DOCUMENT:Q260835  09-AUG-2000  [exchange]
TITLE   :XADM: How to Log Mailbox Access by Computer Name
PRODUCT :Microsoft Exchange
PROD/VER:winnt:5.5
OPER/SYS:
KEYWORDS:exc55

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Exchange Server, version 5.5
-------------------------------------------------------------------------------

SUMMARY
=======

In some cases, there may be a need to discover which computer a user is using
to access a mailbox. You can obtain this information by using a combination of
Microsoft Windows NT auditing and Microsoft Exchange Server diagnostic logging.

MORE INFORMATION
================

The following sets of steps are performed in User Manager and the Exchange
Server Administrator program for the server being accessed by the user.

Use Windows NT auditing to determine which system a user logged on from; to do
so, follow these steps:

1. Start User Manager for Domains.

2. Click Audit on the Policies menu.

3. Click to select the Success check box in the "Logon and Logoff" category.
   Optionally, you may also select the Failure check box.

After you have completed these steps, Windows NT logs an event in the Security
Event Log for each successful logon attempt. The log appears similar to the
following example:

   Event Type:     Success Audit
   Event Source:   Security
   Event Category: Logon/Logoff
   Event ID:       528
   Date:           4/25/2000
   Time:           4:54:33 PM
   User:           Domain\UserName
   Computer:       ServerX
   Description:
   Successful Logon:
      User Name:              Administrator
      Domain:                 Domain
      Logon ID:               (0x0,0x3F0D6)
      Logon Type:             3
      Logon Process:          NtLmSsp
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name:       ComputerX

Use Exchange Server diagnostic logging to determine which user account was used
to log on to a particular mailbox; to do so, follow these steps:

1. Start the Exchange Server Administrator program.

2. Select the server where the mailboxes are homed.

3. Click Properties on the File menu.

4. Select the Diagnostics Logging tab.

5. In the Services pane, expand MSExchangeIS, and then select Private.

6. In the Category pane, click Logons, and then change the Logging level to
   Maximum.

7. Click OK.

After you have completed these steps, Exchange Server logs an event in the
Application Event Log for each successful logon attempt. The log is similar to
the following example:

   Event Type:     Success Audit
   Event Source:   MSExchangeIS Private
   Event Category: Logons
   Event ID:       1009
   Date:           4/25/2000
   Time:           4:54:33 PM
   User:           N/A
   Computer:       ServerX
   Description:
   Domain\UserName logged on as /o=Organization/ou=Site/cn=Recipients/cn=Mailbox

Finally, to determine the computer used to access the mailbox, follow these
steps:

1. Find the event ID 1009 that is generated in the Application Event Log when
   the mailbox in question is accessed.

2. Note the time that the event ID 1009 is generated.

3. Find the event ID 528 generated in the Security Event Log with the same time
   as the event ID 1009 noted above.

4. Match event IDs 1009 and 528 by their common time of generation. These
   matching event IDs reference the computer and the account (respectively)
   used to access the mailbox.

For additional information about other auditing options available in Windows
NT, click the article number below to view the article in the Microsoft
Knowledge Base:

   Q175062 How To Determine from Which Computer a User Logged On

Additional query words:

======================================================================
Keywords          : exc55
Technology        : kbExchangeSearch kbExchange550 kbZNotKeyword2
Version           : winnt:5.5
Issue type        : kbhowto

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.

Copyright Microsoft Corporation 2000.
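
The matching of event ID 1009 to event ID 528 described in the final set of steps can be scripted once both logs are exported as text. The following is an added example, not part of the original article or any Microsoft tool. It assumes a plain-text export with one "Field: value" pair per line and blank lines between records, and it goes slightly beyond the article by also requiring the account name and server to match and by allowing a two-second window; the account, workstation and mailbox names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export (assumed format: "Field: value" lines, records
# separated by a blank line). All account and host names are made up.
LOGON = "Event ID: 528\nDate: 4/25/2000\nTime: {}\nComputer: ServerX\n" \
        "User Name: {}\nDomain: CORP\nLogon Type: 3\nWorkstation Name: {}"
ACCESS = "Event ID: 1009\nDate: 4/25/2000\nTime: {}\nComputer: ServerX\n" \
         "Description: CORP\\{} logged on as /o=Org/ou=Site/cn=Recipients/cn={}"
SAMPLE = "\n\n".join([
    LOGON.format("4:54:33 PM", "jdoe", "WKSTN-07"),
    LOGON.format("4:54:33 PM", "asmith", "WKSTN-12"),  # same second, other user
    LOGON.format("9:10:02 AM", "jdoe", "WKSTN-99"),    # same user, hours earlier
    ACCESS.format("4:54:33 PM", "jdoe", "Boss"),
    ACCESS.format("5:20:00 PM", "asmith", "Boss"),     # no 528 near this time
])

def parse(dump):
    """Split a text export into dicts of 'Field: value' pairs plus a timestamp."""
    events = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        ev = dict(re.findall(r"^\s*([^:\n]+):[ \t]*(.*)$", block, re.M))
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                       "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def correlate(events, window=timedelta(seconds=2)):
    """For each 1009, list workstations from 528 events for the same account
    on the same server within `window`. Empty or multiple hits need review."""
    logons = [e for e in events if e["Event ID"] == "528"]
    out = []
    for ev in (e for e in events if e["Event ID"] == "1009"):
        m = re.match(r"(\S+) logged on as (.+)", ev["Description"])
        account, mailbox = m.group(1).lower(), m.group(2)
        hosts = sorted({l["Workstation Name"] for l in logons
                        if (l["Domain"] + "\\" + l["User Name"]).lower() == account
                        and l["Computer"] == ev["Computer"]
                        and abs(l["when"] - ev["when"]) <= window})
        out.append((ev["when"].isoformat(), account, mailbox, hosts))
    return out

if __name__ == "__main__":
    for row in correlate(parse(SAMPLE)):
        print(row)
```

An empty workstation list means no 528 was recorded near the mailbox logon, and more than one entry means the time match alone is ambiguous and the records need manual review.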