07-08-2008, 10:48 PM
Join Date: Jul 2008
Post Thanks: 0
Thanked 0 Times in 0 Posts
Basically what I am seeing is the besadmin account may not touch say my account for 4 or 5 days, THEN all of a sudden I will see it access my account (and other managers) 3 or 4 times in one day. Let me add that when I do finally see it access my exchange account at no time that it accessed my account did I do a manual sync, access my calendar or do anything to my blackberry other than possibly unlock it (which I know has NO bearing on my exchange account.....).
As for IP's the only way to really track the IP access is to sync it up with the domain controller that the person logs into, but there is always a bit of a lag between when they log in and when they access something.
But here is the catch, you can "impersonate" another user when logging into an exchange server or someone's mail account. I will not go into the details, but you can log into your workstation as one user then access a mail account and show up as a TOTALLY different user in the logs and as long as you are an admin there is no audit trail.
Microsoft in their infinite wisdom figures that if you have admin priv that you belong there and there is NO audit trail to really track the activities of someone with admin priv other than 3rd party apps (I have been on the phone with MS for hours asking them if they really were serious about that statement and went thru both level 1 and level 2 of the exchange, active directory and security teams on this matter).