Saturday, October 4, 2014

How to Enable Auditing in Exchange 2010

Hi Readers,

Writing the information that will guide in enabling auditing for user mailboxes. In Exchange 2010 this is new feature & advantageous in case you want to know who has deleted, moved emails from shared mailbox, delegated mailbox etc.

Some times for Messaging Admins these kinds of requests are quite common in which Security team, HR & Legal  requires these details.

  • Get the current auditing status for Particular mailbox:


Get-Mailbox  "MailboxAlias" | fl aud*

By default Auditing Enabled is False & below screen shot shows default values.Capture1

  • Set the mailbox auditing  for Particular mailbox:


Get-Mailbox "MailboxAlias" | Set-Mailbox -AuditEnabled $true

You can set other values as well by using above command, like age of auditing. Same        way you can set various other options & disable auditing as well.

Capture2

  • There can be a situation where system mailboxes accesses mailboxes & those are coming in audit log so those system mailboxes can be by passed by using below command.


Set-MailboxAuditBypassAssociation -Identity "svc_Account" -AuditBypassEnabled $true

you can also check the Auditbypass for the svc account

Get-MailboxAuditBypassAssociation "svc_Account"

  • Now how to check these audit logs: you can use ECP for this purpose:


Capture4

 

Run Non owner Mailbox access report:

Capture5

 

Regards

Sukhija Vikas

http://msexchange.me

 

1 comment:

  1. Excellent !
    Simply a great write-up.
    Few days ago, I was reading another informative article at TechNet which I wish to mention here - https://gallery.technet.microsoft.com/Enabling-Exchange-2010-368786d3

    Hope, this could help you others.

    ReplyDelete