Exchange Search Admin. Audit Logs
I am trying to find a way to audit which mailboxes have been exported via the Exchange Management Shell. I am looking at Search-AdminAuditLog and can find where to audit when the "New-MailboxExportRequest" command has been run, but I am not finding a way to determine which mailbox was exported. Is there a way?
Or maybe a better question to ask: are the commands that admins enter logged directly anywhere? If I enter "New-MailboxExportRequest -mailbox user@mydomain.com -filepath \\myshare\user.pst", is that exact information logged anywhere?
Appreciate the respons
September 10th, 2015 2:35pm
I assume you can enable auditing by following the steps given in this informative PDF guide, and it might help you get some insight reports when it comes to auditing when the mailbox was exported/copied as well: http://www.lepide.com/guide/enabling-exchange-2010-mailbox-auditing.pdf
September 11th, 2015 6:03am
Hi,
Please use the Search-AdminAuditLog command along with the "showdetails" parameter, and that will provide you more information for your query.
September 11th, 2015 9:50am
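An added example, not part of the original posts: one way to read the mailbox and file path out of admin audit log entries for New-MailboxExportRequest, using the CmdletParameters recorded with each entry. It assumes admin audit logging is enabled and the entries are still within the log's age limit; the helper name `Get-ExportAuditRow`, the 30-day window and the sample entry are assumptions made for illustration.

```powershell
# Added example. Get-ExportAuditRow is a hypothetical helper name.
# Flattens an admin audit log entry into one row per export request.
function Get-ExportAuditRow {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        # CmdletParameters holds the Name/Value pairs the admin supplied.
        $p = @{}
        foreach ($cp in @($Entry.CmdletParameters)) {
            if ($cp -and $cp.Name) { $p[$cp.Name] = $cp.Value }
        }
        New-Object PSObject -Property @{
            RunDate   = $Entry.RunDate
            Caller    = $Entry.Caller
            Mailbox   = $p['Mailbox']
            FilePath  = $p['FilePath']
            Succeeded = $Entry.Succeeded
        } | Select-Object RunDate, Caller, Mailbox, FilePath, Succeeded
    }
}

if (Get-Command Search-AdminAuditLog -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: query the last 30 days (window is an assumption).
    $entries = Search-AdminAuditLog -Cmdlets New-MailboxExportRequest `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
} else {
    # Outside Exchange: constructed sample entry shaped like an audit log result.
    $entries = New-Object PSObject -Property @{
        RunDate          = Get-Date '2015-09-10 14:00'
        Caller           = 'mydomain.com/Users/admin1'   # constructed
        Succeeded        = $true
        CmdletParameters = @(
            (New-Object PSObject -Property @{ Name = 'Mailbox';  Value = 'user@mydomain.com' }),
            (New-Object PSObject -Property @{ Name = 'FilePath'; Value = '\\myshare\user.pst' })
        )
    }
}

# One row per export: who ran it, when, which mailbox, and where the PST went.
$entries | Get-ExportAuditRow | Format-Table -AutoSize
```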
Thanks Lynn-Li but the mailboxexportrequests are removed shortly after they are completed and the information is then lost.
September 11th, 2015 12:37pm
Looking into this to see if this gives me the information, I did not think to use the mailbox audit logs. Thank you.
September 11th, 2015 12:37pm
So using the mailbox audit logs shows when LogonUserSID S-1-5-18 accesses the mailbox, the Operation is FolderBind, the logon type is Admin, the client IP address is ::1, and the ClientProcessName is MSExchangeMailboxReplication.exe.... Hmm, not sure if this is the mailbox export request or not...
Anyone have any experience with this?
September 11th, 2015 12:57pm