Exchange Server is modifying GPOs in AD

ImedJrad-7062 40 Reputation points
2024-05-10T08:14:44.0433333+00:00

Hello Everyone,

in our SIEM, we are getting more than 300 incident a day that a GPO has been modified by the exchange server machine account and the Property Name: msExchMailboxAuditLastAdminAccess.

Can anyone please explain this incident, and give us tips on if we should ignore it or if we should some changes on Exchange or AD server.

Thanks

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,169 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,465 questions
Accepted answer
  1. Jake Zhang-MSFT 2,635 Reputation points Microsoft Vendor
    2024-05-23T09:49:38.72+00:00

    Hi @I-med,

    Thanks for your response.

    As Andy David said, mailbox auditing is enabled by default. 'msExchMailboxAuditLastAdminAccess' is the name of an Active Directory property. This property is used to record the last time an administrator accessed the Exchange mailbox. This value will change when the administrator accesses the mailbox. If it does not affect your normal use of Exchange Server, it is recommended that you ignore the change in this value.

    User's image

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 144.2K Reputation points MVP
    2024-05-10T11:01:48.0966667+00:00

    Mailbox Auditing is enabled by default so that is prob expected. What exactly is getting changed according the alerts?