Exchange 2010 maintains a hidden mailbox that logs all administrative changes. The "Hey Scripting Guy" blog recently published an article that explains how to retrieve that information with PowerShell. If you ignore the remoting stuff at the top of the article (that can confuse or discourage some people), the auditing commands can be run directly from the management shell on any of the Exchange 2010 servers. I've always wanted this sort of visibility into who's doing what in Exchange, so I wanted to talk about it some more. But go read this article first:
For example, to get a list of all the new mailboxes created in the last day, use this command:
Search-AdminAuditLog -StartDate (get-date).adddays(-1) -EndDate (get-date) -Cmdlets enable-mailbox
Which produces this output:
RunspaceId : 7d4bc202-de70-4c2f-a146-263d05445ea8
ObjectModified : domain.local/Headquarters/Contractors/Cristin Broom
CmdletName : Enable-Mailbox
CmdletParameters : {Identity, Alias}
ModifiedProperties : {Extensions, PoliciesIncluded, EmailAddressPolicyEnabled, PoliciesExcluded, RecipientTypeDetails, RejectMessagesFrom, RecipientTypeDetailsValue, AcceptMessagesOnlyFromDLMembers, ArchiveName, UseDatabaseQuotaDefaults, OriginalPrimarySmtpAddress, ElcExpirationSuspensionEnabled, ServerLegacyDN, IsMailboxEnabled, ReadOnlyPoliciesIncluded, IsValidSecurityPrincipal...}
Caller : domain.local/Headquarters/Information Systems/Operations/Don Drieberg
Succeeded : True
Error : None
RunDate : 1/26/2012 9:20:46 AM
OriginatingServer : EXCH01 (14.01.0323.001)
Identity : RgAAAACsFGTJn7mcTJ0+hnPZuWZoBwCmwLQTE/orS6kUJLJIy+JCAAAAkH9zAACmwLQTE/orS6kUJLJIy+JCAAAQcrvYAAAJ
IsValid : True
From this, we can see that Cristin Broom's mailbox was created on 1/26 at 9:20 am by Don Drieberg.
The audit mailbox retains data for 90 days by default, and contains records of changes to all Exchange objects – mailboxes, distribution groups, contacts, connectors, inbox rules, etc. It doesn't log all of the details, though. For instance, although it logs mailbox changes, including which properties were changed, it doesn't include the value (before or after) of those properties. You just know that it was changed somehow. Still, it could be very handy for auditing. A simple command like this:
Search-AdminAuditLog -StartDate (get-date).adddays(-7) -EndDate (get-date) -Cmdlets new-distributiongroup | fl objectmodified, caller
can show me any new distribution groups that were created in the past week:
ObjectModified : domain.local/Distribution Lists/CORP - IS-QA for Trade Hold
Caller : domain.local /Headquarters/Information Systems/Operations/Don Drieberg
ObjectModified : domain.local/Ireland/Distribution Lists/Tax
Caller : domain.local/Ireland/Users/IT/Admin. Accounts/Sarah Monet
If you don't supply a Cmdlets parameter, your query will return matches for all cmdlets.
Of course, you can always pipe the output through a Where-Object clause to filter the results.
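To show where the date-range, -Cmdlets and Where-Object pieces above lead when you put them together, here is a small daily-review script I've added for this post (it is not from the "Hey Scripting Guy" article and not part of Exchange). It runs from the Exchange 2010 Management Shell. The function name Get-RecentAdminChanges, the $WatchedCmdlets list and the C:\AuditReports path are my own choices; the assumption that each CmdletParameters entry exposes Name and Value, and each ModifiedProperties entry a Name, is marked in the comments.

```powershell
# Added example for this post, not code from the original article or from Exchange.
# Run from the Exchange 2010 Management Shell. Get-RecentAdminChanges, $WatchedCmdlets
# and the report path are my own names and choices.

# Cmdlets whose use is worth a second look on every run, successful or not.
# Assumption: this is a starting list, not an Exchange-defined set.
$WatchedCmdlets = @(
    'Add-MailboxPermission',        # mailbox access grants
    'Add-ADPermission',
    'New-ManagementRoleAssignment', # new admin rights
    'New-TransportRule',
    'Set-TransportRule',
    'Set-AdminAuditLogConfig'       # someone changing the audit log itself
)

function Get-RecentAdminChanges {
    param(
        [int]      $Days    = 1,
        [string]   $Caller  = '*',    # wildcard matched against the Caller field
        [string[]] $Cmdlets = $null,  # leave empty to return every cmdlet, as the post notes
        [switch]   $FailedOnly
    )

    # Same date-range query as the post; -Cmdlets is only added when asked for.
    $query = @{
        StartDate = (Get-Date).AddDays(-$Days)
        EndDate   = Get-Date
    }
    if ($Cmdlets) { $query['Cmdlets'] = $Cmdlets }

    Search-AdminAuditLog @query |
        Where-Object {
            $_.Caller -like $Caller -and
            (-not $FailedOnly -or -not $_.Succeeded)
        } |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, Error,
            # CmdletParameters and ModifiedProperties are collections; flatten them so
            # they survive Export-Csv. Assumption: a parameter has Name and Value, a
            # modified property has Name (the post notes old/new values are not recorded).
            @{ Name = 'Parameters'; Expression = { ($_.CmdletParameters  | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } },
            @{ Name = 'Properties'; Expression = { ($_.ModifiedProperties | ForEach-Object { $_.Name }) -join ', ' } },
            OriginatingServer
}

# 1. Everything one admin did in the last day (the post's first query, widened to all cmdlets).
#    Caller values look like "domain.local/.../Don Drieberg", so a trailing wildcard match works.
Get-RecentAdminChanges -Days 1 -Caller '*Don Drieberg' |
    Format-Table RunDate, CmdletName, ObjectModified -AutoSize

# 2. Watched cmdlets over the last week, failures included, exported for review.
$report = "C:\AuditReports\admin-changes-$(Get-Date -Format yyyyMMdd).csv"   # assumed path
New-Item -ItemType Directory -Path (Split-Path $report) -Force | Out-Null
Get-RecentAdminChanges -Days 7 -Cmdlets $WatchedCmdlets |
    Sort-Object RunDate -Descending |
    Export-Csv -Path $report -NoTypeInformation
```

Two things to keep in mind when you schedule this: Search-AdminAuditLog returns a capped number of entries per call (check Get-Help Search-AdminAuditLog for the -ResultSize limit on your build), so a busy organisation may need a shorter window or several calls; and the 90-day retention the post mentions is the AdminAuditLogAgeLimit setting on Set-AdminAuditLogConfig, which is exactly why that cmdlet is in the watched list.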
For more information about audit logging, see the Administrator Audit Logging section of the TechNet library.
- Mike
Awesome, thanks for sharing the information related to auditing administrative changes in Exchange Server 2010 and explaining how to retrieve the information. I found good information from http://www.lepide.com/lepideauditor/exchange.html, which provides the facility to audit all activities of the Exchange environment from a centralized platform and to audit adding or removing domains, manually or by automation, for any access, change or modification. It generates reports on all changes, like Mailbox changes, Policies changes, Address Book changes, Address List changes, Group changes, Recipient Update Service changes, Storage Group changes.