server looks like this:
0,112,16,1562,70F3248C5EC3D111A11800805F299FC3,PRO800
Fields in the value are delimited by commas. The last field is the
server name. The second-to-last field is the server's Invocation-ID.
In Administrator, you cannot usually see the entire string, but you can
use the horizontal scroll bar to view the end rather than the beginning
of the string.
When you find a match between the Invocation-ID listed here for a server
and the DSA-Signature you noted previously, you have found the server
that last changed the object.
To track who is making changes to objects from a given server:
- In Exchange Administrator, select the server of interest. TIP: If you
attach directly to this server by choosing Connect to Server from the
File menu, your changes take effect immediately. Otherwise, you must
wait for changes to replicate to the server.
- View the <Server> properties by choosing Properties on the File menu, or
pressing ALT+ENTER and then selecting the Diagnostics Logging property
tab.
- Select MSExchangeDS and turn Security logging to maximum.
- To view administrative accesses to Exchange objects from this server,
run the Event Viewer and select the Application log. Filter Events to
show only events from source MSExchangeDS with a category of Security.
Event 1053 will be logged when objects are changed, and the event will
record the logon ID that was used to make the change.
The following is an example of the description for such an event. This
event was logged when removing a user from a distribution list called
"test."
User: PRO\Administrator
Computer: PRO800
Event ID: 1053
Source: MSExchangeDS
Type: Information
Category: Security
Description: The security descriptor granted 0x2 access on object
/o=Microsoft/ou=PRO/cn=Recipients/cn=test for this user.
Additional query words:
delete DL mailbox
Keywords : kbusage XADM
Version : winnt:4.0,5.0,5.5
Platform : winnt
Issue type : kbhowto
Last Reviewed: May 13, 1999