Share via

Exchange Server is modifying GPOs in AD

ImedJrad-7062 40 Reputation points
2024-05-10T08:14:44.0433333+00:00

Hello Everyone,

in our SIEM, we are getting more than 300 incident a day that a GPO has been modified by the exchange server machine account and the Property Name: msExchMailboxAuditLastAdminAccess.

Can anyone please explain this incident, and give us tips on if we should ignore it or if we should some changes on Exchange or AD server.

Thanks

Exchange | Exchange Server | Other
Exchange | Exchange Server | Management
Accepted answer
  1. Anonymous
    2024-05-23T09:49:38.72+00:00

    Hi @I-med,

    Thanks for your response.

    As Andy David said, mailbox auditing is enabled by default. 'msExchMailboxAuditLastAdminAccess' is the name of an Active Directory property. This property is used to record the last time an administrator accessed the Exchange mailbox. This value will change when the administrator accesses the mailbox. If it does not affect your normal use of Exchange Server, it is recommended that you ignore the change in this value.

    User's image

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2024-05-10T11:01:48.0966667+00:00

    Mailbox Auditing is enabled by default so that is prob expected. What exactly is getting changed according the alerts?

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.