Enable Mailbox Audit Logging for Test Account

Mailboxes created on the Exchange server have audit logging disabled by default. To log all actions performed through the test account, enable the mailbox audit log on that account with the following command:

Set-Mailbox -Identity "<Test Account>" -AuditEnabled $true

Set-Mailbox -Identity "ETS Test Account" -AuditEnabled $true

The following command also enables mailbox audit logs on all mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

The actions recorded in the mailbox audit log can be adjusted with the following command. Here, different parameters are activated for three different groups. Because the records for the owner group log the user's own actions on his or her account, they can be left disabled when not required, to avoid keeping too much log data. Admin and Delegate group event records can be activated so that actions by the accounts authorized on that mailbox are recorded.

Set-Mailbox -Identity "ETS Test Account" -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditEnabled $true

By adding this command to the user creation procedure, so that it runs after each mail account is created, mailbox audit event records can be activated on every new mail account, whether it is created automatically or manually.
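
A check for mailboxes that the creation procedure missed, added here as an example and not part of the original page: it compares each mailbox's audit settings with the action list from the Set-Mailbox command above. The function name Get-MailboxAuditGap and the sample objects are assumptions made for illustration.

```powershell
# Baseline: the AuditAdmin/AuditDelegate action list from the Set-Mailbox command above.
$Baseline = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete',
            'FolderBind','SendAs','SendOnBehalf','Create'

function Get-MailboxAuditGap {
    # Hypothetical helper (not an Exchange cmdlet). Accepts objects exposing the
    # Get-Mailbox properties Name, AuditEnabled, AuditAdmin and AuditDelegate.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [string[]] $Required = $Baseline
    )
    process {
        # Stringify so local (enum) and remote (deserialized) sessions compare alike.
        $admin    = @($Mailbox.AuditAdmin    | ForEach-Object { "$_" })
        $delegate = @($Mailbox.AuditDelegate | ForEach-Object { "$_" })
        $missingAdmin    = @($Required | Where-Object { $admin    -notcontains $_ })
        $missingDelegate = @($Required | Where-Object { $delegate -notcontains $_ })

        # Emit a row only when auditing is off or a baseline action is not logged.
        if ((-not $Mailbox.AuditEnabled) -or $missingAdmin.Count -or $missingDelegate.Count) {
            [pscustomobject]@{
                Name            = $Mailbox.Name
                AuditEnabled    = [bool]$Mailbox.AuditEnabled
                MissingAdmin    = $missingAdmin -join ', '
                MissingDelegate = $missingDelegate -join ', '
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output (not real mailboxes).
$sample = @(
    [pscustomobject]@{ Name = 'ETS Test Account';   AuditEnabled = $true
                       AuditAdmin = $Baseline;          AuditDelegate = $Baseline }
    [pscustomobject]@{ Name = 'Constructed User A'; AuditEnabled = $false
                       AuditAdmin = $Baseline;          AuditDelegate = $Baseline }
    [pscustomobject]@{ Name = 'Constructed User B'; AuditEnabled = $true
                       AuditAdmin = @('Update','Move'); AuditDelegate = $Baseline }
)
$sample | Get-MailboxAuditGap | Format-Table -AutoSize

# In the Exchange Management Shell, run it against live mailboxes instead:
# Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Get-MailboxAuditGap
```

Run on a schedule, an empty result means every user mailbox matches the baseline; any row it returns is a mailbox where admin or delegate activity is not fully recorded.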

Activating Admin Audit Event Logs

The following command can be run once to enable Admin Audit logs:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogParameters * -AdminAuditLogCmdlets *

The Admin Audit logs can be searched with the following command:

Search-AdminAuditLog

Search-AdminAuditLog -Cmdlets New-SendConnector -StartDate 04/20/2014 -EndDate 5/5/2015

The following command searches the Admin Audit logs for the specified parameters and mails the result to admin@yourdomain.com:

New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/20/2017 -EndDate 05/05/2018 -StatusMailRecipients admin@yourdomain.com
