Using Exchange Server 2013 Mailbox Audit Logging

In many organizations the Exchange Server administrator will encounter a situation where there is a need to determine who took action on an item in a mailbox. This will most often be about actions taken by delegates of a person’s mailbox, or people who use a shared mailbox.

For example:

  • An email message from a customer was never responded to, and the manager of the customer service team wants to know which person in the team moved or deleted the message from the shared mailbox
  • Information sent to an executive via email has leaked, and there is an investigation into which of the executive’s delegates read the email message

Note that in these situations it is assumed that delegates or a team of people already have full access to the mailbox, or read-only access to the mailbox. Based on that assumption the focus is now on which of those people took action on specific mail items.

Exchange Server 2013 can log access to mailboxes by the owner, delegates, and administrators, using a feature called mailbox audit logging.

How Mailbox Audit Logging Works

When mailbox audit logging is enabled for a mailbox, audit log entries are stored in the Recoverable Items folder of the mailbox, which is not visible to the mailbox user via Outlook or other client interfaces.

Log entries are written for actions taken by the mailbox owner, delegates, or by administrators, depending on the audit logging configuration applied to the mailbox. The mailbox audit log entries are then retained for a configurable period of time.

Mailbox audit logging has the following default configuration in Exchange Server 2013:

  • Mailbox audit logging is disabled
  • Audit log entries are retained for 90 days
  • No owner actions are logged
  • Some delegate and administrator actions are logged

A default mailbox audit logging configuration for an Exchange 2013 mailbox looks like this:

[PS] C:\>Get-Mailbox alan.reid | fl *audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

Note: The AuditAdmin settings refer to access via mechanisms such as eDiscovery searches, mailbox import/export operations, or tools such as MFCMAPI. If an administrator is granted permission to a mailbox and accesses it then those actions will be logged according to the AuditDelegate settings.

Enabling/Disabling Mailbox Audit Logging

To enable audit logging for a mailbox in your organization, use the Set-Mailbox cmdlet.

[PS] C:\>Set-Mailbox alan.reid -AuditEnabled $true

Typical candidates for mailbox audit logging are executives or VIPs who handle sensitive information, and who have delegates, or shared mailboxes used by teams of people.

In some organizations it may be preferable to enable mailbox audit logging for large numbers of mailbox users, or perhaps even all mailbox users. You can pipe the output of any Get-Mailbox query into Set-Mailbox to enable mailbox audit logging.

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled:$true
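
Setting AuditEnabled keeps the default AuditDelegate list shown earlier, which does not include Move, MoveToDeletedItems or FolderBind, the actions the two example scenarios depend on. The following added example (not from the original article; Get-AuditGap and $Required are hypothetical names, and the sample objects are constructed) reports mailboxes whose settings would miss those actions:

```powershell
# Delegate actions an investigation into moved, deleted or accessed items relies on.
# FolderBind records folder access, not which message was opened.
$Required = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete',
            'FolderBind','SendAs','SendOnBehalf','Create'

function Get-AuditGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [string[]] $RequiredDelegateActions
    )
    process {
        # Normalise enum values (local shell) or strings (remote shell) to strings
        $current = @($Mailbox.AuditDelegate | ForEach-Object { "$_" })
        $missing = @($RequiredDelegateActions | Where-Object { $current -notcontains $_ })
        # Report the mailbox if auditing is off or any required action is not logged
        if (-not $Mailbox.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Identity       = $Mailbox.Identity
                AuditEnabled   = [bool]$Mailbox.AuditEnabled
                MissingActions = $missing -join ', '
            }
        }
    }
}

# Constructed sample objects: the first mirrors the default configuration shown above
$sample = @(
    [pscustomobject]@{ Identity = 'alan.reid'; AuditEnabled = $false
                       AuditDelegate = 'Update','SoftDelete','HardDelete','SendAs','Create' }
    [pscustomobject]@{ Identity = 'Help Desk'; AuditEnabled = $true
                       AuditDelegate = $Required }
)
$sample | Get-AuditGap -RequiredDelegateActions $Required | Format-List

# In the Exchange Management Shell, run the same check against real mailboxes
# and then close the gaps:
#   $gaps = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
#           Get-AuditGap -RequiredDelegateActions $Required
#   $gaps | ForEach-Object {
#       Set-Mailbox -Identity $_.Identity -AuditEnabled $true -AuditDelegate $Required
#   }
```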

If you need to ensure that mailbox audit logging is automatically enabled for all new mailboxes when they are created, you can achieve that using the Scripting Agent.

Impact of Audit Logging on Mailbox Size

Mailbox audit log data is stored in a folder named Audits under the Recoverable Items folder of the mailbox, so it is hidden from the user. The default retention is 90 days, and some administrators may be concerned about the storage overhead for all of that audit logging data.

For more information on this see How Much Database Storage Does Mailbox Audit Logging Consume?

Searching Mailbox Audit Logs

In these further articles I will demonstrate some methods for searching and using the mailbox audit logging data.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. Hi Paul,

    When I am trying to enable audit log in PowerShell I am getting the below error.

    A positional parameter cannot be found that accepts argument ‘-AuditEnabled’.

    Exchange version: 14.3

    Please suggest how it can be done.

    Thanks in advance.

  2. Tried using this command but no luck
    Set-Mailbox xxxxx -Identity -AuditEnabled $true

    Getting Error:
    A positional parameter cannot be found that accepts argument ‘xxxxxxx’.
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

    Thanks

  3. Hi Paul,

    Thanks for the reply.

    But after giving the same syntax I am getting the below error:

    A positional parameter cannot be found that accepts argument ‘-AuditEnabled’.
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

    Thanks in advance

    • What is the exact command you are running?

      • Tried with below two commands:

        Set-Mailbox -Identity (userid) -AuditEnabled $true

        Set-Mailbox -Identity (emailaddress) -AuditEnabled $true

        • Try

          Get-Mailbox userid

          If that retrieves the mailbox successfully then try piping it to Set-Mailbox

          Get-Mailbox userid | Set-Mailbox -AuditEnabled:$true

          You can also use alias instead of userid.

          If that still isn’t working, then which version of Exchange are you running?

        • Hi Paul,

          When using Get-Mailbox userid (Aliasname) I am able to retrieve the mailbox successfully.

          But when using it with the pipe command I am getting the below error:

          Get-Mailbox (aliasname or userid) |Set-Mailbox -AuditEnabled:$true
          A positional parameter cannot be found that accepts argument ‘True’.
          + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
          + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

          Exchange: 2010
          Version: 14.3
          Build: 123.4
          Edition: Standard

        • I’m starting to think this may be a permissions issue with your admin account not having the required Exchange permissions to manage this setting.

        • Thanks for the response. It was due to a permission issue only. I have now successfully enabled audit log. After enabling, when I am trying to use this command I am getting the below error.

          Search-MailboxAuditLog -Identity “Help Desk” -LogonTypes Delegate -StartDate 1/14/2014 -EndDate 1/15/2014

          The term ‘Search-MailboxAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

          For this, what permissions need to be delegated to a user? Or do we need to install any package for this?

          Thanks in advance.

  4. Arnold Mashoko says:

    Thanks Paul
    I have found your article very informative and helpful.
