
Use Admin Audit Logging to Track Changes Made by Administrators

Who changed that email address policy? Who dismounted that database? Who granted that person access to the CEO's mailbox?

As an Exchange administrator those are all the type of questions you could be asked quite regularly, especially if you work in a large IT team with many administrators making changes on a daily basis.

Fortunately, ever since Exchange Server 2010 we've been able to answer those questions using administrator audit logging. Admin audit logging captures all changes made by administrators using the Exchange management tools (PowerShell cmdlets or the Exchange Admin Center). Only cmdlets that make changes are logged, for example Remove-Mailbox; cmdlets that only read data, such as Get-Mailbox, are not logged.

Configuring Administrator Audit Logging

Admin audit logging has the following default configuration.

  • Admin audit logging is enabled.
  • 90 days of log retention.
  • All cmdlets that can make modifications are audited.
  • All parameters of the above cmdlets are logged.
  • Test cmdlets (such as Test-MAPIConnectivity) are not logged.
  • Log level of “none”. This doesn't mean nothing is logged: it records the command that was run, who ran it, and which object was modified. The other option is “verbose”, which also logs the old and new values of the properties the command changed.

Admin audit logging can be disabled, its configuration can be modified to limit the cmdlets or parameters that are audited, and the log retention period can be shortened. For this reason you should limit the ability of administrators in your organization to modify the admin audit log settings. By default this right is granted to members of Organization Management and Records Management. I recommend you review your RBAC role group membership to ensure that only the most trusted administrators are members of those groups.

Note that any changes made to the admin audit log config are logged in the admin audit logs, regardless of whether admin audit logging is enabled or disabled. So in theory you should see evidence of any tampering that has occurred.
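One way to operationalize the two points above, as an added example that is not part of the original article: compare the current configuration against the defaults listed earlier, list who effectively holds the Audit Logs management role, and then search the log itself for any Set-AdminAuditLogConfig calls, which are recorded even while auditing is disabled. It assumes the Exchange Management Shell and a 90-day look-back window.

```powershell
# Added example (not from the original article). Run from the Exchange Management Shell.
$config = Get-AdminAuditLogConfig

# Flag any deviation from the default configuration described in the article.
$findings = @()
if (-not $config.AdminAuditLogEnabled) {
    $findings += 'Admin audit logging is DISABLED'
}
if ($config.AdminAuditLogAgeLimit -lt (New-TimeSpan -Days 90)) {
    $findings += "Retention below the 90-day default: $($config.AdminAuditLogAgeLimit)"
}
if ($config.AdminAuditLogCmdlets -notcontains '*') {
    $findings += "Audited cmdlets narrowed to: $($config.AdminAuditLogCmdlets -join ', ')"
}
if ($config.AdminAuditLogParameters -notcontains '*') {
    $findings += "Audited parameters narrowed to: $($config.AdminAuditLogParameters -join ', ')"
}
if ($findings.Count -eq 0) { 'Admin audit log config matches the defaults.' } else { $findings }

# Who can change this configuration? Expand role groups to the effective users.
Get-ManagementRoleAssignment -Role 'Audit Logs' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName |
    Sort-Object EffectiveUserName -Unique

# Who has actually changed it? Look-back window is an assumption (90 days).
$since = (Get-Date).AddDays(-90)
Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -StartDate $since -EndDate (Get-Date) |
    Sort-Object RunDate |
    Select-Object RunDate, Caller, Succeeded,
        @{Name = 'Parameters'; Expression = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }}
```

Any entry in the last table that you cannot match to a change-control record deserves a follow-up with the Caller it names.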

Searching Administrator Audit Logs

Admin audit logs are reasonably simple to search using the Exchange Management Shell. There are a few different approaches you can take:

  • Search for a specific cmdlet or cmdlets
  • Search within a specific date range
  • Search for actions taken by a specific administrator
  • Search for actions taken against a specific object

You can also combine the above by using multiple parameters in your search.

Let's take a look at a simple example – someone has granted the user Alex Heyne access to the CEO Alannah Shaw's mailbox. We know this is done using the Add-MailboxPermission cmdlet, so we can use the -Cmdlets parameter of Search-AdminAuditLog to run the search.

Another approach for the same scenario would be to look for modifications to the object “Alannah.Shaw” by using the -ObjectIds parameter. In this example it gives us exactly the same result, but you can imagine that other modifications may have been made to the same object and that multiple log entries would appear in many real world environments.

Searches can be limited to specific date ranges. Here's how to search for modifications made by “Administrator” in the last 30 days.

A lot of results were returned, so I haven't displayed them. But let's say that I wanted to know just the object IDs that “Administrator” had modified in the last 30 days.

Looks like “Administrator” has been messing with virtual directories and databases. Let's make it even more useful and look at the time stamp, cmdlet, and objects modified by “Administrator” in the last 30 days.
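The searches walked through above, written out as an added example rather than the article's own commands. It uses the page's sample identities (Alannah Shaw, Administrator) and assumes the Exchange Management Shell; the 30-day window and the -ResultSize value are assumptions.

```powershell
# Added example (not the article's own commands). Run from the Exchange Management Shell.

# 1. Who granted access to the CEO's mailbox? Filter on the cmdlet that does it,
#    then narrow to the target object and expand the parameters that were passed.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission |
    Where-Object { $_.ObjectModified -like '*Alannah Shaw*' } |
    Select-Object RunDate, Caller, ObjectModified,
        @{Name = 'Parameters'; Expression = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }}

# 2. The same question from the object's side: every change made to that mailbox.
Search-AdminAuditLog -ObjectIds Alannah.Shaw |
    Sort-Object RunDate |
    Select-Object RunDate, Caller, CmdletName, Succeeded

# 3. Everything a specific administrator did in the last 30 days (window assumed).
#    The default -ResultSize is 1000; raise it so a busy admin is not truncated.
$since = (Get-Date).AddDays(-30)
$adminActions = Search-AdminAuditLog -UserIds Administrator `
    -StartDate $since -EndDate (Get-Date) -ResultSize 5000

# 4a. Just the distinct objects that administrator touched.
$adminActions | Select-Object -ExpandProperty ObjectModified -Unique | Sort-Object

# 4b. Time stamp, cmdlet and object, oldest first, as a change timeline.
$adminActions | Sort-Object RunDate |
    Format-Table RunDate, CmdletName, ObjectModified -AutoSize
```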

Summary

As you can see administrator audit logging contains a lot of valuable information to help you identify who has been making changes in your Exchange organization. You can also see why it is important to limit administrative rights to only the minimum that each IT team member needs to do their job.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

14 comments

  1. Dinesh says:

    Hi, I set the AdminAuditLog for 120 days with the below command

    Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 120.00:00:00

    When I search the logs with the help of the below cmdlet, it is not showing more than 1 week of logs.

    Search-AdminAuditLog -StartDate 07/05/2015 -EndDate 09/20/2015

    Could you help me on this.

    Thank you.

  2. Terrance Brennan says:

    Unfortunately, not everything done by an Admin is logged. If you open a Windows PowerShell window and load the Exchange module nothing is recorded in the audit logs. Only actions performed in the EMS are recorded.

  3. Scott Thompson says:

    Hello again Paul…I have been asked a couple of questions by one of our auditors and I am struggling to find any solid answers. I hope that you might be able to assist.

    1. Can anyone with access to the eDiscovery portal (via the RBAC) see ALL the previously created and stored searches regardless of who created them?

    2. What audit trails are available in eDiscovery. Can I retrieve reports about who created, modified, and deleted searches along with details such as search criteria and what was done with the results (run, previewed, exported, etc)?

    Thanks

    Scott

  4. Jason Meyer says:

    Excellent article as always. I’m trying to determine why some admin events are not showing up in my Admin Log. Like simple mail enables, I’m finding that about 95% of them ARE showing up, and about 5% are not. So far haven’t found any differences in how the 5% are enabled.

  5. Eric says:

    Hi,
    Can someone please help me figure out how to get a more useful username out of the .CmdletParameters value. Currently when you run this command…

    (Search-AdminAuditLog -Cmdlets Add-MailboxPermission).CmdletParameters

    It returns the following,

    Identity Lab Test 01
    AccessRights FullAccess
    InheritanceType All
    User NAMPR06A002Eric 577832002717381

    The “User” is who I granted full access to. How am I supposed to make sense of that data? Anyone know how to get it to return samaccountname or something?

    -Eric

  6. thoufeeq says:

    Hi,
    In Exchange 2016, the Search-AdminAuditLog returns UPN as caller which was Canonical Name in the previous versions of Exchange. Is there any way to get Canonical Name as Caller ?

  7. theresa says:

    Noticed when Partners are set up to manage a tenant, new accounts, changes and disabled accounts do not show up in the audit log of the targeted tenant. By design, or bug?

  8. Ed Kummel says:

    Thank you Paul for all your contributions. I use your stuff on a daily basis. We recently got the edict to implement auditing for admins and mailboxes. I’ve done all the necessary tasks and can download audit logs all day long... from the EMS.
    But, if I open a generic Powershell session (Powershell version 4.0), add the Exchange Powershell snapins and then run the Search-AdminAuditLog from there, we get a weird error that says:
    search-adminauditlog : The attempt to search the administrator audit log failed. Please try again later.
    Checking the Event Logs, I find the error in the MSExchange Management Event log.
    Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogSearchException: The attempt to search the administrator audit log failed. Please try again later. —> Microsoft.Exchange.Data.ApplicationLogic.AuditLogAccessDeniedException: The requesting account doesn’t have permission to access the audit log. —> System.Web.Services.Protocols.SoapException: The requesting account does not have permission to serialize tokens.

    Every other Exchange command runs in this Powershell session *EXCEPT* those commands relating to Audit logs.
    I am also starting the Powershell session with a runas administrator. And if I do a “whoami”, it returns my organizational Administrator account.

    I’ve scoured the web for details on this, but the results are always talking about the EMS, not a generic Powershell session.

    Any ideas?

    • It’s not supported or recommended to load the Exchange snapins into a regular PS console like that, except for specific scenarios under the guidance of MS Support. One of the reasons being that it bypasses RBAC. I suspect what you’re seeing is a symptom of that.
