ms exchange 2000 server - need a readable usage log

[OUPA]MrNutz

Hi Friends

i have minimal experience with exchange - trying to help out someone.

company XYZ had an employee who was in a position of knowing the CEO's outlook username and password...so X did a setup on his desktop of his outlook for the CEO's profile

person X went on to tell my friend Y verbatim what a particular email contained, Y stripped his moer - breach of protocol - went to the CEO and person X got dismissed.

now X wants to protest - unfair dismissal - but we must prove somehow that indeed he did access the exchange server from a particular pc.

they use static ips, pc names etc.

i got a few lines on the web talking about a log parser for exchange - but can't find a software util /tool that can help me...don't even know where this raw log is - or what to do with it...

pretty pretty please with a cherry on the top help me!

thx
 
Check for a locally stored cache copy of the CEO's mailbox on computer X, under his own profile. If it is there he accessed the CEO's mailbox.
 
Try Sawmill. It's a universal log analyzer, supporting 737 log types (apparently). A trial version is available, so you might want to try it out, and see if it works.
 
negative on the profile under documents & settings...

it's not a case of X logging on as the CEO...in windows

it's logging in under outlook as CEO - with HIS own profile.

the PST/outlook files are hosted server side as per normal.

any ideas :)

the sawmill looks like it only works AFTERWARDS not analyzing previously stored logs.
 
I think what Franna was trying to say was.

If a cached copy of the CEO's mail exists under X's windows profile, then it is proof that the CEO's email was visited from X's windows profile, on that machine. A further point, go check his Outlook settings. He may still have the account set up in Outlook itself, and then you can check to see where the cache would be kept.
 
Check on X's computer:

C:\Documents and Settings\<USERX>\Local Settings\Application Data\Microsoft\Outlook\*.OST
 
Just a further question. Did X have access to CEO's PC at any stage? Did X have access to the Exchange server at any stage? If not, then it is merely a matter of proving he accessed it from his machine, which he was not allowed to do. However, if he so much as had some rights to access the Server or the CEO's machine, he could have accessed the mail that way. On the exchange server, he could set up forwarding etc. Or worse yet, if he could get the CEO's machine while he had Outlook open, then it's impossible to prove, as the company let him into the situation of viewing the CEO's email. For eg, my MD calls me to come show him how to cut and paste. He has important mail open. I read it. I divulge, (OK, apart from the confidentiality clause I signed), they cannot fire me, as I did not maliciously open the mail, as it was presented to me, inadvertently.

If X is just a dirty rat, who discovered the password somehow, and created the profile in Outlook, then he deserves to be fired, and expect him to fight dirty. Don't use Outlook myself, nor Exchange, so can't help on details of log structure etc. But good luck
 
On the server, do a search for *.log and sort by date modified. The log files might be set to overwrite each other, to save space, so you might not be able to find anything.
That should help you find the log files. I don't know what format they are, hopefully, like linux, you should be able to open it in notepad.
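
Added example, not part of the original posts: a read-only inventory that serves both the `*.OST` check on X's computer and the `*.log` search on the server suggested above, recording size, modification time and SHA-256 for each match so a file can be identified later without opening it in Outlook or Notepad. It assumes it is run against a copy or read-only mount of the disk; the name `inventory` and its parameters are illustrative.

```python
import fnmatch
import hashlib
import os
import sys
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks, opening it for reading only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root, patterns):
    """Return files under root matching any pattern, newest modification first.

    Names are compared case-insensitively, as Windows does, so "*.ost"
    also finds OUTLOOK.OST. Unreadable files are reported, not skipped.
    """
    wanted = [p.lower() for p in patterns]
    rows = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatchcase(name.lower(), p) for p in wanted):
                continue
            path = os.path.join(folder, name)
            try:
                info = os.stat(path)
                digest = sha256_of(path)
            except OSError as exc:  # locked or access denied: note it, keep going
                rows.append({"path": path, "mtime": 0, "error": str(exc)})
                continue
            stamp = datetime.fromtimestamp(info.st_mtime, timezone.utc)
            rows.append({
                "path": path,
                "size": info.st_size,
                "mtime": info.st_mtime,
                "modified_utc": stamp.isoformat(),
                "sha256": digest,
            })
    return sorted(rows, key=lambda r: r["mtime"], reverse=True)


if __name__ == "__main__":
    # Assumed usage: python inventory.py <read-only copy of the disk> "*.ost" "*.log"
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for row in inventory(root, sys.argv[2:] or ["*.ost", "*.log"]):
        print(row)
```

An empty result for `*.ost` under X's profile is consistent with the mailbox being used without a local cache, so it does not by itself rule the access in or out.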
 
X is the head I.T manager, hence knows the domain admin username and password - thus all access he can organize and rig.

the thing is just that he disclosed his access of the CEO's email to the 2nd in command tech and this tech went directly to the CEO and <---- dismissed the head manager (X)....

so he basically sat with his laptop - logged in as his normal profile - but decided to do some huisgenoot reading in the CEO's outlook profile

so c:\doc&set\X is just his normal acc - which has no evidence...
all outlook info stored server side.

and yeah
bitch slap to them - as they don't have protocol on email access and so forth.

CEO's laptop is in a foreign language....but some of the communication happens in english..
 
Bit of a wild attempt here, but grab his Event Viewer logs. There may be something in there, from an authentication point of view. Maybe he logged into the profile with a wrong profile at some stage, and it logged it. It MAY help you. (Happens with Lotus Notes setup we have)
 
i'll let them look into that..

since it's a foreign language windows XP - i don't think that the windows profile was of any use to him...

only the outlook

thx
 
Try the guys at msexchange.org - somebody might be able to help out there.

It's a sticky situation.

Good luck.
 
yeah because it's a case of the CEO told him to take his things and go.

he wants to counter it...but CEO wants them to get concrete evidence to make his dismissal permanent...

so it's a person's word vs (we all know u did it).

sigh

tks
 
If it can be proven that X did have an extra profile to access the CEO's mail then that might be possible to use as evidence.

Also, do check the mailbox rules on the CEO's Outlook as well to see if there is no "forwarding a copy" enabled.

On Exchange 2000 itself, check if the CEO's settings include to forward mails to other persons as well.

I've worked with Exchange 2003, so I doubt whether Exchange 2000 will have those features.
 