Managing Mailbox Owner Audit in Exchange Server 2010
In today’s post we are going over a feature that is not used very often: mailbox owner auditing in Exchange Server 2010. This feature can be used for legal reasons to make sure that we audit not just delegates and administrators but also owners.
In some companies, users open restore tickets because a message “disappeared” from their mailbox, and since the IT department by default has nothing to prove that it wasn’t the mail system’s fault, we just have to start restoring data (of course, by the time they open the ticket the Recover Deleted Items period is long gone).
So, the first step is to enable auditing on a mailbox, and we can do that by running Set-Mailbox <Mailbox> -AuditEnabled $True
After enabling auditing on the mailbox, some actions are logged by default when the source is a delegate or an administrator on the audited mailbox. The default logged actions are basically deletions (soft and hard), send as, and new and updated items.
Enabling Mailbox Owner Audit…
Time to audit the mailbox owner, and for that we can use the cmdlet below. Bear in mind that Update, MoveToDeletedItems, SoftDelete and HardDelete are all of our options for the owner.
Note: AuditEnabled must be set to True for the data to be recorded.
Visualizing the Audit on a mailbox…
Okay, we configured auditing for a user and we want to see what is being logged. A good way to do that is by running the following cmdlet, which shows all the audit details for that specific mailbox.
Checking the logs…
Okay, finally, on a Friday afternoon our beloved user opens a ticket asking for a restore of an item that disappeared. Time for Exchange show time!
Run the following cmdlet: Search-MailboxAuditLog -Identity <Mailbox> -LogonTypes Owner -ShowDetails and voilà, we have all entries containing who, where, which client and so forth. You can export the content or play with PowerShell to narrow down the results, but you get all the proof you need to inform the end user that items do not disappear without a reason.
By the way, you can use three values for LogonTypes, which are: Owner, Delegate and Admin.
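The whole procedure as one Exchange Management Shell script, added here as an example and not taken from the original post. The mailbox alias, the seven-day search window, the result size and the CSV path are placeholder assumptions.

```powershell
# Added example: every value in this block is a placeholder, adjust before use.
$Mailbox   = 'jdoe'                           # hypothetical mailbox alias
$StartDate = (Get-Date).AddDays(-7)           # assumed search window
$EndDate   = Get-Date
$CsvPath   = 'C:\Temp\jdoe-owner-audit.csv'   # hypothetical output path

# 1. Enable auditing and log the four owner actions named in the post.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner Update,MoveToDeletedItems,SoftDelete,HardDelete

# 2. Confirm the settings: AuditEnabled, AuditOwner, AuditDelegate,
#    AuditAdmin and AuditLogAgeLimit all match the Audit* wildcard.
Get-Mailbox -Identity $Mailbox | Format-List Name,Audit*

# 3. Pull the owner entries for the window. -ShowDetails returns the
#    per-entry fields (client, IP address, folder, item subjects).
$entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner `
    -ShowDetails -StartDate $StartDate -EndDate $EndDate -ResultSize 5000

# 4. Keep only the deletions, oldest first. -contains is used instead of
#    -in so the filter also runs on PowerShell 2.0.
$deleteOps = 'MoveToDeletedItems','SoftDelete','HardDelete'
$deletions = $entries |
    Where-Object { $deleteOps -contains $_.Operation } |
    Sort-Object LastAccessed

# 5. Export the fields that answer "who, when, from which client".
$deletions |
    Select-Object LastAccessed,Operation,OperationResult,LogonUserDisplayName,
        ClientInfoString,ClientIPAddress,FolderPathName,SourceItemSubjectsList |
    Export-Csv -Path $CsvPath -NoTypeInformation
```

Only actions performed after step 1 are recorded, so owner auditing has to be in place before the item goes missing.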