Friday 8 February 2013

How to check if someone deleted the user mailbox


I got a query from a member of the Exchange team asking whether he had deleted a user mailbox by mistake yesterday.

Exchange 2010 offers a feature called Administrator Audit Logging, which records the Exchange Management Shell cmdlets executed in the Exchange organization. Administrator audit logging keeps a log of the cmdlets that have been run in the Exchange Management Shell and the Exchange Management Console. It also records the cmdlets that are run through the Exchange Control Panel.

I ran the command below to verify whether audit logging is enabled:

Get-AdminAuditLogConfig | fl

The output showed me AdminAuditLoggingEnabled: True. I also checked the age limit, AdminAuditLogAgeLimit: 90.00:00:00, which means entries from the past 90 days will be present.

As the query is about "Remove-Mailbox", open EMS and type the command below:

Search-AdminAuditlog -StartDate 02/06/2013 -EndDate 02/08/2013 -cmdlets "Remove-Mailbox"

Note: Here we want to concentrate only on the logs for 7 February.

I found that the user details were not present in the output, so I ran another command to prove that the Exchange administrator had removed only a MailContact:

Search-AdminAuditlog -StartDate 02/06/2013 -EndDate 02/08/2013 -cmdlets "Remove-MailContact"

Now I am able to see the user details and the administrator for the required date which he informed me of.

Another approach is to use ECP -> Reporting -> Auditing, then export the details by selecting the date range and the user email address to which the export should be sent.

You will receive an XML file.
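
The two EMS searches above can be combined into a single query and reduced to the fields that answer the question: who ran which cmdlet against which object. This is an added example, not part of the original post; it assumes it is run in the Exchange Management Shell by an account allowed to search the admin audit log, and the variable names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# Dates are cast from ISO strings so they do not depend on the
# regional date format of the workstation (02/06 vs 06/02).
$start = [datetime]'2013-02-06'
$end   = [datetime]'2013-02-08'   # same window as the searches in the post

# Both cmdlets from the post; -Cmdlets accepts a list.
$cmdlets = 'Remove-Mailbox', 'Remove-MailContact'

$entries = Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets $cmdlets -ResultSize 1000

# Keep only the fields needed to answer "who removed what, and when",
# and flatten the recorded cmdlet parameters into one readable string.
$report = $entries |
    Sort-Object RunDate |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'Parameters'
           Expression = {
               ($_.CmdletParameters |
                   ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
           } }

if (-not $report) {
    Write-Host "No Remove-Mailbox or Remove-MailContact entries in this window."
} else {
    $report | Format-Table -AutoSize -Wrap

    # Per-administrator summary: which caller ran which cmdlet, and how often.
    $report | Group-Object Caller, CmdletName |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
```

An empty result for Remove-Mailbox alongside entries for Remove-MailContact is the same evidence the post relies on to show that only a mail contact was removed.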
