Re: Someone has meddled with email forwarding for 2 Active Directory users- how can I find out who?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 12/31/04 

Date: Fri, 31 Dec 2004 01:30:52 GMT

Try enabling auditing of account management events in Domain Controller
Security policy if you have not tried that yet. I am not real familiar with
Exchange to know if that will help for sure. You also may want to post in an
Exchange newsgroup to see if there is any Exchange specific auditing that
may be enabled to track such. --- Steve

"Sw" <swilliams@cromwells.co.uk> wrote in message
news:1104324231.740476.62700@z14g2000cwz.googlegroups.com...
> We recently had what appears to be someone logging onto the Exchange
> 2000 server and setting any mail sent to two domain users to be also
> forwarded to an external recipient (Contact) that I had set up
> previously. This is the second time this has happened in 6 months, and
> meant the user whose Contact address this was, was getting mail
> destined for these 2 users- obviously a big security risk. Is there ANY
> way of finding out which domain user might have made the changes to the
> Active Directory objects for these users? Neither previously had any
> forwarding set up in Delivery Options.
>
>
> There doesn't seem to be anything in Event Viewer for this kind of
> change, and I can't see any way at all how Active Directory would
> choose to set up forwarding to an external recipient in this way.
> Furthermore this is the second time this has occurred and there appear
> to be patterns (personnel-wise) linking the two events. I'm almost
> completely certain that this is deliberate. I have been tasked with
> finding out who has done this as quickly as possible.
>
>
> This is extremely urgent, so any help anyone can give me would be much
> appreciated! Please reply to the thread or email me
> - swilliams at cromwells.co.uk. Thanks for your assistance.
>

Relevant Pages

  • Re: Urgently need help with Exchange 2000 / Active Directory security issue
    ... > We recently had what appears to be someone logging onto the Exchange ... > 2000 server and setting any mail sent to two domain users to be also ... > to the Active Directory objects for these users? ... > choose to set up forwarding to an external recipient in this way. ...
    (microsoft.public.security)
  • Urgently need help with Exchange 2000 / Active Directory security issue
    ... We recently had what appears to be someone logging onto the Exchange ... 2000 server and setting any mail sent to two domain users to be also ... Active Directory objects for these users? ... choose to set up forwarding to an external recipient in this way. ...
    (microsoft.public.security)
  • Re: Multiple Hosted Exchange instances
    ... Looking at http://support.microsoft.com/?kbid=822940 it is saying that the ... domain users from Company A will be able to see the name of the address list ... is there any way to prevent Company A from seeing the folder name as ... >>I have been told the best way to do this is to run two Hosted Exchange ...
    (microsoft.public.exchange2000.admin)
  • Read-only mailbox access, how to?
    ... I then added the Search role to Domain Users. ... as a domain user I am denied access. ... dialog in Exchange Admin doesn't even list the Search right! ... Jim Hatfield ...
    (microsoft.public.exchange.admin)
  • Re: How do I Give Power User rights to Exchange System Manager?
    ... If you are running Exchange through a smarthost you should have to be making any mods to Exchange regarding outgoing mail? ... called "Office Manager" which they can use to Remote into the Server, ... and add their domain to the Smart Host. ... needs to be added to the local security policy. ...
    (microsoft.public.windows.server.sbs)