This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 27%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI7%3C/text%3E%3C/svg%3E)
Hello Everyone,
in our SIEM, we are getting more than 300 incident a day that a GPO has been modified by the exchange server machine account and the Property Name: msExchMailboxAuditLastAdminAccess.
Can anyone please explain this incident, and give us tips on if we should ignore it or if we should some changes on Exchange or AD server.
Thanks
A robust email, calendaring, and collaboration platform developed by Microsoft, designed for enterprise-level communication and data management.Miscellaneous topics that do not fit into specific categories.
The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @I-med,
Just circling back to check to see how things are going on with this thread. Should you need more help on this, you can feel free to post back.
Hello @Anonymous ,
thanks for asking, no the issue is still there
Answer accepted by question author
Hi @I-med,
Thanks for your response.
As Andy David said, mailbox auditing is enabled by default. 'msExchMailboxAuditLastAdminAccess' is the name of an Active Directory property. This property is used to record the last time an administrator accessed the Exchange mailbox. This value will change when the administrator accesses the mailbox. If it does not affect your normal use of Exchange Server, it is recommended that you ignore the change in this value.
Please feel free to contact me if you have any queries.
Best,
Jake Zhang
Hi @I-med,
Just wanted to check if the answer shared below helped. If it helped, then would request you to please "Accept the answer" as it would be helpful to others in the community as well. Thanks for your understanding.
Best,
Jake Zhang
Hi @I-med,
I would like to know if the problem has been solved. If you still have questions, please feel free to leave me a comment so that I can help you.
Best,
Jake Zhang
Mailbox Auditing is enabled by default so that is prob expected. What exactly is getting changed according the alerts?