Writing the information that will guide in enabling auditing for user mailboxes. In Exchange 2010 this is new feature & advantageous in case you want to know who has deleted, moved emails from shared mailbox, delegated mailbox etc.
Some times for Messaging Admins these kinds of requests are quite common in which Security team, HR & Legal requires these details.
- Get the current auditing status for Particular mailbox:
Get-Mailbox "MailboxAlias" | fl aud*
By default Auditing Enabled is False & below screen shot shows default values.
- Set the mailbox auditing for Particular mailbox:
Get-Mailbox "MailboxAlias" | Set-Mailbox -AuditEnabled $true
You can set other values as well by using above command, like age of auditing. Same way you can set various other options & disable auditing as well.
- There can be a situation where system mailboxes accesses mailboxes & those are coming in audit log so those system mailboxes can be by passed by using below command.
Set-MailboxAuditBypassAssociation -Identity "svc_Account" -AuditBypassEnabled $true
you can also check the Auditbypass for the svc account
- Now how to check these audit logs: you can use ECP for this purpose:
Run Non owner Mailbox access report: