Microsoft KB Archive/810929

= XADM: Security Events Do Not Specify Audited Actions =

Article ID: 810929

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Server Standard Edition

-



SYMPTOMS
When you configure security auditing on public folders that are in your Exchange 2000 Server organization, Security events that are related to public folder access may not appear as you expect.

When you view the events in the Security log of the Event Viewer, entries appear that indicate that an auditable event has occurred, but you receive no indication about what particular event occurred. You notice events that are similar to the following: Date:    date          Source:   Security Time:    time          Category: Object Access Type:    Success       Event ID: 565 User:    Example\Administrator Computer: Servername

Description: Object Open: Object Server:       Microsoft Exchange Object Type:         Microsoft Exchange Database Object Name:         [Public Folders]/foldername New Handle ID:       0 Operation ID:        {0,4311375} Process ID:          2172 Primary User Name:   SERVERNAME$ Primary Domain:      EXAMPLE Primary Logon ID:    (0x0,0x3E7) Client User Name:    Administrator Client Domain:       EXAMPLE Client Logon ID:     (0x0,0x2E78E) Accesses             Unknown specific access (bit 8)

Privileges           -

Properties: Unknown specific access (bit 8) Modify public folder replica list Administer information store %{d74a8774-2289-11d3-aa62-00c04f8eedd8} Mail-enable public folder Modify public folder deleted item retention Modify public folder expiry Modify public folder quotas View information store status Create top level public folder Create public folder Create named properties in the information store Modify public folder ACL Modify public folder admin ACL

You may not be able determine the specific action that triggers the Security event. Additionally, if changes are made to the public folder by using Outlook Web Access (OWA), no Security events are logged.



CAUSE
This problem occurs because the operation that is performed on the public folder is not logged together with the success or failure audit. As of December 2002, there is no way to turn up logging or auditing to enable this feature.



WORKAROUND
To work around this problem:  Create a synchronous event sink that logs the actions as they occur. Create a modified workflow program. For additional information about Workflow Designer for Exchange 2000 Server, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms876488.aspx





STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For additional information about how to configure auditing, click the following article number to view the article in the Microsoft Knowledge Base:

314955 HOW TO: Audit Active Directory Objects in Windows 2000

Keywords: kbbug kbprb KB810929

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.