Hi all,

I understand from this article (http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/administrator-audit-logging-part1.html) that these admin audit logs are stored under a mailbox. Does this still applies to Exchange 2013?

If so is there any command to run via powershell to check which mailbox is actually storing these information?

Also if I wish to create a user in exchange that does nothing besides generating these admin audit report, what type of permission do I need to assign besides "View-only administrator audit logging"? https://technet.microsoft.com/en-us/library/ff459243%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

Thanks!

Zack

Hi ,

Based on my knowledge Admin audit logs was stored on the Arbitration mailbox (SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}) under the folder "AdminAuditLogs"

Please use the below mentioned command to find out folders .

Get-MailboxFolderStatistics -Identity "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | ft name,identity,*size* -au

By default the following role groups has the permissions to search the admin audit logs .

Organization Management
Compliance Management
Records Management

In case if we wanted to have the administrator with specific scope only on search and report about Admin audit logs then we need to create the customized RABC groups.

If so is there any command to run via powershell to check which mailbox is actually storing these information?

Hi

The Microsoft Exchange system mailbox is an arbitration mailbox used to store organization-wide data such as administrator audit logs, metadata for eDiscovery searches, and Unified Messaging data, such as menus, dial plans, and custom greetings. The Microsoft Exchange system mailbox is named SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}; the display name is Microsoft Exchange.

Refer from:

https://technet.microsoft.com/en-us/library/dn249849(v=exchg.150).aspx

Best Regards.