Re: Urgently need help with Exchange 2000 / Active Directory security issue

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 01/02/05 

Date: Sat, 1 Jan 2005 22:14:51 -0500

Sw wrote:
> We recently had what appears to be someone logging onto the Exchange
> 2000 server and setting any mail sent to two domain users to be also
> forwarded to an external recipient (Contact) that I had set up
> previously. This is the second time this has happened in 6 months, and
> meant the user whose Contact address this was, was getting mail
> destined for these 2 users- obviously a big security risk. Is there
> ANY way of finding out which domain user might have made the changes
> to the Active Directory objects for these users? Neither previously
> had any forwarding set up in Delivery Options.
>
>
> There doesn't seem to be anything in Event Viewer for this kind of
> change, and I can't see any way at all how Active Directory would
> choose to set up forwarding to an external recipient in this way.
> Furthermore this is the second time this has occurred and there appear
> to be patterns (personnel-wise) linking the two events. I'm almost
> completely certain that this is deliberate. I have been tasked with
> finding out who has done this as quickly as possible.
>
> I've set auditing in Active Directory but for Exchange options I think
> you need to set it within Exchange System Manager- but can't seem to
> see where auditing for this option is set.
>
>
> This is extremely urgent, so any help anyone can give me would be much
> appreciated! Please reply to the thread or email me
> - swilliams at cromwells.co.uk. Thanks for your assistance.

Replied in m.p.exchange2000.misc. Please don't multipost - if you need to
post to multiple groups, it's best to crosspost instead, by posting a single
message to a handful of relevant groups (separate the NG names with commas)
so that everyone can follow the thread. This makes it easier for everyone,
including you.

Relevant Pages