Someone has meddled with email forwarding for 2 Active Directory users- how can I find out who?

Discussion in 'Security Software' started by Sw, Dec 29, 2004.

  1. Sw

    Sw Guest

    We recently had what appears to be someone logging onto the Exchange
    2000 server and setting any mail sent to two domain users to be also
    forwarded to an external recipient (Contact) that I had set up
    previously. This is the second time this has happened in 6 months, and
    meant the user whose Contact address this was, was getting mail
    destined for these 2 users- obviously a big security risk. Is there ANY
    way of finding out which domain user might have made the changes to the
    Active Directory objects for these users? Neither previously had any
    forwarding set up in Delivery Options.

    There doesn't seem to be anything in Event Viewer for this kind of
    change, and I can't see any way at all how Active Directory would
    choose to set up forwarding to an external recipient in this way.
    Furthermore this is the second time this has occurred and there appear
    to be patterns (personnel-wise) linking the two events. I'm almost
    completely certain that this is deliberate. I have been tasked with
    finding out who has done this as quickly as possible.

    This is extremely urgent, so any help anyone can give me would be much
    appreciated! Please reply to the thread or email me
    - swilliams at Thanks for your assistance.
    Sw, Dec 29, 2004
    1. Advertisements

  2. Try enabling auditing of account management events in Domain Controller
    Security policy if you have not tried that yet. I am not real familiar with
    Exchange to know if that will help for sure. You also may want to post in an
    Exchange newsgroup to see if there is any Exchange specific auditing that
    may be enabled to track such. --- Steve
    Steven L Umbach, Dec 31, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.