Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1016 Source: MSExchangeISMailboxStore

<user name> logged on to <mailbox name> mailbox, and is not the primary Windows 2000 account on this mailbox.
ME839862 provides information on troubleshooting the RPC Cancel Request dialog box in Outlook 2003 or in Outlook 2002. It has information that might prove useful in troubleshooting this event.

Read McAfee solution nai30262 for information on McAfee GroupShield 5.0.2 for Microsoft Exchange 5.5. Go to the McAfee Knowledge Search page and search for this solution to read it.
As per Microsoft: "This behavior occurs as a result of the security auditing features of Exchange 2000. When a user who is not the primary account associated with a particular mailbox logs on to that mailbox, this event is logged to prevent unauthorized users from accessing private mailbox data". See ME278000 for details on this event.

See ME867640 and MSEX2KDB for additional information about this event.
It is important to analyze the actual user names displayed in the event and see if any Exchange operation would somehow authorize them to login to that mailbox (i.e. accounts used by backup services, assistants logging in to their bosses schedule, antivirus, etc...). However, this event may as well indicate that someone unauthorized managed to access that mailbox.

As per ME173692, this event may be generated in the Application Event log when you attempt to access another user's mailbox or schedule.

From newsgroup posts:
- "This will also occurr if anyone browses your free/busy information, etc. A whole lot of benign things will generate that message."
- "You may have email anti virus software which scans your mailbox, or backup software, each would require to access your mailbox using the associated service accout whic will have rights to open all mailboxes."

If the account that is logging in the SYSTEM (i.e. Windows 2000 User NT AUTHORITY\SYSTEM) then it could be that you have just installed Exchange or you started the Exchange information store with new blank databases. See ME252543.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.