A lot of businesses want to be able to track who accesses mailboxes in the organization, and who takes certain actions such as deleting mailbox items.  This is particularly true where mailboxes are accessed by delegates, for example when a senior manager has several people who access and manage their mailbox, or for shared mailboxes such as those used by sales and support teams.

Exchange Server 2010 (SP1 or later), Exchange Server 2013 and Exchange 2016 have a feature called Mailbox Audit Logging that provides exactly this capability.  However it is not turned on for mailboxes by default, so the Exchange administrator has to enable for those mailboxes which are considered sensitive or any where access needs to be logged and audited.

You can see whether a mailbox has audit logging enabled by running the Get-Mailbox command.

[PS] C:\>Get-Mailbox Alan.Reid | fl *audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

The output there shows you that:

  • Mailbox auditing is not enabled for this mailbox
  • The log age limit is 90 days
  • The actions that are logged for admins, delegates, and the owner themselves

Note how the mailbox owner is not logged by default, because their access would generate a lot of audit log entries. Delegates are logged for basic actions, and administrators are logged for additional administrative actions as well.

To enable a mailbox for audit logging use the Set-Mailbox command.

[PS] C:\>Set-Mailbox Alan.Reid -AuditEnabled $true

To demonstrate audit logging I’ve accessed the mailbox as delegate Alex Heyne, and deleted several inbox items.

There are a few different ways you can look for mailbox audit log entries. The first is a by searching a single mailbox using the Exchange Management Shell.

The Search-MailboxAuditLog command lets use perform searches of mailbox audit logs.  In this example I’m performing a search and displaying just one entry.

[PS] C:\>Search-MailboxAuditLog -Identity Alan.Reid -LogonTypes Delegate -StartDate 1/1/2011 -EndDate 2/8/2011 -ResultSi
ze 1 -ShowDetails

RunspaceId               : d76bf455-a098-4ef2-abad-7d0b153df302
Operation                : SoftDelete
OperationResult          : Succeeded
LogonType                : Delegate
ExternalAccess           : False
DestFolderId             :
DestFolderPathName       :
FolderId                 : LgAAAABP8tPUduCNQbq3ixaUfzrSAQD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAAAB
FolderPathName           : Inbox
ClientInfoString         : Client=MSExchangeRPC
ClientIPAddress          : 10.0.1.11
ClientMachineName        :
ClientProcessName        : OUTLOOK.EXE
ClientVersion            : 14.0.4760.1000
InternalLogonType        : Delegated
MailboxOwnerUPN          : Alan.Reid@exchangeserverpro.net
MailboxOwnerSid          : S-1-5-21-3252988086-3956323440-3716555505-1113
DestMailboxOwnerUPN      :
DestMailboxOwnerSid      :
DestMailboxGuid          :
CrossMailboxOperation    : False
LogonUserDisplayName     : Alex Heyne
LogonUserSid             : S-1-5-21-3252988086-3956323440-3716555505-1117
SourceItems              : { RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvG
                           eCAAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK0
                           3AAAAvGeBAAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbg
                           D/lyUK03AAAAvGeAAAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGl
                           k9ZQqbgD/lyUK03AAAAvGd/AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAA
                           CNDsKGlk9ZQqbgD/lyUK03AAAAvGd+AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAA
                           AAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd9AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYH
                           Zzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd8AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bT
                           o9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd7AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0
                           krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd6AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzr
                           SBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd5AAAA,  RgAAAABP8tPUduCNQbq3
                           ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd4AAAA,  RgAAAABP8tPUd
                           uCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd3AAAA,  RgAAAA
                           BP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd2AAAA,
                            RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd
                           1AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03
                           AAAAvGd0AAAA}
SourceFolders            : {}
ItemId                   :
ItemSubject              :
DirtyProperties          :
OriginatingServer        : ESP-HO-EX2010A (14.01.0218.011)
MailboxGuid              : d91ebf81-f836-431c-8857-2f2a46ee0a93
MailboxResolvedOwnerName : Alan Reid
LastAccessed             : 2/7/2011 10:11:33 PM
Identity                 : RgAAAABP8tPUduCNQbq3ixaUfzrSBwAVowOS8YKPSZu3yRX+MS1dAAAAAj7RAAAVowOS8YKPSZu3yRX+MS1dAAAAAj7o
                           AAAJ
IsValid                  : True

As you can see the information is partially useful (we can see who did something and when they did it) but there is also a lot of unreadable data presented. For a PowerShell script that  provides an easier method for checking mailbox audit log entries refer to the following article:

Mailbox audit logs can also be searched using the Exchange Control Panel (Exchange 2010) or Exchange Admin Centre (Exchange 2013 and 2016). In the organization management area are a series of different auditing tasks, including mailbox audit log searches. The screenshots below are from Exchange 2010, and you can find an Exchange 2013 example here.

Exchange Server 2010 Mailbox Audit Logging Step by Step Guide
Exchange 2010 Mailbox Audit Log Search in Exchange Control Panel

This web interface makes searches much easier and also returns results that are readable.

Exchange Server 2010 Mailbox Audit Logging Step by Step Guide
Exchange 2010 Mailbox Audit Log search results

You can see that mailbox audit logging is a useful feature for organizations that need to audit this kind of activity, but with the trade off that the logs are stored in the mailbox and so will increase mailbox size.  However since any audit logging of this kind has to be stored somewhere this shouldn’t be seen as a road block to activating the feature on only those specific mailboxes that require auditing.

Further reading:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Prashant

    Hi Paul,

    Thank you for the blog, we do have Exchange 2010 SP3 Enterprise version installed in our organization. we have enabled the Audit log as of the steps you have shared in you blog, and tried to perform some testing in our production environment test mailboxes. During our test, we were able to see the logs that were created for Sendas and Create. But beside that we have performed the activity like Soft-Delete and Hard-Delete, which was not shown in the audit logs. Is there any thing we have missed out to configure. To audit the soft-delete or Hard-delete from the delegated user.

  2. George A.

    Hello Paul,
    I have an Exchange 2013 DAG of two members, do you know why always shows as “originating server” in the AdminAuditlog the one who has the rol of “PAM”?. Or is it something that only seems to me?. I make changes on a user that is in the second node of my DAG, but in AdminAuditLog it always shows me the primary as the “Originating Server”. Is this the expected behavior?

    Thanks!

    1. Paul Cunningham

      Maybe that’s the server you’re connected to with your management shell at the time.

  3. Adeiza Yisa

    Paul,

    We are currently implementing IBM QRadar SIEM in our environment. On of our security use case is to get alert when someone else aside the owner of the mailbox access it. Where is this log kept and how can we get the log into IBM QRadar SIEM

  4. Tony C

    Paul – is there a way to actually view the sent email? I can see the time and date, the sender and the subject but nothing else. Is there any way to actually view the email itself (in case the user deleted it from Sent/Deleted Items or populate the recipient in the search results?

    1. Paul Cunningham

      No, the mail contents are not stored in the audit logs. The only way to view the mail item is to view the actual mail item. If it’s been deleted, at least auditing can tell you that.

  5. sanjeev

    hi Paul

    We are try to reducing the audit log size of one user mail box which reach to 30 GB

    we have try to disable audit change the ageing of audit log but no luck can u please help.

    1. Paul Cunningham

      If you lower the age limit for audit logs on that mailbox, the server should clean up the logs that are already there as a background task later, but I wouldn’t expect it to happen instantly.

      1. Richard

        I just reduce the Log ageing from 90 days to 45 days, in your experience, how long would it take to see the change in size and items count?
        I really need to see the items count in specific, reduced from 2000000 to below 1000000, as this is the limit to migrate the mailbox to Offie365

  6. SSJ_GOG

    Hi,
    Does this work for public folders at all?

  7. Gigz

    Hi Paul
    I have a large Single Forest Multiple domain setup with over 100 2010 servers. All of a sudden admins is different domains get a warning when editing users, send as etc.. The warning is that it cant connect to one server in another domain in the forest (Which is by defaut as there is no link between domains). If i disable audit logging it goes away. My question is there a home user mailbox like a postmaster that auditlogging attaches itself to on setup and that this might be located in the domain that the error points to.
    Thanks
    Kevin

  8. HL

    In MailboxAuditLog, after enabling, there are events about mailbox objects access, but are they also stored MailboxFolderPermission changes? Because users and administrators are able to change mailbox folder permissions (“Inbox” or “Top of Information store” for example), it is difficult to prove, who did changes.

  9. RamG

    Hi Paul,

    When we export the audit logs using Search-MailboxAuditLog command with Send As operation i am getting two logs for a single email, i.e. the user has sent one email but we are two logs while exporting audit logs.

    Can you let me know the reason for the same.

    1. Paul Cunningham

      I’d have to see the logs first hand. There might be two items logged because two operations take place when a Send As occurs, e.g. sending the email itself, plus saving the sent item to the shared mailbox’s Sent Items folder.

  10. Sarfraz Aslam

    Hi,
    i have set the age limit 2 days for admin audit logs, but after the 2 days audit logs are not flushed. Is there any thing i am missing ?

    Thanks.

    1. Paul Cunningham

      What is the exact command you ran?

      What are you doing to check whether the admin audit logs have been removed or not?

      Note: you’re saying “admin audit logs” but this is an article about “mailbox audit logging” which is something different.

  11. Ekrem Saruhan

    About 2 years ago i added a new domain into my Exchange environment because of a change of company name. All users are until now using both domains example @ABC.com and @XYZ.com.
    In the meantime users could use both domains and i want to disable the old domain @ABC.com.
    My problem is that lot of email communications are still received at the old domain. I want to create a catch-all policy where i want to automatically send a mail to the sender with a message like” dear sender, please use our new domain address receiver@XYZ.com. This mail will not been forwarded to the sender.”
    I couldn’t find a standard solution for my problem. Maybe you can help me with it.
    regards,

    Ekrem

    1. Paul Cunningham

      Those auto-reply solutions are bad practice. Don’t do it. It annoys senders and it doesn’t work for automated systems such as newsletters that your users signed up to with their old email address.

      If you want to stop accepting email to a domain just remove that domain from your recipients and from your Exchange organization. The emails will bounce and the sender can resend or the automated system can see the NDR and remove that address from its database.

  12. trank0

    Hi, pls, tell me where those logs are exactly? In Mailbox server?, HUB? CAS? and which address? in the Program FilesExchange2010Logging path I can´t find any logic name folder for this acction and with “get-mailboxserver “mbxserver” | fl *log* ” I can´t any logic space where is nested those logs.

    I want to know this because my hard disk space are poor on my servers and those logs on all mailboxes can make grow my data in my hard disks and then I´m gonna be in troubles. I want to test first over a few users to check how it´s growing, but I need first to know where is nested those logs, specially in which server to follow the space on disk.

    Thanks a lot, great tutorial.

      1. trank0

        Awesome answer, then I assume that the audits on mailboxes, and in my case is exactly to check on all mailboxes the logging of not owners, all data is stored in each mailbox, the the database is going to grow.

        Is my think correct?

        1. Paul Cunningham

          The database will probably grow. If you’re concerned about how much it will grow, turn on audit logging for a small number of mailboxes and use the script to see how much extra space it is using.

  13. Jan

    Hi Paul, Nice and EasyToUnderstand article.
    BUT >

    when I use Add-MailboxPerrmission to grant somebody FullAccess, s/he is in AuditDelegate auditing logontype… what type of command for granting permission should I invoke, to set the access to AuditAdmin?

    I’m looking for audit type MessageBind, which is available only via AuditAdmin ….

    Thx in advance,
    Jan

  14. Aurimas

    Hello,
    I’ve followed the article and audit logs in powershell show that mailbox was accessed, some items deleted etc., but when I try to run auding in ECP I can only see the fact that mailbox was accessed, but the detail window is empty. Any ideas?

    screenshot – http://i.imgur.com/A0vDEde.png

  15. Singh

    Hi Paul,

    I have enabled Auditing for delegates (as I want to audit users with Full access permissions on a shared Mailbox).
    Here is what I have enabled:

    AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}

    I see a create operation when I copy a file from inbox to any subfolder and I see a SoftDelete Operation when I delete an email from Deleted Items.
    But I don’t see any Operation when I move any item from inbox to subfolder.

    Am I missing something on my settings?

    Regards,
    Singh

  16. Farhad_Adm

    Hello. Great blog! But when i generate my report in web interface i cant get the result indeed.

    I get the information in the left panel about which mailbox it is and last access on that mailbox but i cant get the information in the right pane.

    Does anyone had such a problem?

    Thanks in advance!

  17. Tony

    Hello, I am interested in setting this up for our firm. I have tested on a test account and everything seems to work as expected. My question is how hard of a hit does this put on Exchange resources. We have 2100 mailboxes and it would be nice to turn this on for all of them with administrator and delegate auditing.

  18. Martin

    Hi Paul,
    great blog! saved me many times! 🙂
    thanks you

    I need to find messages with certain string in the subject, and know if this email was forwarded to other people and we need to know to whom…

    is it possible?

    king regards
    martin

  19. Jason

    Paul, first up. Really good website, I’ve been learning Exchange from you for years now.

    I’m now doing some mailbox auditing and have gotten the basics of it to work. The specific issue that I’m working on now is trying to determine why folders and their contents are turning up in the ‘recover deleted items’ folder of a mailbox on an intermittent basis.

    So, I have mailbox auditing turned on but the two attributes ‘DestFolderID’ and ‘DestFolderPathName’ are showing up blank. I’d like to know where items are being moved to. These are ‘soft delete’ operations.

    Thoughts?

    Again, really nice work.

    1. Paul Cunningham

      Soft Delete means “An item is deleted from the Deleted Items folder.” which I guess makes the folder Ids redundant since an item deleted from the Deleted Items can only go to the recoverable deleted items folder next.

  20. Galas

    Paul, you are pretty much my exchange reference!
    II am going to give it a try, it was exactly what i was looking for, and as always, ended up in your website.
    Thanks a million.

  21. Douglas Diniz

    Hello Paul,

    There is a possibility that I will be notified by email if any mailbox is opened by a user other than the user owner?

    What is the correct procedure to perform such an action?

    Exchange Server 2010.

    Thank you!

    1. Paul Cunningham

      Exchange does not have that capability builtin. You would need to write your own script or look at investing in a security monitoring product.

  22. John

    I am auditing a mailbox now however it is only showing me items deleted from the deleted box. If it helps I am logged into OWA and manipulating the users mailbox as an admin. I can see the itemes i delete from the deleted items but not from the inbox. If i delete something from the inbox, it goes to deleted, then when I delete it from the deleted items, it shows in my log.

  23. nirav

    Dear Paul

    thanks for the wonderful post. my query is that if i am the mailbox owner & I want the audit report for this account only. its possibe or not? how i can accomplish that task.

  24. Links

    Hi Experts,

    Can someone help me out to answer one query, if we can export these mailbox audit data to a local extrenal file, to which I can use the same in my SIEM to monitor in and track the activities.

    Thanks in advance.

  25. Stripppy

    Hi Paul,

    Great article. In MailboxAuditLog, after enabling, there are events about mailbox objects access, but where are stored MailboxFolderPermission changes? Because users and administrators are able to change mailbox folder permissions (“Inbox” or “Top of Information store” for example), it is difficult to prove, who did changes.

    Thanks

  26. Carol Ostos

    I’m wondering if anyone has seen this event ID

    5001 Error MSExchange Management Application Failed to create EWS mailer.
    Organization:
    Error:
    Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAud
    itLogException: Unable to find the admin audit logs folder. Rea
    son: System.Web.Services.Protocols.SoapException: The specified
    server version is invalid.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Read
    Response(SoapClientMessage message, WebResponse response, Strea
    m responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invo
    ke(String methodName, Object[] parameters)
    at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProt
    ocol.c__DisplayClass4.b__3()
    at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.Networ
    kServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpCli
    entProtocol client, AuthenticateAndExecuteHandler`1 handler)
    at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthentica
    tor.AuthenticateAndExecute[T](SoapHttpClientProtocol client, Au
    thenticateAndExecuteHandler`1 handler)
    at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBindi
    ng.FindFolder(FindFolderType FindFolder1)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
    .EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
    .EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
    .EwsMailer..ctor(OrganizationId organizationId, ADUser adUser,
    ExchangePrincipal principal)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
    .Create(OrganizationId organizationId, ADUser mailbox, Exchange
    Principal principal)

    I tried to google about this but did not find much info, Any guidance would be useful. Thanks so much!!!

    1. jeevan

      As per the error it is saying that Audit folder is not created on mailbox. There is a folder will create after you enable the audit on mailbox , it is hidden folder. you can check it from get-mailboxfolderstatistics.

      I suggest you please check the Audit folder is created after you enable the Auditing on maillbox.

      regards
      jeevan

  27. jeevan

    I tried in my organization but it is not working.

    i ran below command but i have not get any output of it and the same is happen with ECP console. i received the report but nothing is there.
    interesting thing is that it is not giving me any error while excecuting the command.

    Search-MailboxAuditLog -Identity test -LogonTypes Owner -StartDate 02/26/2013 -ShowDetails

    we have exchange 2010 Sp2 Buil 247.5 (RU 2706690)

    anyone please let me know what could be issue.

  28. Daniel

    Hi Can I please get the command on how to audit the mailbox owner?

    [PS] C:Windowssystem32>Set-Mailbox records -AuditEnabled $true

    That doesn’t log the owner of course, what is the switch to log what the owner does?

    Thanks

  29. Mahmoud

    Hi Paul,
    My result as the follows:

    Time: 12/6/2012 2:08 AM
    Performed by: EV
    Signed in as: Internal user without delegate access
    Operation: Open folder
    Folder: Sync IssuesServer Failures
    Status: Succeeded

    Time: 12/6/2012 12:49 AM
    Performed by: BlackBerry
    Signed in as: Internal user without delegate access
    Operation: Open folder
    Folder: Recoverable Items
    Status: Succeeded

    So I didn’t get “performed by certain user”, can you explain to me why get EV and Blackberry, is EV mean Enterprise volt because we have it?

  30. Rachael

    Hi,

    It is really helpfull, thank you so much.

    And I need audit log for the owner, aldo i used the example below from technet, it didn’t work.

    Search-MailboxAuditLog -Identity kwok -LogonTypes Owner -ShowDetails -StartDate 1/1/2012 -EndDate 3/1/2012 | Where-Object {$_.Operation -eq “HardDelete”}

    The error is,
    A valid LogonType must be specified when ShowDetails is set to false. Valid Logon Types when ShowDetails is false are:
    Admin,Delegate

    Could you please help me to find what is wrong?

    Thank you…

  31. John

    Hi

    Thanks for all. I want to check something else. I can run Exchange ECP report:
    Export mailbox audit logs…
    Search for and export information about non-owner access to a mailbox during a specific time period. Learn more…

    I want to make a filter and to run the same report with specific users excluded? How do I do that? Perhaps with cmdlet?

    Thanks

    1. John

      For example I can do this and I want to see all non-owner accesses:
      New-MailboxAuditLogSearch “Delegates” -Mailboxes “X Y” -LogonTypes Delegate -StartDate 01/01/2012 -EndDate 09/21/2012 -StatusMailRecipients “x@x.com”

      However, this return too many results. How can I get them all? Or eventually add few exceptions? for example I have blackberry service which is active and the bb account is audited and it creates alot of entries.

      Thanks!

  32. Athar

    Hi,

    I am facing problems with Audit reports some of the users, some of them are showing audit report but many users are just blank in ECP/shell. I have checked the audit attributes and all of them have the same attributes.

    any ideas?

    Thanks

    1. Paul Cunningham

      Are you expecting to see auditable events in the results? If nothing has happened to generate any audit logs I imagine you would see blank results.

      1. Athar

        Its showing only the users, that got their accounts accessed by service account or other non-owners. I don’t see all the user so I assume that audit log is showing account cause of breach. Some of them are showing details and some of them are just blank when I select them 🙂

        Thanks.

  33. Dumitru

    Hi,
    can you help to find location of log entries?

    1. Jan

      In the mailbox itself in hidden folder.
      Jan

  34. Dave K

    Hi Paul,

    When running the Search-MailboxAuditLog command I noticed that the ItemSubject is not populated on delete operations for messages. Is there a way to determine what the subject of the delete message was? The only information provided is the SourceItems id (which i assume is the message id).

    I’m running the command against the owner’s mailbox with AuditOwner enabled for Update, Move, MoveToDeletedItems, SoftDelete and HardDelete.

    Thanks.

    1. Dave K

      Sorry I should clarify, i’m running the Search-MailboxAuditLog -ShowDetails command.

  35. Brian

    Thanks for this! How would you recommend going about setting this up if we want to audit all mailboxes? It seems kind of silly to pick and choose, how are we supposed to know where there will some day be an issue with someone deleting an e-mail they shouldn’t. Seems like this is a pretty big oversight to only allow setting auditing at the mailbox level. I’ve noticed that trend a lot in Exchange 2010 though. In 2003 it seemed everything was able to be set at a datastore or server level.

    Thanks!
    Brian

  36. Daniel

    Hi Paul,

    Fantastic article.

    I have a catchall mailbox here that I would like to see who is accessing it and if they are reading e-mails in the catchall. (I understand that I can see who has access to it via the console or shell but I also want to see when / why they are accessing it) I have enabled auditing as per your instructions and see that the following is on by default.

    [PS] C:Windowssystem32>get-mailbox Catchall | fl *audit*

    AuditEnabled : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
    AuditOwner : {}

    Can I add a parameter so I can see when a user is reading mails in the catchall?

  37. Hao

    Hi Paul,

    I have the same issue with Dennis here, after turn on user audit, I could not find any log. Are there any steps that we have to do with Mailbox server in “Manage Diagnostic Logging Properties” ?

    Thanks in advanced,
    Hao

    1. Hao

      I am sorry, It worked, I got the audit log with the command:

      Search-MailboxAuditLog -ShowDetails |FT

  38. Florin

    Hi,

    How can I generate reports for the audit logs and send them to an email address (automatically)?

    Is there a way to give to a specific user the possibility to see he’s audit reports in OWA or ECP?

    Thank you in advance!
    Florin

  39. Dennis Baader

    Hi,

    at first thanks for this howto. I configured all by your steps, but i didn’t get any results from the mailbox search. It seems like, the exchange didn’t log anything. But i can see that AuditLog is enabled for the mailbox. I tested some diffrent mailboxes. We use Exchange 2010 SP1.

    Maybe a problem of a service or permission?!

    Thanks for reply.

    Best Regards,

    Dennis

  40. kembobill

    hi paul,
    would you give direction on how to enable logging to check spam source. my ip is being blacklisted so often and i think it will get to a point i will be out totally..

  41. Brian

    Yes it does audit any non-owner access to the mailbox through the CAS, including EWS. BES uses EWS and there are LOTS of non-owner entries generated if you use BES.

    1. Atom

      Is it also possible to catch external who use OWA on firefox or other non IE browsers?

      1. Paul Cunningham

        You would look in the IIS logs for OWA (separate to mailbox audit logging) for that type of information on which browsers people are using.

      2. Atom

        OKAY Paul, I think what I was asking is whether it is possible (presumably using IP) to track those external users who log onto other people email accounts if they have logged in the email system using the actual victim’s email credentials?

      3. Paul Cunningham

        The IP address of the person connecting to OWA will be visible in the IIS logs for OWA (depending on how your firewall is configured, you may need to look at firewall logs instead).

  42. gaponte

    Hi Paul,
    Firstly I’m so glad to read your genius and clean articles (great experience I got via your site 🙂 )…etc…etc..
    Regarding the auditing I’m trying to get details after I’ve enabled the auditing to a mailbox, but on executing the query below, I’m not getting any resuly at all:
    Search-MailboxAuditLog -Identity alias -LogonTypes Delegate -StartDate 2/29/2012 -EndDate 3/1/2012 -ResultSize 1 -ShowDetails
    Do I miss some other step?
    Thank you in advance!

  43. Andy

    Prior to setting up exchanges (and using the POP connector) my client used to leave 5 days worth of email on the pop server(fro Outlook settings) so that a manager could review activity.
    Any thoughts on implementing this and presenting in an easy to use format?

  44. Manohar

    Greeting !!

    Is there any poershell script to audit exchange 2010 sp2 user’s mailboxes , please suggest

  45. Dubravko Hlede

    I have enabled mailbox audit logging, on one mailbox (test1), according to your guide.

    Set-Mailbox test1 -AuditEnabled $true

    After that I have given full access permissions to that mailbox to user: test2.

    Add-MailboxPermission -Identity test1 -User test2 -AccessRights Fullaccess -InheritanceType all

    Using test2 user I have deleted email in test1 mailbox, but when I use ECP or
    Search-MailboxAuditLog -StartDate 1/1/2012 -EndDate 2/14/2012 –ShowDetails

    I get nothing.

    Any sugestions?

  46. JOhn Sdao

    Will auditing catch non-owner entries if the account is being accessed by EWS?

    1. Paul Cunningham

      Hmmm, I don’t know the answer to that. If there is impersonation being used then I would guess only the impersonating account would show up. But I’m only guessing.

  47. Mouzzam

    I need to export this log file result in file how i can check this ?

  48. David Musashi

    Thanks for the article! I needed this! I’ve been able to turn on the auditing for just one user, as well as turn on auditing for the the mailbox owner for softdelete and harddelete using “set-mailbox -auditowner softdelete, harddelete” (user is having messages that are being harddeleted that they claim they are never seeing so I’m trying to figure out what is harddeleting the messages.
    Here is my question, how would I sort the output so that it’s only showing Operation: HardDelete? Anytime I try something like “Search-MailboxAuditLog -Identity -StartDate 12/11/2011 -ShowDetails -Operation HardDelete” I get a “positional paramerer” error.

    1. Nuno Mota

      Hi David,

      Try the following: Search-MailboxAuditLog -StartDate “12/11/2011” -ShowDetails | ? {$_.Operation -match “delete”}

      Also, do you see anything for the Owner?

      Regards,
      Nuno

      1. David Musashi

        After 6 months of working on this I finally figured out that the user had set junk mail rules that automatically deleted messages. So the logs were saying she deleted them but she was saying that she didn’t. I love it when users go dinking with settings they don’t really understand. So, how would I turn off the auditing for this user now that I don’t need them audited anymore?

  49. Gonzalez

    Thank you Paul. Well written doc. Very helpful! 🙂
    I would like to see more example though, sometimes, when you have the time, for example, it took another 10min or so to find out how to construct this:
    Set-Mailbox username -AuditEnabled $true -AuditLogAgeLimit 360.00:00:00 -Confirm

    Anyway, as it is, it is very helpful.

    I have question: There is a feature, on the server, which is available to admin, to set forwarding of emails from one mailbox to another. This: “Forward to Select this check box, and then click Browse to open the Select Recipient dialog box. Use this dialog box to select a recipient to whom you want to forward all e-mail messages that are sent to this mailbox. ”
    My question is: Lets assume auditing is not enabled, is there an option to check and audit all the mailboxes for this setting? I guess, I have to go and check the configuration for each mailbox separately and manually?

    Thank you

    1. Nuno Mota

      Hi Gonzalez,

      This new feature does not audit that type of configuration (note that the e-mail is forwarded before reaching the mailbox).
      For that, all you have to do is run a cmdlet similar to:
      Get-Mailbox -ResultSize Unlimited -Filter {DeliverToMailboxAndForward -eq $True} | Select SamAccountName, ForwardingAddress, ForwardingSmtpAddress

      Hope this helps!

  50. Grant B

    We have exchange 2010 and I cannot run these power shell commands. when i run the get mailbox i just get a return to the ps prompt. when I run the set mailbox i get this error:
    A positional parameter cannot be found that accepts argument ‘-AuditEnabled:’.
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox
    Also my ecp does not have the auditing tab ? what am i missing ? Do i need to install something extra ?

    thanks for your help good article.

      1. Grant B

        I guess i have rtm ? would that be the case i am running rollup 5 ?

        thansk

      2. Parastoo

        Hi Paul

        I have same problem with running these shell command in SP, anyway I have another question:

        With Audit feature Is it possible to know who has send a delivery report query on a specific audit-Enabled Mailbox ?

        e.g. I wanna know who checked delivery report “Search for delivery information about messages sent to or from a specific person” on my mailbox .
        As we know in Delivery Report log we will see all the mail subjects which send / receive to users so it is very critical and I need to monitor it.
        Any idea is appreciated

  51. Sergio K

    Hello while attempting to enter the Set-Mailbox Alan.Reid -AuditEnabled $true command, I get an error Positional Parameters Not Found. Any Idea why I get that error.

    Thanks

    1. Paul Cunningham

      Try using -identity when you’re specifying the mailbox name. And try it first with Get-Mailbox to make sure you’re entering a valid mailbox name.

      1. Sergio K

        Thanks,
        I will try that.

Leave a Reply