Administrator Audit Logging In Exchange 2010…

Exchange 2010 introduces a new feature for auditing the actions performed by users & administrators in your messaging environment. Every action is logged, irrespective of whether it is performed in the Console, the Shell or ECP. The “Get” cmdlets are not logged, as that is unnecessary and would generate a large number of log files on a daily basis. This option gives your Manager (who may not be technical) the facility to trace back who performed what & when.

The following actions need to be completed before the feature becomes available. The cmdlet we use for most of these settings is Set-AdminAuditLogConfig.

  1. Configure a dedicated mailbox for storing all audit logs. Whenever an action is audited, full information is logged & sent as an email to this mailbox. Access to this mailbox has to be tightly controlled.
  2. The auditing feature needs to be enabled.
  3. Configure the audit agent to send logs to the audit mailbox.
  4. The cmdlets to be audited need to be configured, if you don’t want to audit everything.
  5. The parameters to be audited need to be configured.

The first step can be easily accomplished by creating a mailbox with a suitable name (say “Audit Mailbox”) and restricting access to it.

Admin auditing is disabled by default. Run Get-AdminAuditLogConfig | fl to confirm.

[Screenshot: Admin Logging False]

In order to enable auditing, run the following cmdlet.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

[Screenshot: Admin Logging True]

Run the following cmdlet to configure the auditing agent to send logs to “Audit Mailbox”:

Set-AdminAuditLogConfig -AdminAuditLogMailbox "AuditMailbox@Hew10.local"

[Screenshot: Set Mailbox For Logging]

You can audit the cmdlets of your choice. For example, in order to audit any changes made to mailbox & transport features, we can use the wildcards *mailbox* and *transport*. Run the cmdlet below to audit just these cmdlets.

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*, *transport*

[Screenshot: Set Cmdlets For Logging]

In the same way, you can select the parameters of your choice. Run the cmdlet below to audit the parameters database and server.

Set-AdminAuditLogConfig -AdminAuditLogParameters database, server

[Screenshot: Set Parameters For Logging]
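Once the settings above are in place, they can be compared against a baseline so that a disabled or narrowed audit scope gets noticed. The following is an added example, not code from the original article: the function name Test-AdminAuditConfig and its parameters are hypothetical, and the sample object is constructed to mirror the values used above.

```powershell
# Added example (not from the original article). Test-AdminAuditConfig and its
# parameters are hypothetical names; $Config is the object returned by
# Get-AdminAuditLogConfig, of which only the four settings above are read.
function Test-AdminAuditConfig {
    param(
        [Parameter(Mandatory = $true)] $Config,
        [string]   $ExpectedMailbox,
        [string[]] $MustAudit = @()    # cmdlet names that have to be in scope
    )
    $findings = @()
    if (-not $Config.AdminAuditLogEnabled) {
        $findings += 'AdminAuditLogEnabled is False: no action is being logged.'
    }
    if ([string]$Config.AdminAuditLogMailbox -ne $ExpectedMailbox) {
        $findings += "Audit mailbox is '$($Config.AdminAuditLogMailbox)', expected '$ExpectedMailbox'."
    }
    # The cmdlet list holds wildcard patterns, so test each name with -like.
    $patterns = @($Config.AdminAuditLogCmdlets | ForEach-Object { [string]$_ })
    foreach ($name in $MustAudit) {
        if (-not ($patterns | Where-Object { $name -like $_ })) {
            $findings += "$name matches none of the audited patterns ($($patterns -join ', '))."
        }
    }
    # Anything other than '*' means only the listed parameters are recorded.
    $params = @($Config.AdminAuditLogParameters | ForEach-Object { [string]$_ })
    if ($params -notcontains '*') {
        $findings += "Parameter logging is limited to: $($params -join ', ')."
    }
    $findings
}

# Constructed sample mirroring the settings applied in this article.
# In the Exchange Management Shell, pass (Get-AdminAuditLogConfig) instead.
$sample = New-Object PSObject -Property @{
    AdminAuditLogEnabled    = $true
    AdminAuditLogMailbox    = 'AuditMailbox@Hew10.local'
    AdminAuditLogCmdlets    = @('*mailbox*', '*transport*')
    AdminAuditLogParameters = @('database', 'server')
}
$mustAudit = 'New-Mailbox', 'Set-TransportRule', 'Set-AdminAuditLogConfig', 'Add-RoleGroupMember'
Test-AdminAuditConfig -Config $sample -ExpectedMailbox 'AuditMailbox@Hew10.local' -MustAudit $mustAudit
```

Set-AdminAuditLogConfig and Add-RoleGroupMember match neither *mailbox* nor *transport*, so with the scope used in this article the function reports them as outside the audited set.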

To demonstrate the admin logging feature, I have created a new mailbox named “Audit Test”.

[Screenshot: Audit Test Mailbox]

Logging into the “Audit Mailbox” using OWA shows me a new email with detailed information on the task (creating the mailbox) that I had completed.

The subject of the email specifies the user account used to run the cmdlet & the cmdlet that was executed.

The Run Date in the email shows the date & time when the cmdlet was run. The log also shows whether the cmdlet was executed successfully.

Next time you do something, beware! The auditing might be enabled!


Exchange Architect, Blogger, Husband & Dad. I have been in IT for the last 11 years, with Exchange Server becoming the prime area in the last few years. I am active on TechNet forums & Experts Exchange.
