Just verified we do not have object access auditing enabled in the domain controller policy, although it is enabled on the default computer policy. This issue is compounded by the fact that the user in question exists in a different domain that is managed by a different IS group - and I can't get to their tracking logs. We are both in child domains of a root domain. I can ask their guys to verify, but I think you provided me with the information I needed to know - sounds like in order to track those types of changes, we would have to enable object access auditing.
Thanks,
James Winzenz
Infrastructure Systems Engineer II - Security
Pulte Homes Information Services

________________________________
From: Michael B. Smith [mailto:mich...@theessentialexchange.com]
Sent: Monday, February 23, 2009 4:34 PM
To: MS-Exchange Admin Issues
Subject: RE: question about modifying allowed senders to a distribution list

It's far too late. You would have to have object auditing enabled in your AD. Even though the attribute is an Exchange-related attribute, it is stored in AD and obeys AD auditing principles.

That being said, do your message tracking logs agree with the user that she was able to send to the list as of last Thursday? That would be where I would start my investigation.

From: James Winzenz [mailto:james.winz...@pulte.com]
Sent: Monday, February 23, 2009 5:28 PM
To: MS-Exchange Admin Issues
Subject: question about modifying allowed senders to a distribution list

Good afternoon all,

We recently had an issue where a user was removed from being able to send TO a distribution list that has been configured to only accept messages from certain individuals on the Exchange General tab. Environment is Exchange 2003 SP2. In ADUC, the object tab in the properties of the distribution list shows that it was last modified on 2/2. Yet the individual in question indicated he was able to send to the distribution list as recently as last Thursday (2/19). There do not appear to be any security logs pertaining to this change generated by any of our DCs (which I didn't really expect, since this was an Exchange property that was modified).

My question is this - is this something that would be logged somewhere within Exchange? If so, would I need to have logging levels turned way up to find it (if so, too late)? Sorry, I always have the weird questions - please let me know if more details are needed. I have checked Google, my googlefu is weak today . . .
Thanks,
James Winzenz
Infrastructure Systems Engineer II - Security
Pulte Homes Information Services
Telefax: (602) 797-5823

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you.