AuditEnabled & What does it give me?
We have some suspicions at one of our locations of a lanadmin taking advantage of their access rights and accessing mailboxes that they should not access.
I enabled Auditing on 3 mailboxes and when i run the commands it doesn't appear to be giving me any output.
Is there anything i can run that would tell my HR department the information they are looking for?
They really would like to know if its possible to find out what is being accessed when it shows that person logged into their account. Is it just her viewing their calendar or is it their inbox being viewed?
Is this possible to find out?
Any help would be very greatly appreciated.
Jessica Cochran
April 19th, 2012 2:22pm
I executed this command: New-MailboxAuditLogSearch -Mailboxes mprask -LogonTypes Owner ShowDetails
-StartDate 4/12/2011 -EndDate 5/12/2011
with our criteria and the command completes without error but I do not receive an email at all.
Jessica Cochran
Free Windows Admin Tool Kit Click here and download it now
April 19th, 2012 3:12pm
What version of Exchange? What commands did you run to search?
This example retrieves mailbox audit log entries for Ken Kwok's mailbox for actions performed by administrators and user delegates between 1/1/2010 and 12/31/2010. A maximum of 2,000 log entries are returned.
Search-MailboxAuditLog -Identity kwok -LogonTypes Admin,Delegate -StartDate 1/1/2010 -EndDate 12/31/2010 -ResultSize 2000James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
April 19th, 2012 3:17pm
I tried the below command with our criteria in it
New-MailboxAuditLogSearch -Mailboxes
mprask -LogonTypes Owner ShowDetails -StartDate 4/12/2011 -EndDate 5/12/2011
it sent me a report about 15 minutes later but the report was empty... i turned on some of the diagnostic logging within Exchange and it shows up in the Application Log on the Exchange Server in question, but nothing shows up in the Report that i receive...
Even though I have tried to test it with my admin account and one of the accounts i tried.
also have tried the command you suggest and it completes without error but I do not see any results for that either.
Not sure what to do
Jessica Cochran
Free Windows Admin Tool Kit Click here and download it now
April 19th, 2012 3:25pm
We are on Exchange 2010 SP1 RU 6Jessica Cochran
April 19th, 2012 3:34pm
We have some suspicions at one of our locations of a lanadmin taking advantage of their access rights and accessing mailboxes that they should not access.
Hi Jessica,
How did you assign the access rights to the lanadmin?
Please run the cmdlet Get-Mailbox mailboxname | fl *audit* and post the result here.
When you enable mailbox audit logging for a mailbox, access to the mailbox and certain administrator and delegate actions are logged by default. To log actions taken by the mailbox owner, you must specify which owner actions should be audited.
For more information, please see:
Understanding Mailbox Audit Logging Wang
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
April 23rd, 2012 2:28am
This is what we ran to assign their permissions
Get-MailboxDatabase Identity neoexch01 | Add-ADPermission user LZB\Neosho_Exchange AccessRights GenericAll
Here are the results of the command you requested:
[PS] C:\Windows\system32>Get-Mailbox bsnow | fl *audit*
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {FolderBind, MessageBind}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}
Jessica Cochran
April 23rd, 2012 9:51am
Hi Jessica,
Please run the cmdlet Set-Mailbox bsnow -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create,FolderBind,MoveToDeletedItems
then search the log again.
By the way, you can also run the following cmdlet to performs a synchronous search of mailbox audit logs:
Search-MailboxAuditLog bsnow -showdetails
Please do it again a test mailbox and audit a "Delete" operation to test first.Frank Wang
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
April 25th, 2012 12:25am
This is exactly what I needed, I added | export-csv c:\location\file.txt to the end so i could import into Excel for easier viewing.
Thank you very muchJessica Cochran
April 25th, 2012 9:29am