Who changed that email address policy? Who dismounted that database? Who granted that person access to the CEO’s mailbox?
As an Exchange administrator those are all the types of questions you could be asked quite regularly, especially if you work in a large IT team with many administrators making changes on a daily basis.
Fortunately, ever since Exchange Server 2010 we’ve been able to answer those questions using administrator audit logging. Admin audit logging captures all changes made by administrators using the Exchange management tools (PowerShell cmdlets, or the Exchange Admin Center). Only commands that make changes are logged, for example Remove-Mailbox, whereas commands that do not cause changes are not logged, such as Get-Mailbox.
Configuring Administrator Audit Logging
Admin audit logging has the following default configuration.
- Admin audit logging is enabled.
- 90 days of log retention.
- All cmdlets that can make modifications are audited.
- All parameters of the above cmdlets are logged.
- Test cmdlets (such as Test-MAPIConnectivity) are not logged.
- Log level of “none”, which doesn’t mean nothing is logged; it logs the details of the command that was run, who ran it, and which object they modified. The other option is “verbose”, which also logs the old and new values of the object properties that were modified by the command.
Admin audit logging can be disabled, the config can be modified to limit the cmdlets or parameters that are audited, and the log retention period can be changed. For this reason you should limit the ability of administrators in your organization to modify the admin audit log settings. By default this right is granted to members of Organization Management and Records Management. I recommend you review your RBAC role group membership to ensure that only the most trusted administrators are members of those groups.
Note that any changes made to the admin audit log config are logged in the admin audit logs, regardless of whether admin audit logging is enabled or disabled. So in theory you should see evidence of any tampering that has occurred.
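As an added example (not code from the original article), here is a small set of Exchange Management Shell functions that check the admin audit log configuration against the defaults described above, search the audit log for anyone who has changed that configuration, and list who holds the rights to change it. It assumes an Exchange Management Shell session; the 90-day retention threshold and the decision to report a non-verbose log level are this example’s own choices.

```powershell
# Added example, not from the original article. Assumes an Exchange Management Shell
# session. Thresholds below are this example's choices, not Exchange requirements.

function Test-AdminAuditLogBaseline {
    [CmdletBinding()]
    param(
        # Minimum retention you expect; 90 days is the Exchange default.
        [int]$MinimumRetentionDays = 90
    )

    $config   = Get-AdminAuditLogConfig
    $findings = @()

    if (-not $config.AdminAuditLogEnabled) {
        $findings += 'Admin audit logging is DISABLED'
    }
    if ($config.AdminAuditLogAgeLimit.TotalDays -lt $MinimumRetentionDays) {
        $findings += "Retention is $($config.AdminAuditLogAgeLimit.TotalDays) days (expected at least $MinimumRetentionDays)"
    }
    # The default for cmdlets and parameters is '*' (everything); anything narrower
    # means someone has scoped the audit down and changes could go unlogged.
    if (@($config.AdminAuditLogCmdlets) -notcontains '*') {
        $findings += "Audited cmdlets restricted to: $($config.AdminAuditLogCmdlets -join ', ')"
    }
    if (@($config.AdminAuditLogParameters) -notcontains '*') {
        $findings += "Audited parameters restricted to: $($config.AdminAuditLogParameters -join ', ')"
    }
    if (@($config.AdminAuditLogExcludedCmdlets).Count -gt 0) {
        $findings += "Excluded cmdlets: $($config.AdminAuditLogExcludedCmdlets -join ', ')"
    }
    # 'None' is the default; 'Verbose' additionally records old and new property values.
    if ("$($config.LogLevel)" -ne 'Verbose') {
        $findings += "LogLevel is $($config.LogLevel); Verbose would also record old/new property values"
    }

    [PSCustomObject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Config    = $config
    }
}

function Get-AdminAuditLogConfigChanges {
    [CmdletBinding()]
    param([int]$Days = 90)

    # Changes to the audit config are logged even when auditing is otherwise disabled,
    # so this is where evidence of tampering should show up.
    Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -StartDate (Get-Date).AddDays(-$Days) |
        Select-Object RunDate, Caller, CmdletName, CmdletParameters, Succeeded, OriginatingServer
}

function Get-AdminAuditLogAdmins {
    # Who can change the audit settings at all? Review these memberships regularly.
    foreach ($group in 'Organization Management', 'Records Management') {
        Get-RoleGroupMember -Identity $group |
            Select-Object @{n = 'RoleGroup'; e = { $group }}, Name, RecipientType
    }
}

# Usage
$baseline = Test-AdminAuditLogBaseline
if (-not $baseline.Compliant) { $baseline.Findings | ForEach-Object { Write-Warning $_ } }
Get-AdminAuditLogConfigChanges -Days 90 | Format-Table -AutoSize
Get-AdminAuditLogAdmins | Format-Table -AutoSize
```

Run the baseline check on a schedule and treat any finding, or any Set-AdminAuditLogConfig entry from an unexpected caller, as something to follow up on immediately rather than at the next review.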
Searching Administrator Audit Logs
Admin audit logs are reasonably simple to search using the Exchange Management Shell. There are a few different approaches you can take:
- Search for a specific cmdlet or cmdlets
- Search within a specific date range
- Search for actions taken by a specific administrator
- Search for actions taken against a specific object
You can also combine the above by using multiple parameters in your search.
Let’s take a look at a simple example – someone has granted the user Alex Heyne access to the CEO Alannah Shaw’s mailbox. We know this is done using the Add-MailboxPermission cmdlet, so we can use the -Cmdlets parameter for Search-AdminAuditLog to run the search.
[PS] C:\>Search-AdminAuditLog -Cmdlets Add-MailboxPermission

RunspaceId         : f6553abe-9d57-40bc-8e43-dc919bea2b50
ObjectModified     : exchange2013demo.com/ExchangeUsers/Alannah.Shaw
CmdletName         : Add-MailboxPermission
CmdletParameters   : {User, AccessRights, Identity}
ModifiedProperties : {}
Caller             : exchange2013demo.com/Users/Administrator
ExternalAccess     : False
Succeeded          : True
Error              :
RunDate            : 22/09/2015 4:35:33 PM
OriginatingServer  : SYDEX2 (15.00.1076.011)
Identity           : AAMkADI1NGQyZjhiLTFkYTAtNDhmYy05OTBiLTU4MGZlODY0MDQ3NgBGAAAAAAAkqZy/nl4jSa4VBIka73bMBwCEoBRTwPA6QKt9HgzDn/p6AAAAAAEYAACEoBRTwPA6QKt9HgzDn/p6AACUBtrhAAA=
IsValid            : True
ObjectState        : New
Another approach for the same scenario would be to look for modifications to the object “Alannah.Shaw” by using the -ObjectIds parameter. In this example it gives us exactly the same result, but you can imagine that other modifications may have been made to the same object and that multiple log entries would appear in many real world environments.
[PS] C:\>Search-AdminAuditLog -ObjectIds Alannah.Shaw

RunspaceId         : f6553abe-9d57-40bc-8e43-dc919bea2b50
ObjectModified     : exchange2013demo.com/ExchangeUsers/Alannah.Shaw
CmdletName         : Add-MailboxPermission
CmdletParameters   : {User, AccessRights, Identity}
ModifiedProperties : {}
Caller             : exchange2013demo.com/Users/Administrator
ExternalAccess     : False
Succeeded          : True
Error              :
RunDate            : 22/09/2015 4:35:33 PM
OriginatingServer  : SYDEX2 (15.00.1076.011)
Identity           : AAMkADI1NGQyZjhiLTFkYTAtNDhmYy05OTBiLTU4MGZlODY0MDQ3NgBGAAAAAAAkqZy/nl4jSa4VBIka73bMBwCEoBRTwPA6QKt9HgzDn/p6AAAAAAEYAACEoBRTwPA6QKt9HgzDn/p6AACUBtrhAAA=
IsValid            : True
ObjectState        : New
Searches can be limited to specific date ranges. Here’s how to search for modifications made by “Administrator” in the last 30 days.
[PS] C:\>Search-AdminAuditLog -UserIds Administrator -StartDate (Get-Date).AddDays(-30)
A lot of results were returned, so I haven’t displayed them. But let’s say that I wanted to know just the object IDs that “Administrator” had modified in the last 30 days.
[PS] C:\>$logentries = Search-AdminAuditLog -UserIds Administrator -StartDate (Get-Date).AddDays(-30)

[PS] C:\>$logentries.ObjectModified
SYDEX2
SYDEX2\mapi (Default Web Site)
SYDEX2\OAB (Default Web Site)
SYDEX2\EWS (Default Web Site)
SYDEX2\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX2\ecp (Default Web Site)
SYDEX2\owa (Default Web Site)
SYDEX2\Rpc (Default Web Site)
SYDEX1
SYDEX1\mapi (Default Web Site)
SYDEX1\OAB (Default Web Site)
SYDEX1\EWS (Default Web Site)
SYDEX1\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX1\ecp (Default Web Site)
SYDEX1\owa (Default Web Site)
SYDEX1\Rpc (Default Web Site)
SYDEX2
SYDEX2\mapi (Default Web Site)
SYDEX2\OAB (Default Web Site)
SYDEX2\EWS (Default Web Site)
SYDEX2\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX2\ecp (Default Web Site)
SYDEX2\owa (Default Web Site)
DB04\MELEX1
SYDEX2\Rpc (Default Web Site)
SYDEX1
SYDEX1\mapi (Default Web Site)
SYDEX1\OAB (Default Web Site)
SYDEX1\EWS (Default Web Site)
SYDEX1\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX1\ecp (Default Web Site)
SYDEX1\owa (Default Web Site)
SYDEX1\Rpc (Default Web Site)
DB03\MELEX1
SYDEX2\owa (Default Web Site)
SYDEX1
SYDEX1\mapi (Default Web Site)
SYDEX1\OAB (Default Web Site)
SYDEX1\EWS (Default Web Site)
SYDEX1\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX1\ecp (Default Web Site)
DB01\MELEX1
DB04\MELEX1
DB03\MELEX1
DB02\MELEX1
DB01\MELEX1
MELEX2
MELEX1
SYDEX2
SYDEX1
Looks like “Administrator” has been messing with virtual directories and databases. Let’s make it even more useful and look at the time stamp, cmdlet, and objects modified by “Administrator” in the last 30 days.
[PS] C:\>$logentries | Select RunDate,CmdletName,CmdletParameters,ObjectModified

RunDate                 CmdletName                     CmdletParameters               ObjectModified
-------                 ----------                     ----------------               --------------
27/08/2015 11:51:35 AM  Set-ClientAccessServer         {AutoDiscoverServiceIntern...  SYDEX2
27/08/2015 11:51:33 AM  Set-MapiVirtualDirectory       {ExternalUrl, InternalUrl,...  SYDEX2\mapi (Default Web S...
27/08/2015 11:51:19 AM  Set-OabVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\OAB (Default Web Site)
27/08/2015 11:50:51 AM  Set-WebServicesVirtualDire...  {ExternalUrl, InternalUrl,...  SYDEX2\EWS (Default Web Site)
27/08/2015 11:49:55 AM  Set-ActiveSyncVirtualDirec...  {ExternalUrl, InternalUrl,...  SYDEX2\Microsoft-Server-Ac...
27/08/2015 11:48:56 AM  Set-EcpVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\ecp (Default Web Site)
27/08/2015 11:47:39 AM  Set-OwaVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\owa (Default Web Site)
27/08/2015 11:46:13 AM  Set-OutlookAnywhere            {DefaultAuthenticationMeth...  SYDEX2\Rpc (Default Web Site)
27/08/2015 11:46:02 AM  Set-ClientAccessServer         {AutoDiscoverServiceIntern...  SYDEX1
27/08/2015 11:46:02 AM  Set-MapiVirtualDirectory       {ExternalUrl, InternalUrl,...  SYDEX1\mapi (Default Web S...
27/08/2015 11:46:01 AM  Set-OabVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\OAB (Default Web Site)
27/08/2015 11:45:59 AM  Set-WebServicesVirtualDire...  {ExternalUrl, InternalUrl,...  SYDEX1\EWS (Default Web Site)
27/08/2015 11:45:57 AM  Set-ActiveSyncVirtualDirec...  {ExternalUrl, InternalUrl,...  SYDEX1\Microsoft-Server-Ac...
27/08/2015 11:45:53 AM  Set-EcpVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\ecp (Default Web Site)
27/08/2015 11:45:47 AM  Set-OwaVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\owa (Default Web Site)
27/08/2015 11:45:40 AM  Set-OutlookAnywhere            {DefaultAuthenticationMeth...  SYDEX1\Rpc (Default Web Site)
27/08/2015 11:40:03 AM  Set-ClientAccessServer         {AutoDiscoverServiceIntern...  SYDEX2
27/08/2015 11:40:01 AM  Set-MapiVirtualDirectory       {ExternalUrl, InternalUrl,...  SYDEX2\mapi (Default Web S...
27/08/2015 11:39:47 AM  Set-OabVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\OAB (Default Web Site)
27/08/2015 11:39:25 AM  Set-WebServicesVirtualDire...  {ExternalUrl, InternalUrl,...  SYDEX2\EWS (Default Web Site)
27/08/2015 11:38:34 AM  Set-ActiveSyncVirtualDirec...  {ExternalUrl, InternalUrl,...  SYDEX2\Microsoft-Server-Ac...
27/08/2015 11:37:34 AM  Set-EcpVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\ecp (Default Web Site)
27/08/2015 11:36:06 AM  Set-OwaVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\owa (Default Web Site)
27/08/2015 11:35:59 AM  Update-MailboxDatabaseCopy     {DeleteExistingFiles, Conf...  DB04\MELEX1
27/08/2015 11:34:38 AM  Set-OutlookAnywhere            {DefaultAuthenticationMeth...  SYDEX2\Rpc (Default Web Site)
27/08/2015 11:34:26 AM  Set-ClientAccessServer         {AutoDiscoverServiceIntern...  SYDEX1
27/08/2015 11:34:25 AM  Set-MapiVirtualDirectory       {ExternalUrl, InternalUrl,...  SYDEX1\mapi (Default Web S...
27/08/2015 11:34:24 AM  Set-OabVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\OAB (Default Web Site)
27/08/2015 11:34:21 AM  Set-WebServicesVirtualDire...  {ExternalUrl, InternalUrl,...  SYDEX1\EWS (Default Web Site)
27/08/2015 11:34:18 AM  Set-ActiveSyncVirtualDirec...  {ExternalUrl, InternalUrl,...  SYDEX1\Microsoft-Server-Ac...
27/08/2015 11:34:12 AM  Set-EcpVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\ecp (Default Web Site)
27/08/2015 11:34:08 AM  Set-OwaVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\owa (Default Web Site)
27/08/2015 11:34:00 AM  Set-OutlookAnywhere            {DefaultAuthenticationMeth...  SYDEX1\Rpc (Default Web Site)
27/08/2015 11:27:33 AM  Update-MailboxDatabaseCopy     {DeleteExistingFiles, Conf...  DB03\MELEX1
27/08/2015 11:26:30 AM  Set-OwaVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX2\owa (Default Web Site)
27/08/2015 11:25:14 AM  Set-ClientAccessServer         {AutoDiscoverServiceIntern...  SYDEX1
27/08/2015 11:25:07 AM  Set-MapiVirtualDirectory       {ExternalUrl, InternalUrl,...  SYDEX1\mapi (Default Web S...
27/08/2015 11:25:04 AM  Set-OabVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\OAB (Default Web Site)
27/08/2015 11:25:02 AM  Set-WebServicesVirtualDire...  {ExternalUrl, InternalUrl,...  SYDEX1\EWS (Default Web Site)
27/08/2015 11:24:59 AM  Set-ActiveSyncVirtualDirec...  {ExternalUrl, InternalUrl,...  SYDEX1\Microsoft-Server-Ac...
27/08/2015 11:24:47 AM  Set-EcpVirtualDirectory        {ExternalUrl, InternalUrl,...  SYDEX1\ecp (Default Web Site)
27/08/2015 11:13:30 AM  Update-MailboxDatabaseCopy     {DeleteExistingFiles, Conf...  DB01\MELEX1
27/08/2015 10:42:12 AM  Suspend-MailboxDatabaseCopy    {Identity}                     DB04\MELEX1
27/08/2015 10:42:11 AM  Suspend-MailboxDatabaseCopy    {Identity}                     DB03\MELEX1
27/08/2015 10:42:11 AM  Suspend-MailboxDatabaseCopy    {Identity}                     DB02\MELEX1
27/08/2015 10:42:09 AM  Suspend-MailboxDatabaseCopy    {Identity}                     DB01\MELEX1
26/08/2015 12:10:24 PM  Set-ExchangeServer             {ProductKey, Identity}         MELEX2
26/08/2015 12:10:23 PM  Set-ExchangeServer             {ProductKey, Identity}         MELEX1
26/08/2015 12:10:22 PM  Set-ExchangeServer             {ProductKey, Identity}         SYDEX2
26/08/2015 12:10:11 PM  Set-ExchangeServer             {ProductKey, Identity}         SYDEX1
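The searches above each use one or two parameters by hand. As an added example (not code from the original article), the following function wraps Search-AdminAuditLog into a repeatable review report: it combines date range, user and object filters, raises the result size above the cmdlet’s default of 1,000 entries so a busy organization is not silently truncated, summarises who ran which cmdlet how often, pulls out entries for a short list of high-impact cmdlets, and optionally exports the full detail to CSV. It assumes an Exchange Management Shell session; the high-impact cmdlet list, the CSV path and the use of the Name and Value properties of each CmdletParameters entry are this example’s own choices.

```powershell
# Added example, not from the original article. Assumes an Exchange Management Shell
# session. The high-impact cmdlet list is this example's choice; tune it to your org.

function Get-AdminChangeReport {
    [CmdletBinding()]
    param(
        [int]$Days = 30,
        [string[]]$UserIds,      # optional: restrict to specific administrators
        [string[]]$ObjectIds,    # optional: restrict to specific objects
        [string]$CsvPath,        # optional: export the full detail for a ticket
        [string[]]$HighImpactCmdlets = @(
            'Add-MailboxPermission', 'Add-ADPermission', 'Add-RoleGroupMember',
            'New-ManagementRoleAssignment', 'Set-AdminAuditLogConfig',
            'Remove-Mailbox', 'Dismount-Database'
        )
    )

    $search = @{
        StartDate  = (Get-Date).AddDays(-$Days)
        EndDate    = Get-Date
        ResultSize = 250000   # default is 1000, which silently truncates busy orgs
    }
    if ($UserIds)   { $search.UserIds   = $UserIds }
    if ($ObjectIds) { $search.ObjectIds = $ObjectIds }

    $entries = @(Search-AdminAuditLog @search)

    # Each CmdletParameters entry carries the parameter Name and its Value.
    $paramText = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }

    if ($CsvPath) {
        $entries |
            Select-Object RunDate, Caller, CmdletName,
                @{n = 'Parameters'; e = $paramText},
                ObjectModified, Succeeded, Error, OriginatingServer |
            Export-Csv -Path $CsvPath -NoTypeInformation
    }

    # Who ran what, how often, and how many of those attempts failed
    $summary = $entries |
        Group-Object Caller, CmdletName |
        ForEach-Object {
            $first = $_.Group[0]
            [PSCustomObject]@{
                Caller   = $first.Caller
                Cmdlet   = $first.CmdletName
                Count    = $_.Count
                Failures = @($_.Group | Where-Object { -not $_.Succeeded }).Count
                Last     = ($_.Group | Sort-Object RunDate -Descending)[0].RunDate
            }
        } | Sort-Object Count -Descending

    # Entries worth a second look, in the order they happened
    $flagged = $entries |
        Where-Object { $HighImpactCmdlets -contains $_.CmdletName } |
        Sort-Object RunDate |
        Select-Object RunDate, Caller, CmdletName, ObjectModified,
            @{n = 'Parameters'; e = $paramText}

    [PSCustomObject]@{
        Total      = $entries.Count
        Summary    = $summary
        HighImpact = $flagged
    }
}

# Usage: everything Administrator did in the last 30 days, with a CSV for the ticket
$report = Get-AdminChangeReport -Days 30 -UserIds Administrator -CsvPath 'C:\Temp\admin-changes.csv'
"Total entries: $($report.Total)"
$report.Summary    | Format-Table -AutoSize
$report.HighImpact | Format-Table -AutoSize
```

Because the default log retention is 90 days, a scheduled run of a report like this (with the CSV kept somewhere outside Exchange) is also the simplest way to retain admin audit history beyond the retention window.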
Summary
As you can see, administrator audit logging contains a lot of valuable information to help you identify who has been making changes in your Exchange organization. You can also see why it is important to limit administrative rights to only the minimum that each IT team member needs to do their job.
This article Use Admin Audit Logging to Track Changes Made by Administrators is © 2015 ExchangeServerPro.com