Event Details
Operating System->Microsoft Windows->Application logs->Quest->Change Auditor->Change Auditor for Exchange->Permissions change->EventID 200 - User modified folder permissions in another user's mailbox.
EventID 200 - User modified folder permissions in another user's mailbox.
 Sample: 
Event Type:     SuccessAudit
Event Source:   InTrust for Exchange
Event Category: Permissions change
Event ID:       200
Date:           11/9/2009
Time:           10:10:58
User:           RESEARCH\ALebovsky
Computer:       DC1
Description:    
User modified folder permissions in another user's mailbox:

	User Name: ALebovsky 

	User Domain: research.corp 

	User Displayname: Alex Lebovsky 

	Mailbox Name: Daniel Krane 

	Owner Name: DKrane 

	Owner Domain: research.corp 

	Mailbox legacyExchangeDN: /o=Research corp/ou=First Administrative Group/cn=Recipients/cn=DKrane 

	Client IP: 10.0.0.1 

	Folder Name: Calendar 

	Folder Path: / 

	To Account: RESEARCH\CBrown 

	New Permissions: 

		Create items: %N/A 

		Read items: %N/A 

		Create subfolders: %N/A 

		Folder owner: %N/A 

		Folder contact: %N/A 

		Folder visible: %N/A 

		Edit items: %N/A 

		Delete items: %N/A 

	Old Permissions: 

		Create items: %true 

		Read items: %true 

		Create subfolders: %false 

		Folder owner: %false 

		Folder contact: %false 

		Folder visible: %true 

		Edit items: %all 

		Delete items: %all
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: InTrust for Exchange
Filtering Field Equals to Value
Category ITEX:Permissions change
Source InTrust for Exchange
EventId 200
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category AttestationReview
User Name InsertionString1 ALebovsky
User Domain InsertionString2 research.corp
Mailbox Name InsertionString3 Daniel Krane
Mailbox legacyExchangeDN InsertionString6 /o=Research corp/ou=First Administrative Group/cn=Recipients/cn=DKrane
Client IP InsertionString8 10.0.0.1
User Displayname InsertionString7 Alex Lebovsky
Owner Name InsertionString4 DKrane
Owner Domain InsertionString5 research.corp
Folder Name InsertionString10 Calendar
Folder Path InsertionString12 /
To Account InsertionString13 RESEARCH\CBrown
Old Permissions: Create items InsertionString24 %true
Old Permissions: Read items InsertionString25 %true
Old Permissions: Create subfolders InsertionString26 %false
Old Permissions: Folder owner InsertionString27 %false
Old Permissions: Folder contact InsertionString28 %false
Old Permissions: Folder visible InsertionString29 %true
Old Permissions: Edit items InsertionString30 %all
Old Permissions: Delete items InsertionString31 %all
New Permissions: Create items InsertionString14 %true
New Permissions: Read items InsertionString15 %true
New Permissions: Create subfolders InsertionString16 %false
New Permissions: Folder owner InsertionString17 %false
New Permissions: Folder contact InsertionString18 %false
New Permissions: Folder visible InsertionString19 %true
New Permissions: Edit items InsertionString20 %all
New Permissions: Delete items InsertionString21 %all
Comments
You must be logged in to comment