Friday, September 2, 2016

Complete Guideline on Mailbox Audit Logging in Exchange Server 2016

Nowadays data Security is the main concern for every organization. As email plays, an important role to communicate with others in an organization so, control over the data saved in mailbox is must as per the security purpose. Therefore, Microsoft provides a functionality of “mailbox audit logging” to have the proper control over the information stored in mailbox. This helps to track the actions performed by users on mailboxes and shared mailboxes information by other users. Along with this, it helps to obtain the ID and name with whom the information is being shared. In the following session, we will discuss logging levels and way to perform mailbox audit logging in Exchange server 2016.

Levels of Logging

There are three types of users for which the mailbox audit logging can track the performed actions, i.e. Mailbox owner, Mailbox delegate, and Administrator. When the auditing is enabled by default then, only the selected actions via administrator are performed and representatives are logged. These settings are adjusted by AuditOwner, AuditDelegate, AuditAdmin parameters and permit the actions of mailbox, which should be logged.

Various Actions Logged via Mailbox Audit

Mailbox audit logging permits users to track the mentioned actions, which are performed by users, admin, and delegate such as Copy, Create, HardDelete, FolderBind, Move, MoveToDeletedItems, MessageBind, SendOnBehalf, Send, Softdelete, Update. These are the main actions, which are offered by Mailbox audit mechanism for tracking a wide range.

Default Logging Configuration of mailbox

Logs are collected for each mailbox on which mailbox audit logging has been switched via EMS by default. All these log files are stored in individual mailboxes in the recoverable folder and unable to open via OWA. By default the retention period is 90 days however, it can be changed by default.


Some permissions are required before starting the process. For managing the mailbox audit logging, it is important for being a member of either of these groups, i.e. Organization Management and Record Management.

Technique for Mailbox Audit Logging in Exchange Server 2016

Enabling Mailbox Audit

Mailbox audit logging mechanism is off by default for all mailboxes. For checking the status of audit of specific mailbox, run the following command in PowerShell and in the output user receives the complete information related to mailbox. Get-Mailbox [UserName] |FL
If the audit logging is disable for some mailbox then, it can be enabled by utilizing AuditEnabled parameter. Additionally, log retention can be adjusted and enabled logging for two actions via owner of mailbox. Here is the complete EMS command.
Set-Mailbox [UserName] –AuditEnabled $True –AuditLogAgeLimit 60:00:00:00 –AuditOwner Move, HardDelete
After running the above command, the output will be:
Mailbox Audit Logging
As the intended log files contains the information about the actions that are listed in PowerShell output and will retained for 60 days.
Note: The log files that are generated via Mailbox audit mechanism may cause the mailbox of user’s to grow fast and take large portion in disk space. The files saved in Audit folder in recoverable items are inaccessible for users.
For enabling the audit mailbox for various users, run the following command:
Get-Mailbox | Where-Object {$_.OrganizationalUnit –eq ‘[domain]/[OU Name]’ } | Set-Mailbox –AuditEnabled $True

Search Logs via PowerShell

Run the following command on PowerShell command to view log entries that are related to specific performed actions by users of selected type. 
Search-MailboxAuditLog –Identity [User or Mailbox Name] –LogonTypes Owner –ShowDetails –StartDate [Start Date: dd/mm/yyyy] –EndDate [End Date: dd/mm/yyyy] | where-Object {$_.Operation –eq “[Action Name]” }

Search Logs via Control Panel of Exchange

For searching mailbox audit logs by ECP, go to compliance management, auditing in ECP console. ECP only permits to get the information related to actions performed via non-owner users. For complete report on actions performed on multiple mailboxes, select Run non-owner mailbox access report. 
Mailbox Audit Logging in Exchange Server 2016
Now enter the specific date of start and end that is required to be searched and click on search option. 

Generated Searched log via Multiple Mailboxes

Users can search the audit log in multiple mailboxes that are starting from Exchange 2016 by using the mentioned command and share the searched results with one or more selected email addresses.
New-MailboxAuditLogSearch “[Search Name]” –Mailboxes “[User and hared Mailbox Name(s)]” –LogonTypes [Admin/Delegate/External/Owner] –StartDate [search Start Date] –Enddate [search end Date] –StatusMailRecipients [email addresses)]


As we have discussed about Mailbox Audit Logging in Exchange Server 2016. We have come to know that the Mailbox Audit Logging provides administrator an ability for tracking the actions, which are performed by various users on mailbox. It is useful in a case when, it comes to the accessing of shared mailboxes by various users. The mentioned steps, helps in determining the actions performed on these mailboxes. These are important at a time when it is necessary to find the cause behind the damage.
But sometimes during mailbox audit the probability of Exchange Mailboxes corruption increases. Therefore for a quick fix an Exchange Recovery tool could be used.


Post a Comment

Post a reply