XADM: Security Events Do Not Specify Audited Actions (810929)



The information in this article applies to:

  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Server

SYMPTOMS

When you configure security auditing on public folders that are in your Exchange 2000 Server organization, Security events that are related to public folder access may not appear as you expect.

When you view the events in the Security log of the Event Viewer, entries appear that indicate that an auditable event has occurred, but you receive no indication about what particular event occurred. You notice events that are similar to the following:
Date:     date          Source:   Security
Time:     time          Category: Object Access
Type:     Success       Event ID: 565
User:     Example\Administrator
Computer: Servername

Description:
Object Open:
         Object Server:        Microsoft Exchange
         Object Type:          Microsoft Exchange Database
         Object Name:          [Public Folders]/foldername
         New Handle ID:        0
         Operation ID:         {0,4311375}
         Process ID:           2172
         Primary User Name:    SERVERNAME$
         Primary Domain:       EXAMPLE
         Primary Logon ID:     (0x0,0x3E7)
         Client User Name:     Administrator
         Client Domain:        EXAMPLE
         Client Logon ID:      (0x0,0x2E78E) 
         Accesses              Unknown specific access (bit 8)

         Privileges            -


 Properties:
Unknown specific access (bit 8)
                  Modify public folder replica list
                  Administer information store
                  %{d74a8774-2289-11d3-aa62-00c04f8eedd8} 
                  Mail-enable public folder
                  Modify public folder deleted item retention
                  Modify public folder expiry
                  Modify public folder quotas
                  View information store status
                  Create top level public folder
                  Create public folder
                  Create named properties in the information store
                  Modify public folder ACL
                  Modify public folder admin ACL


You may not be able to determine the specific action that triggers the Security event. Additionally, if changes are made to the public folder by using Outlook Web Access (OWA), no Security events are logged.
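Because the event does not name the action, triage has to rely on the fields it does carry. The following is an added example, not part of the original article or any Microsoft tool: it parses an event 565 description, assumed to be exported as text in the layout shown above, and reports the folder, the client account, and whether the Accesses field names an action. The function names and the trimmed sample event are constructed for illustration.

```python
import re

# Constructed sample: an event 565 description in the layout shown in the article.
SAMPLE_EVENT = """\
Object Open:
         Object Server:        Microsoft Exchange
         Object Type:          Microsoft Exchange Database
         Object Name:          [Public Folders]/foldername
         Client User Name:     Administrator
         Client Domain:        EXAMPLE
         Client Logon ID:      (0x0,0x2E78E)
         Accesses              Unknown specific access (bit 8)
         Privileges            -

 Properties:
Unknown specific access (bit 8)
                  Modify public folder ACL
                  Modify public folder admin ACL
"""

# Most fields are "Name:   value"; Accesses and Privileges have no colon,
# so a run of two or more spaces is also accepted as the separator.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)(?::\s+|\s{2,})(\S.*?)\s*$")
UNKNOWN = re.compile(r"Unknown specific access \(bit (\d+)\)")

def parse_event_565(description):
    """Return the header fields plus the lines listed under 'Properties:'."""
    fields, properties, in_props = {}, [], False
    for line in description.splitlines():
        text = line.strip()
        if text == "Properties:":
            in_props = True
        elif in_props and text:
            properties.append(text)
        elif not in_props and (m := FIELD.match(line)):
            fields[m.group(1)] = m.group(2)
    fields["Properties"] = properties
    return fields

def triage(description):
    """Summarise who opened which folder and whether the action is named."""
    ev = parse_event_565(description)
    bits = [int(b) for b in UNKNOWN.findall(ev.get("Accesses", ""))]
    return {
        "folder": ev.get("Object Name"),
        "client": f'{ev.get("Client Domain")}\\{ev.get("Client User Name")}',
        "logon_id": ev.get("Client Logon ID"),
        "action_named": not bits,   # False: event does not say what was done
        "unknown_bits": bits,
    }
```

Events flagged with action_named set to False identify only the account and folder, and because changes made through OWA are not logged at all, the absence of such events does not show that a folder was left unchanged.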

CAUSE

This problem occurs because the operation that is performed on the public folder is not logged together with the success or failure audit. As of December 2002, there is no way to turn up logging or auditing to enable this feature.

WORKAROUND

To work around this problem:

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For additional information about how to configure auditing, click the following article number to view the article in the Microsoft Knowledge Base:

314955 HOW TO: Audit Active Directory Objects in Windows 2000


Modification Type: Minor
Last Reviewed: 6/13/2003
Keywords:kbBug kbprb KB810929