Calendar access triggering security alert in Exchange 2003 RRS feed

  • Question

  • It's my understanding that viewing the calendar details of another user's mailbox in Exchange 2003 may trigger an Event ID of 1016, in the 'Logons' category.  Does this behavior vary depending on which Outlook client is being used (2003 vs. 2010 vs. 2013)?

    The referenced kb articles advise against using this event for auditing purposes, but this is event is only being logged by a few users, and if it's calendar access, you would expect more users to be triggering the event.  These users occasionally use Outlook 2003, whereas most of the company uses 2007 or above.  The theory is that the older client may trigger the event while newer clients don't.

    This event description is as follows: "Description: Windows 2000 User NT AUTHORITY\SYSTEM logged on to mailbox@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox. "

    References: kb articles 867640 & 301328

    • Edited by JasonBudd Thursday, June 27, 2013 7:25 PM More relevant title
    Thursday, June 27, 2013 1:20 PM


  • Hi,

    I only explained this KB applied to those version, but it doesn't mean that it only occur on Outlook 2003 or Exchange 2003, in later version, maybe it has been changed or fixed, at present, you can refer to "properties ">>"applied to " in these article .

    Wendy Liu
    TechNet Community Support

    • Marked as answer by wendy_liu Sunday, July 7, 2013 3:10 PM
    Saturday, June 29, 2013 9:26 AM