Event Details
EventID 50 - Prevention of user mailbox access rights modification.
 Sample:
Event Type:     Warning
Event Source:   ITAD Directory Changes
Event Category: None
Event ID:       50
Date:           10/30/2009
Time:           07:46:04
User:           NT AUTHORITY\SYSTEM
Computer:       DC1
Description:    
ChangeAuditor for Active Directory prevented modification of user mailbox access rights.
	Client Computer : 10.0.0.1
	User Object DN : CN=Daniel Krane,CN=Users,DC=research,DC=corp
	User Object GUID : {9DD9B58F-9548-4EE8-A852-7911C763BF7B}
	Action: ACE Modification
	Type: Permission Allow
	Trustee: NT AUTHORITY\SELF
	Trustee Type: Well Known Group
	Apply To: This object and subcontainers
	Old Rights: Full mailbox access, Send As, Read Permissions
	New Rights: Full mailbox access, Send As, Read Permissions, Take ownership
	Request ID : {C4220D64-6187-4000-9E9C-797FAF9333F0}
===========================
Description template:
===========================
ChangeAuditor for Active Directory prevented modification of user mailbox access rights.
   Client Computer : %13
   User Object DN : %1
   User Object GUID : %3
   Action: %4
   Type: %5
   Trustee: %6
   Trustee Type: %7
   Apply To: %8
   Old Rights: %10
   New Rights: %11
   Request ID : %12
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: InTrust for AD
| Filtering Field | Equals to Value |
| --- | --- |
| Source | ITAD Directory Changes |
| EventId | 50 |
Field Matching
| Field | Description | Stored in | Sample Value |
| --- | --- | --- | --- |
| When | At what date and time a user activity originated in the system. | DateTime | 1/1/2000 |
| Who | Account or user name under which the activity occurred. | User | SomeUser |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Attempt to Change User Mailbox Rights" | Attempt to Change User Mailbox Rights |
| Where | The name of the workstation/server where the activity was logged. | Computer | 10.10.10.10 |
| Where From | The name of the workstation/server where the activity was initiated from. | Client Computer | 10.0.0.1 |
| Severity | Specify the seriousness of the event. | "Medium" | Medium |
| WhoDomain | - | | |
| WhereDomain | - | | |
| Object Type | The type of object whose permissions were changed (e.g. AD object, file, registry, etc.) | "mailbox" | mailbox |
| Object Name | The name of the object whose permissions were changed (e.g. full system path to the file or folder) | Object DN | CN=Daniel Krane,CN=Users,DC=research,DC=corp |
| To Whom | Account whose access permissions to the object were changed | Trustee | NT AUTHORITY\SELF |
| Result | Successful or Failed | "Protected" | Protected |