Security Log and Application log saying different things

Security Log and Application log saying different things

Post by JCoyn » Sun, 23 Jan 2000 04:00:00



I have enable auditing for successful / failed Logon / logoff on my exchange
server. When ever someone gets there mail there are 2 entries in the
security log that indicate that they logged on and logged off, but when I go
to the application log it says that the administrator logged into the users
account and the administrator is not the primary user of that account. Iam
the administrator and Iam logged into the console when this happens, but I
never accessed there mailbox. What is this and how do I explain this to my
boss?? I don't want him thinking I spend all day reading everyones
e-mail............

 
 
 

Security Log and Application log saying different things

Post by Kirill S. Palagi » Sun, 23 Jan 2000 04:00:00



> I have enable auditing for successful / failed Logon / logoff on my exchange
> server. When ever someone gets there mail there are 2 entries in the
> security log that indicate that they logged on and logged off,

"logged on" to where?

Quote:> but when I go
> to the application log it says that the administrator logged into the users
> account and the administrator is not the primary user of that account. Iam
> the administrator and Iam logged into the console when this happens, but I

--
If you feel that anything in my post needs correction - feel free to do so (in
group).

Kirill S. Palagin

 
 
 

Security Log and Application log saying different things

Post by msnews.microsoft.co » Sun, 23 Jan 2000 04:00:00


Iam logged in to the console ( sitting in front of the server )
The users are logging into an exchange pop3 account. There *not* logging
into the domain with a microsoft client........They log into the novell side
of the network and only access the exchange server thru pop3




> > I have enable auditing for successful / failed Logon / logoff on my
exchange
> > server. When ever someone gets there mail there are 2 entries in the
> > security log that indicate that they logged on and logged off,

> "logged on" to where?

> > but when I go
> > to the application log it says that the administrator logged into the
users
> > account and the administrator is not the primary user of that account.
Iam
> > the administrator and Iam logged into the console when this happens, but
I

> --
> If you feel that anything in my post needs correction - feel free to do so
(in
> group).

> Kirill S. Palagin

 
 
 

Security Log and Application log saying different things

Post by msnews.microsoft.co » Sun, 23 Jan 2000 04:00:00


Iam logged in to the console ( sitting in front of the server )
The users are logging into an exchange pop3 account. There *not* logging
into the domain with a microsoft client........They log into the novell side
of the network and only access the exchange server thru pop3




> > I have enable auditing for successful / failed Logon / logoff on my
exchange
> > server. When ever someone gets there mail there are 2 entries in the
> > security log that indicate that they logged on and logged off,

> "logged on" to where?

> > but when I go
> > to the application log it says that the administrator logged into the
users
> > account and the administrator is not the primary user of that account.
Iam
> > the administrator and Iam logged into the console when this happens, but
I

> --
> If you feel that anything in my post needs correction - feel free to do so
(in
> group).

> Kirill S. Palagin

 
 
 

Security Log and Application log saying different things

Post by Kirill S. Palagi » Sun, 23 Jan 2000 04:00:00


You are saying
Quote:> > I have enable auditing for successful / failed Logon / logoff on my
exchange
> > server. When ever someone gets there mail there are 2 entries in the
> > security log that indicate that they logged on and logged off,

These are logons/logoffs to NT domain.

Then

Quote:> > to the application log it says that the administrator logged into the
users
> > account and the administrator is not the primary user of that account.
Iam
> > the administrator and Iam logged into the console when this happens, but

I
Those logons to mailbox.


> Iam logged in to the console ( sitting in front of the server )
> The users are logging into an exchange pop3 account. There *not* logging
> into the domain with a microsoft client........They log into the novell side
> of the network and only access the exchange server thru pop3




> > > I have enable auditing for successful / failed Logon / logoff on my
> exchange
> > > server. When ever someone gets there mail there are 2 entries in the
> > > security log that indicate that they logged on and logged off,

> > "logged on" to where?

> > > but when I go
> > > to the application log it says that the administrator logged into the
> users
> > > account and the administrator is not the primary user of that account.
> Iam
> > > the administrator and Iam logged into the console when this happens, but
> I

> > --
> > If you feel that anything in my post needs correction - feel free to do so
> (in
> > group).

> > Kirill S. Palagin

--
If you feel that anything in my post needs correction - feel free to do so (in
group).

Kirill S. Palagin

 
 
 

Security Log and Application log saying different things

Post by msnews.microsoft.co » Sun, 23 Jan 2000 04:00:00


Ok..........but why does it say that the administrator logged into the
mailbox, when the administrator didn't. There Domain user is logging into
there mailbox. why doesn't it say that? Does this have anything to do with
the fact that they don't use microsoft network client? There only using
outlook98 and connecting thru a pop3 account.
 
 
 

Security Log and Application log saying different things

Post by Kirill S. Palagi » Sun, 23 Jan 2000 04:00:00


What makes you think that those events are related to each other?


> Ok..........but why does it say that the administrator logged into the
> mailbox, when the administrator didn't. There Domain user is logging into
> there mailbox. why doesn't it say that? Does this have anything to do with
> the fact that they don't use microsoft network client? There only using
> outlook98 and connecting thru a pop3 account.

--
If you feel that anything in my post needs correction - feel free to do so (in
group).

Kirill S. Palagin

 
 
 

Security Log and Application log saying different things

Post by Rich Matheisen [MVP » Sun, 23 Jan 2000 04:00:00



>I have enable auditing for successful / failed Logon / logoff on my exchange
>server. When ever someone gets there mail there are 2 entries in the
>security log that indicate that they logged on and logged off, but when I go
>to the application log it says that the administrator logged into the users
>account and the administrator is not the primary user of that account. Iam
>the administrator and Iam logged into the console when this happens, but I
>never accessed there mailbox. What is this and how do I explain this to my
>boss?? I don't want him thinking I spend all day reading everyones
>e-mail............

Are you running any Anti-Virus software that uses MAPI? Is it running
in the security context of the administrator account?

------------------
Rich Matheisen
MCSE, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm

 
 
 

Security Log and Application log saying different things

Post by JCoyn » Mon, 24 Jan 2000 04:00:00


Yes....after reading your post and doing a little investigation, I did
discover that groupsheild was using the administrator account and checking
for viruses. Thank you for the help Rich. Kirill do everyone a favor and
don't respond to a post unless your going to provide valid information or
want to make a point.
Quote:> Are you running any Anti-Virus software that uses MAPI? Is it running
> in the security context of the administrator account?

> ------------------
> Rich Matheisen
> MCSE, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm

 
 
 

1. Strange security message in Application Log

We are incorrectly receiving the following Success Audit message in the App
Log:

Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Description:
NT User SHELLEY\user1 logged on to USER TWO mailbox, and is not the primary
Windows NT account on this mailbox.

I know this is a normal message when user1 has permissions and accesses the
user2 mailbox. (Yes, I have read Q173692, Q244305, Q147354, Q239081)   The
problem is that, in the case at hand, USER1 DOES NOT HAVE PERMISSIONS to the
USER2 mailbox!!!  And for the record, USER1 is *NOT* the Exchange Service
account.

I expect to see this message when Exchange Service account is busy doing its
thing -- and I do.  And I expect to see this message when User8 gives User9
permissions to the User8 Mailbox -- and I do.

But in this case, the permissions have definitly not been granted, and the
USER1 claims they are not even attempting to access the USER2 mailbox -- and
yet the system is logging that they are.

Any ideas?  Corrupt user profile?  Corrupt IS?  Any help would be
appreciated!

Peter Mosier, PEng.

2. Anyone use 2 or more Anti-Virus addins to exchange

3. After new installation of Exchange 5.5, Application log continues to run full with security violations

4. Send email through smtp connector

5. EXCHANGE EVENT LOG & APPLICATION LOG ERROR

6. Mailbox not in distribution list but receiving emails

7. Need help connecting 2 sites over the internet

8. Application Log Full because of IMS log messages.

9. MSExchaneIS Warning logged in Application log

10. Event ID 1000 Is Logged in the Application Event Log

11. Security Log - No logging

12. No events being logged in security log