Large number of alerts for HealthMailboxXX and S-1-5-21-XXXX-XXXX-XXX-XXX attempt was made to reset an accounts password

KjstechO365 81 Reputation points
2021-01-20T16:48:44.293+00:00

Our log management tool just blasted out a ton of emails things like HealthMailboxbb89541, S-1-5-21-57989841-448539723-XXXXXXXXX-XXXX, etc.... event code 4724 from security, audit success, an attempt was made to reset an account's paswsowrd, account name MAIL01$.

In all these alerts the HealthMailboxbb has different numbers at the end, and we are also seeing dest_user like SM_3635897e3b604610a etc and others, and this is coming in multiple emails from each of our 3 DC's.

Now our CIO is worried and he is asking if anybody is doing something. I'm thinking this is general exchange account maintenance, like a mechanism built in to keep the account credentials rolling for security purposes. What should I tell him?
Thanks!

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,974 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,386 questions
{count} votes

Accepted answer
  1. Andy David - MVP 142.7K Reputation points MVP
    2021-01-20T16:52:07.333+00:00

    Could be normal, but hard to know from here.
    If there are any concerns, I would simply recreate the montoring mailboxes per this article:
    Exchange will handle the resets:

    https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-2013-2016-monitoring-mailboxes/ba-p/611004

    Password resets
    HM Worker is responsible for maintaining the password for Monitoring mailboxes. HM worker uses a complex algorithm to generate password to be used for monitoring mailbox. The password for monitoring mailbox is reset under the following conditions:
    A new health mailbox is being created
    Each time HM Worker process starts and is not able to retrieve the existing password for the monitoring mailbox
    Any other scenario where HM Worker is not able to get hold of existing password for the monitoring mailbox
    Best practices
    Here are some best practices regarding management of user accounts associated with monitoring mailboxes as well as mailboxes themselves:
    Do not apply third party customized password policies to user accounts of monitoring mailboxes
    Exclude monitoring mailboxes from user account lockout policies
    Do not move the user accounts out from the Monitoring Mailboxes container
    Do not change the user account properties, like restricting password change etc.
    Do not change AD permission inheritance
    Since HM worker handles password resets for monitoring mailboxes, in a large environment, it is normal to see increased password reset traffic for monitoring mailbox accounts; note that doing one of the things above might increase the frequency of those resets
    Do not move the monitoring mailboxes between mailbox databases
    Do not apply mailbox quotas to monitoring mailboxes
    If applying a retention policy, ensure the data within the monitoring mailbox is retained for a minimum of 30 days before being deleted

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful