Hi
How can I audit an Exchange server edge transport rule? Especially, I want to know when the rule was created (time and date), who created that rule, and so on.
Thanks
First, I do not have an Edge server to test this but on a Hub Transport server, the creation of a Transport Rule should result in the addition of an entry in the MSExchange Management Event Viewer log. You can see creation time but user is not shown by default (not sure if this can be shown with higher logging level - cannot test that right now):
3rd party tools could audit this as well, but if you have just native Exchange that would not help much.
Hi Kenpubish,
Thank you for your question.
By my research, I am sorry that we could not meet your requirement, because we could not enable audit transport rule, we just check the last changed time by the following link:
Get-TransportRule <rule name> | FL
If there are any questions regarding this issue, please feel free to let me know.
Best Regards,
Jim
Hi David
Thanks for your reply
But the problem is I don't know exactly in which year (2013, 2014 or 2015) the rule was created. How can I search from the event viewer? For how long will Microsoft servers keep the logs?
Best regards
Hi Jim
Thanks for your reply
The rule was a blind carbon copy rule which sends emails going in and out of our Exchange to someone we don't know. So when we got that rule, we immediately disabled it. After that, we want to know at which specific time the rule was created and who created that rule. So the cmdlet Get-TransportRule <rule name> | FL will tell us the last change, which is when we disabled it. Is there no solution to find the initial time?
Best regards
Kenubish
$DN=(Get-TransportRule <name of rule>).distinguishedname
repadmin /showobjmeta <name of a domain controller> $DN
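
The following is an added example, not part of the original thread: it expands the repadmin approach in the post above using the ActiveDirectory PowerShell module to read the rule object's creation time and per-attribute replication metadata. It assumes the rule is stored in Active Directory as that post implies; `$RuleName` and `$DC` are placeholders.

```powershell
# Added example; $RuleName and $DC are placeholders, not values from the thread.
# Run in the Exchange Management Shell with the ActiveDirectory (RSAT) module installed.
Import-Module ActiveDirectory

$RuleName = '<name of rule>'
$DC       = '<name of a domain controller>'

# Resolve the rule to its directory object; stop if the rule does not exist.
$dn = (Get-TransportRule -Identity $RuleName -ErrorAction Stop).DistinguishedName

# whenCreated is stamped when the directory object is created; whenChanged moves
# with every later edit (for example, disabling the rule).
$obj = Get-ADObject -Identity $dn -Server $DC -Properties whenCreated, whenChanged

# Per-attribute replication metadata: the same data repadmin /showobjmeta prints.
$meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $DC

# objectClass is written when the object is created, so its metadata row carries
# the originating time and the DC that accepted the original write.
$origin = $meta | Where-Object { $_.AttributeName -eq 'objectClass' }

[pscustomobject]@{
    Rule              = $RuleName
    DistinguishedName = $dn
    WhenCreatedUtc    = $obj.whenCreated.ToUniversalTime()
    WhenChangedUtc    = $obj.whenChanged.ToUniversalTime()
    OriginatingDC     = $origin.LastOriginatingChangeDirectoryServerIdentity
    OriginatingTime   = $origin.LastOriginatingChangeTime
} | Format-List

# Attributes with Version greater than 1 were modified after creation.
# Sorted by time, they give a change timeline for the rule object.
$meta |
    Where-Object { $_.Version -gt 1 } |
    Sort-Object LastOriginatingChangeTime |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

Replication metadata records the time and originating domain controller of each change, not the account that made it.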