# Exchange Server 2010: Administrator Audit Logging

#Exchange2010 #powershell

Have you seen this? It’s well funky, and gives you the opportunity to “monitor” what people are doing to YOUR Exchange system! Administrator audit logging in Microsoft Exchange Server 2010 enables you to create a log entry each time a specified cmdlet is run. Log entries detail which cmdlet was run, which parameters were used, who ran the cmdlet and what objects were affected.

What Gets Audited
Cmdlets that are run directly in the Exchange Management Shell are audited. In addition, operations performed using the Exchange Management Console (EMC) and the Exchange Web management interface are also logged because those operations run cmdlets in the background.

Get cmdlets aren’t logged. Audit logging is intended to show what actions have been taken to modify objects in an Exchange organization rather than what objects have been viewed.

Audit Configuration
Ideally you should create an audit mailbox to capture all these events.

The following commands have been executed to enable auditing:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
Set-AdminAuditLogConfig -AdminAuditLogParameters *
Set-AdminAuditLogConfig -AdminAuditLogMailbox Audit.Mailbox@nodomain.com
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

The Output
Using the mailbox you will see an email with this content:

Cmdlet Name: Update-MailboxDatabaseCopy
Object Modified: Mailbox Database 9999999999Exchange01
Parameter: Identity = Mailbox Database 9999999999Exchange01
Parameter: DeleteExistingFiles = True
Parameter: Network =
Caller: UserAccount
Succeeded: True
Error: None
Run Date: 08/04/2010 17:04:58 UTC
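
To review these messages in bulk rather than by eye, the body can be parsed into an object and checked against a few rules. This is an added example, not part of the original post: the function names ConvertFrom-AdminAuditMail and Get-AuditReviewReason and the three review rules are hypothetical, and the input is the message body shown above.

```powershell
# Added example, not from the original post. Function names and the review
# rules are hypothetical; field names follow the sample message on this page.
function ConvertFrom-AdminAuditMail {
    param([Parameter(Mandatory = $true)][string]$Body)
    $fields = @{ Parameters = @{} }
    foreach ($line in ($Body -split "`r?`n")) {
        # Split at the first ':' only, so the time in "Run Date" stays intact.
        if ($line -notmatch '^\s*([^:]+):\s*(.*)$') { continue }
        $key = $Matches[1].Trim()
        $value = $Matches[2].Trim()
        if ($key -eq 'Parameter') {
            # "Name = Value"; the value can be empty, as in "Network =".
            $name, $val = $value -split '\s*=\s*', 2
            $fields.Parameters[$name] = $val
        } else {
            # "Cmdlet Name" becomes the property CmdletName, and so on.
            $fields[($key -replace '\s', '')] = $value
        }
    }
    # All values stay as text, including RunDate.
    New-Object PSObject -Property $fields
}

function Get-AuditReviewReason {
    param($Entry)
    $reasons = @()
    if ($Entry.CmdletName -eq 'Set-AdminAuditLogConfig') { $reasons += 'audit configuration changed' }
    if ($Entry.Succeeded -ne 'True') { $reasons += 'cmdlet did not succeed' }
    foreach ($p in $Entry.Parameters.GetEnumerator()) {
        if ($p.Key -like 'Delete*' -and $p.Value -eq 'True') { $reasons += "destructive switch: $($p.Key)" }
    }
    $reasons
}

# Input: the message body shown on this page.
$sample = @'
Cmdlet Name: Update-MailboxDatabaseCopy
Object Modified: Mailbox Database 9999999999Exchange01
Parameter: Identity = Mailbox Database 9999999999Exchange01
Parameter: DeleteExistingFiles = True
Parameter: Network =
Caller: UserAccount
Succeeded: True
Error: None
'@

$entry = ConvertFrom-AdminAuditMail -Body $sample
'{0} by {1}: {2}' -f $entry.CmdletName, $entry.Caller, ((Get-AuditReviewReason $entry) -join '; ')
```

The Run Date line is left out of the sample only to keep it short; the parser handles it like any other field and keeps it as text, since the message does not say whether the date is day/month or month/day.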

And remember, BIG BROTHER is always watching!