

Exchange – How to find out by whom and when an Exchange Object was Modified

One of the audit tasks you may need to perform while operating an Exchange server is finding out by whom and when an Exchange object was created, modified, or deleted.

You can do that by executing the following cmdlet in the Exchange Management Shell:

Search-AdminAuditLog -ObjectIds "ObjectName" -StartDate 12/20/2017 -EndDate 12/23/2017

Note: The ObjectIds parameter accepts a variety of objects, such as mailbox aliases, Send connector names, and so on. If you want to specify more than one object ID, separate each ID with a comma.

You can also get the CN, for example, of a user object, from the Object tab of the User’s Properties dialog, and use it to find user objects.

Note: Advanced Features must be enabled in Active Directory Users & Computers to show the Object tab.

For example, to find out what actions were performed on the mailbox TestMailbox from 12/01/2017 to 12/20/2017, we first get the CN of the object in AD Users and Computers.

Then we execute the following command:

Search-AdminAuditLog -ObjectIds TestMailbox -StartDate 12/01/2017 -EndDate 12/20/2017

The user who made the change is shown next to the Caller property, along with other useful information such as the RunDate and the OriginatingServer from which the object was modified.
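The search above can be turned into a reviewable report. The following is an added example, not part of the original post: it checks that admin audit logging is actually enabled, runs the same search, and flattens each entry into one row per change. It assumes the Exchange Management Shell, and the CSV file name is a placeholder.

```powershell
# Added example; run in the Exchange Management Shell.
# TestMailbox and the date range come from the post; the CSV path is a placeholder.
$objectIds = 'TestMailbox'    # for several objects, pass a comma-separated list of IDs
$start = [datetime]'2017-12-01'
# A date with no time converts to 00:00, so give an explicit end time
# to make sure changes made during the last day are covered.
$end = [datetime]'2017-12-20 23:59:59'

# Nothing is recorded unless admin audit logging is on, and entries
# older than the configured age limit are no longer available.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning 'Admin audit logging is disabled; no entries are being recorded.'
}
Write-Host "Audit log age limit: $($cfg.AdminAuditLogAgeLimit)"

# Search-AdminAuditLog returns at most 1000 entries unless -ResultSize is raised.
$entries = Search-AdminAuditLog -ObjectIds $objectIds -StartDate $start -EndDate $end -ResultSize 5000

# One row per change: who ran which cmdlet, with which parameters, from where.
$report = $entries | Sort-Object RunDate | ForEach-Object {
    [pscustomobject]@{
        RunDate           = $_.RunDate
        Caller            = $_.Caller
        Cmdlet            = $_.CmdletName
        Parameters        = ($_.CmdletParameters |
                                ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
        ObjectModified    = $_.ObjectModified
        Succeeded         = $_.Succeeded
        OriginatingServer = $_.OriginatingServer
    }
}

# Keep a copy for the audit record, then summarise who touched the object and how.
$report | Export-Csv -Path .\TestMailbox-audit.csv -NoTypeInformation
$report | Group-Object Caller, Cmdlet |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the search returns exactly the -ResultSize limit, narrow the date range or raise the limit, because entries may have been cut off.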

Ratish Nair

Microsoft MVP | Office Servers and Services

Team @MSExchangeGuru
