Yes, you have to call PSS. It should be a free call.

Part of a PF deletion on Exchange 2000 involves the PF object being deleted from “Microsoft Exchange System Objects” in your A/D (the domain partition). Exchange 2003 handles it a bit differently.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, January 26, 2006 12:43 PM
To: [email protected]
Subject: Re: [ActiveDir] Public folder deletion audit(OT)

So I have to call PSS to get this hotfix, I take it?

Also, the event ID 565 that was logged for the public folder directory object deletion, is that because Exchange is cleaning up the object from AD after a user deleted it via MAPI?

Thanks again. Sorry I couldn't wait for you to get out of your meeting :)

On 1/26/06, Michael B. Smith <[EMAIL PROTECTED]> wrote:

You just posted there a little while ago. I was in a meeting. :-P

Exchange Server 2003 service pack 2 adds functionality to meet this need.

For earlier versions of Exchange, see

http://support.microsoft.com/kb/884863/

There might be third party stuff that does what you want, but I'm not aware of it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, January 26, 2006 12:21 PM
To: activedirectory
Subject: [ActiveDir] Public folder deletion audit(OT)

Hey guys, I've tried googling this and posting on the Exchange list at webelists.com with no luck-

I'm running Exchange 2k post sp3 rollup.

I have "Directory Access" auditing enabled on the domain controllers OU.

This morning someone deleted a mail enabled public folder and the only event I get is this-

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date:  1/26/2006
Time:  8:08:10 AM
User:  MYDOMAIN\MYDC$
Computer: MYDC
Description:
Object Open:
  Object Server: DS
  Object Type: publicFolder
  Object Name: %{ececd715-14da-44bb-919b-0bf8ac8d07ca}
  New Handle ID: 0
  Operation ID: {0,2476766380}
  Process ID: 304
  Primary User Name: MYDC$
  Primary Domain: MYDOMAIN
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: MYEXCHANGESERVER$
  Client Domain: MYDOMAIN
  Client Logon ID: (0x0,0x93421897)
  Accesses  DELETE
  Privileges  -
  Properties:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .

MYDC is the DC the delete took place on and MYEXCHANGESERVER is the Exchange server hosting this folder.

However, by reading the event, it looks like the Exchange server deleted the folder.

I know that's not right.

Is it that someone deleted the MAPI folder through Outlook and then Exchange cleaned up the folder object from AD?

If so, how can I audit the MAPI public folder deletions?

Thanks a lot
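
Added example, not part of the original thread: a small parser for the event 565 description quoted above that separates publicFolder deletes whose Client User Name is a computer account (trailing "$") from deletes that name a user account. The function names and result labels are hypothetical, and the parser assumes the single-line field layout shown in the post.

```python
import re

# Event 565 description text as posted in the thread (names are the poster's placeholders).
SAMPLE_EVENT = """\
Object Open:
  Object Server: DS
  Object Type: publicFolder
  Object Name: %{ececd715-14da-44bb-919b-0bf8ac8d07ca}
  New Handle ID: 0
  Operation ID: {0,2476766380}
  Process ID: 304
  Primary User Name: MYDC$
  Primary Domain: MYDOMAIN
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: MYEXCHANGESERVER$
  Client Domain: MYDOMAIN
  Client Logon ID: (0x0,0x93421897)
  Accesses  DELETE
  Privileges  -
"""

def parse_565(text):
    """Return the description fields of one event 565 record as a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # 'Accesses' and 'Privileges' are separated from their value by spaces, not ':'
        m = re.match(r"(Accesses|Privileges)\s+(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Label a parsed 565 record for public folder deletion review."""
    is_delete = re.search(r"\bDELETE\b", fields.get("Accesses", ""))
    if fields.get("Object Type") != "publicFolder" or not is_delete:
        return "not-a-pf-delete"
    # A trailing '$' marks a computer account: the record names a server,
    # not a person, so it cannot attribute the delete to a mailbox user.
    if fields.get("Client User Name", "").endswith("$"):
        return "pf-delete-by-computer-account"
    return "pf-delete-by-user"

if __name__ == "__main__":
    print(triage(parse_565(SAMPLE_EVENT)))
```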

 
