Exchange 2010 Administrator Logging walk-through
Who changed Linda’s primary email address? Aah… wish I knew how to track the change…
When an Exchange organization has more than one administrator, it is often hard to keep track of changes made to configuration objects, distribution groups or contact objects. Knowing exactly what was changed, and when, matters when troubleshooting: for example, a history of the Send and Receive connector properties helps when chasing message routing errors. A record of configuration changes is also useful for documentation and may be required for legal reasons.
In figure (a) the properties of the mailbox named 'Testing' are highlighted; its Modified timestamp reads Monday, September 10, 2012 1:20:25 PM.
However, what was modified and which administrator made the modification are still unknown.
Exchange 2010 offers a feature called Administrator Audit Logging, which records the Exchange Management Shell cmdlets that are run in the Exchange organization. Because the Exchange Management Console and the Exchange Control Panel execute cmdlets behind the scenes, changes made through them are recorded too.
The exception is cmdlets that begin with Get-, for example Get-CASMailbox; these make no configuration changes and are not logged.
In Exchange 2010 RTM the log entries were e-mail messages stored in a mailbox of the administrator's choice; from SP1 onward they are kept in a hidden arbitration mailbox (see below). Either way, the log is a record of who changed what, so access to that mailbox, and to the cmdlets and reports that read it, should be restricted to those who need the change history or who troubleshoot.
Administrator Audit Logging Configuration Parameters
“Set-AdminAuditLogConfig” is the cmdlet that enables configuration of Administrator Audit Logging. The configurations can be viewed using the Get-AdminAuditLogConfig cmdlet.
The parameters of Set-AdminAuditLogConfig that matter most are those with the string "Log" in their names.
So we use Get-AdminAuditLogConfig together with Format-List and a wildcard, so that only the settings whose names contain Log are shown (a bare "| fl" dumps every property).
We run the following cmdlet:
Get-AdminAuditLogConfig | Format-List *Log*
The output is illustrated in the figure.
The properties shown correspond to the parameters of Set-AdminAuditLogConfig:
- AdminAuditLogEnabled – whether administrator audit logging is on. It was off by default in Exchange 2010 RTM and is on by default from SP1 onward; in my lab it is enabled. To turn it on, set this parameter to $true.
- TestCmdletLoggingEnabled – whether Test- cmdlets, such as Test-OutlookWebServices and Test-ReplicationHealth, are logged. The default is $false, so they are not.
- AdminAuditLogCmdlets – which cmdlets are logged when administrator audit logging is enabled. The default is the wildcard *, meaning every cmdlet (other than the Get-, Search- and Test- families) is logged.
- AdminAuditLogParameters – which cmdlet parameters are recorded alongside the cmdlet name. The default * records them all.
- AdminAuditLogAgeLimit – how long a log entry is kept before it is purged. The RTM release did not enforce it; from SP1 onward the default is 90 days. Because entries are stored as e-mail messages, a limit keeps the audit mailbox from growing without bound.
Configuring Administrator Audit Logging
Before enabling administrator audit logging, decide what should be logged. By default every cmdlet that runs produces a log entry; if you are enabling auditing for the first time and want that behaviour, leave the cmdlet list alone. If you previously narrowed the list and now want every cmdlet audited again, pass the asterisk (*) wildcard to the AdminAuditLogCmdlets parameter of Set-AdminAuditLogConfig.
In Exchange 2010 RTM the log mailbox was chosen with the AdminAuditLogMailbox parameter; from SP1 onward that parameter is no longer used.
Audit logs are stored in a hidden, dedicated arbitration mailbox that can only be read through the Exchange Control Panel (ECP) Auditing Reports page or the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets. It cannot be opened in Microsoft Office Outlook Web App or Microsoft Outlook. The following sections cover:
- What’s included in the logs
- Reports available on the ECP Auditing Reports page
- Audit log search cmdlets
The Auditing Reports page in the ECP has several reports that provide information on various types of compliance and administrative configuration changes. The following reports provide information on configuration changes in your organization:
- Administrator Role Changes This report lets you search for changes to the management role groups you specify within a given timeframe. The results include the role groups that were changed, who changed them and when, and what the changes were. A maximum of 3,000 entries is returned; if your search might exceed that, use the Export Configuration Changes report or the Search-AdminAuditLog cmdlet.
- Export Configuration Changes This report exports the audit log entries recorded within a given timeframe to an XML file and e-mails the file to a recipient you specify.
When you run the Search-AdminAuditLog cmdlet, every audit log entry that matches the search criteria you specify is returned.
Logging Cmdlet Names
Once logging is enabled, the default set of logged cmdlets is everything except the Get-, Search- and Test- families. AdminAuditLogCmdlets narrows this: cmdlets can be named individually or matched with wildcards. For example, to log New-Mailbox, every cmdlet ending in TransportRule, every cmdlet with Management in its name, and every cmdlet starting with Set-Transport (which covers Set-TransportConfig), run:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets New-Mailbox, *TransportRule, *Management*, Set-Transport*
To log all cmdlets whose names end with ReceiveConnector, run:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *ReceiveConnector
Several patterns can be given to AdminAuditLogCmdlets, separated by commas. Note that each call replaces the existing list rather than adding to it, so name everything you want logged in one command.
For example, to log both the cmdlets ending with ReceiveConnector and those with Config in their names, run:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *ReceiveConnector, *Config*
This command enables the logging of Test- cmdlets:
Set-AdminAuditLogConfig -TestCmdletLoggingEnabled $True
To log all cmdlets again, simply run:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
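Putting the settings above together, here is an added example (my code, not from the original post) that enables auditing, extends the cmdlet list without wiping whatever is already configured, reads the configuration back, and checks that the configuration change itself was recorded. The two patterns added in step 2 are illustrative; the Add hash-table form is the syntax Exchange multivalued properties accept.

```powershell
# Added example (not from the original post): turn on administrator audit
# logging and extend the cmdlet list without wiping what is already there.
# Run from the Exchange Management Shell on Exchange 2010 SP1 or later.

# 1. Enable auditing and also record Test-* cmdlets.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -TestCmdletLoggingEnabled $true

# 2. A plain list passed to -AdminAuditLogCmdlets REPLACES the current value.
#    The Add/Remove hash-table form that Exchange multivalued properties accept
#    appends instead. (If the list is still the default '*', everything is
#    logged already; the Add form matters once the list has been narrowed.)
Set-AdminAuditLogConfig -AdminAuditLogCmdlets @{Add = '*ReceiveConnector', '*Config*'}

# 3. Keep every parameter logged; narrowing this hides the very details you
#    will want later when asking "what exactly was changed?".
Set-AdminAuditLogConfig -AdminAuditLogParameters '*'

# 4. Read the configuration back and stop if auditing is still off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    throw 'Administrator audit logging is still disabled'
}
$cfg | Format-List AdminAuditLogEnabled, TestCmdletLoggingEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# 5. Changes to the audit configuration are themselves logged. Entries can take
#    a few minutes to appear, so re-run this if it comes back empty.
Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletParameters
```

Step 5 doubles as a smoke test: if the Set-AdminAuditLogConfig calls you just ran do not show up within a few minutes, the arbitration mailbox or the mailbox server hosting it is worth a look before you rely on the log for anything else.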
Search the Administrator Audit Log
To see which changes have been made to management role groups in your organization, use the Administrator Role Changes report on the Auditing Reports page in the ECP. It lists the role groups that changed during a chosen date range, and you can narrow it to specific role groups.
- Log on to Outlook Web App.
- Click Options, and then click See All Options.
- In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
- Click Reporting, click Auditing, and then click Administrator Role Changes.
- Select a date range using the Start Date and End Date fields.
- Select the role groups you want to show changes for from the Select Role Groups field, or leave this field blank to search for changes in all role groups.
- Click Search.
Using the ECP to export all admin logging:
- Log on to Outlook Web App.
- Click Options, and then click See All Options.
- In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
- Click Reporting, click Auditing, and then click Export Configuration Changes.
- Select a date range using the Start Date and End Date fields.
- Select the recipient who should receive the XML file using the Select users to email the audit log to field.
- Click Export.
Using the Shell to search:
This is a general query (dates typed as strings are parsed with the server's regional settings, so 03/08/2012 may mean 8 March or 3 August; pass DateTime objects if that is a concern):
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 03/08/2012 -EndDate 04/09/2012 -UserIds ratish, jonathan, rjames
Let's say we need to find out who changed the PrimarySmtpAddress of the user "Linda". Run:
Search-AdminAuditLog -StartDate 03/08/2012 -EndDate 04/09/2012 -ObjectIds contoso.com/Users/Americas/Linda
If you would rather have the results e-mailed as an XML attachment, use New-AdminAuditLogSearch instead; it takes the same filters plus a report name and the recipients' SMTP addresses (Search-AdminAuditLog has no -StatusMailRecipients or -Name parameter):
New-AdminAuditLogSearch -StartDate 03/08/2012 -EndDate 04/09/2012 -ObjectIds contoso.com/Users/Americas/Linda -StatusMailRecipients ratish@contoso.com -Name "Linda Mailbox limit changes"
To test this, I changed Linda's City to "New York" and ran the cmdlet. This is the result:
RunspaceId : fa21f7b6-4573-45d0-a225-362dff332350
ObjectModified : contoso.com/Users/Americas/Linda
CmdletName : Set-User
CmdletParameters : {Identity, City}
ModifiedProperties : {City}
Caller : contoso.pri/Admin Accounts and Groups/ratishnair
Succeeded : True
Error : None
RunDate : 9/10/2012 1:20:25 PM
OriginatingServer : AMR-EXCH01 (14.03.0071.000)
Identity : RgAAAADfq8umTz3+QJ+gYeWvP42TrlnV6Gf9Z+VAAAAOFX9AAD4sBrDCP42TrlnV6Gf9Z+VAABqQfa6AAAJ
IsValid : True
So, long story short: at 9/10/2012 1:20:25 PM (the same timestamp the mailbox's Modified field showed in figure (a)) admin "ratishnair" changed City for "Linda", and admin logging saved the day!
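The default console view above prints CmdletParameters as {Identity, City}, but each element also carries the value that was passed, which answers "changed to what?" (the old value is not recorded). As an added example, my code rather than the original post's, here is a small function that flattens Search-AdminAuditLog output for one object into a readable change history including those values; the object path and the 90-day window are assumptions.

```powershell
# Added example (not from the original post): flatten the audit log for one
# object into a readable change history, including parameter VALUES.
# Written for the Exchange 2010 Management Shell (PowerShell 2.0 syntax).

function Get-ObjectAuditTrail {
    param(
        # Canonical name as shown in ObjectModified, e.g. contoso.com/Users/Americas/Linda
        [Parameter(Mandatory = $true)] [string] $ObjectId,
        [int] $Days = 30,
        # Search-AdminAuditLog returns at most 1000 entries unless told otherwise
        [int] $ResultSize = 5000
    )

    # Build the window from DateTime objects rather than typed strings, so the
    # result does not depend on the server's date format (03/08/2012 is
    # 8 March or 3 August depending on regional settings).
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    Search-AdminAuditLog -ObjectIds $ObjectId -StartDate $start -EndDate $end -ResultSize $ResultSize |
        Sort-Object RunDate |
        Select-Object RunDate, Caller, CmdletName, Succeeded, OriginatingServer,
            @{ Name = 'Changes'; Expression = {
                # Each CmdletParameters element has Name and Value. Identity is
                # dropped because ObjectModified already says what was changed.
                ($_.CmdletParameters |
                    Where-Object { $_.Name -ne 'Identity' } |
                    ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
            } }
}

# Who touched Linda in the last 90 days, and what did they set?
Get-ObjectAuditTrail -ObjectId 'contoso.com/Users/Americas/Linda' -Days 90 |
    Format-Table RunDate, Caller, CmdletName, Changes -AutoSize -Wrap

# Only the primary address changes. The address can be set directly with
# -PrimarySmtpAddress or by rewriting -EmailAddresses, so match either name.
Get-ObjectAuditTrail -ObjectId 'contoso.com/Users/Americas/Linda' -Days 90 |
    Where-Object { $_.Changes -match 'PrimarySmtpAddress=|EmailAddresses=' }
```

Raise -ResultSize if a busy object comes back with exactly the limit, and keep in mind that Search-AdminAuditLog only sees entries still inside AdminAuditLogAgeLimit; for anything older you need an export taken while the entries were still there.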
Ratish Nair
MVP Exchange
Team@ MSExchangeGuru
Configure Exchange 2010 administrator logging, How to track changes made to users, Exchange 2010 auditing.
October 15th, 2013 at 11:11 am
In XG 2010, this cmdlet doesn't give the old value. And the verbose loglevel option is not available. Only the cmdlet New-AdminAuditLogSearch gives this old value, but in an XML file. Not very friendly reading…