Exchange Server is modifying GPOs in AD

ImedJrad-7062 40 Reputation points
2024-05-10T08:14:44.0433333+00:00

Hello Everyone,

in our SIEM, we are getting more than 300 incident a day that a GPO has been modified by the exchange server machine account and the Property Name: msExchMailboxAuditLastAdminAccess.

Can anyone please explain this incident, and give us tips on if we should ignore it or if we should some changes on Exchange or AD server.

Thanks

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,362 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,698 questions
{count} votes

Accepted answer
  1. Jake Zhang-MSFT 7,230 Reputation points Microsoft Vendor
    2024-05-23T09:49:38.72+00:00

    Hi @I-med,

    Thanks for your response.

    As Andy David said, mailbox auditing is enabled by default. 'msExchMailboxAuditLastAdminAccess' is the name of an Active Directory property. This property is used to record the last time an administrator accessed the Exchange mailbox. This value will change when the administrator accesses the mailbox. If it does not affect your normal use of Exchange Server, it is recommended that you ignore the change in this value.

    User's image

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Andy David - MVP 150K Reputation points MVP
    2024-05-10T11:01:48.0966667+00:00

    Mailbox Auditing is enabled by default so that is prob expected. What exactly is getting changed according the alerts?


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.