Customers are encouraged to use the script that's provided by Microsoft Online Services to help in certain investigations. Microsoft Online Services scripts are generic, and they should be usable in all customer environments. If errors occur when a script is run, the content of the script should be used as an example to create a customized script for a particular customer environment. Microsoft Online Services provides the script as a convenience to Microsoft 365 customers without warranty, expressed or implied.

1. Start Notepad, and then copy the following code into the file. The code uses the Search-MailboxAuditLog command that is part of Microsoft Exchange Server.

    # Assumption: parameter block (the script prompts for a mailbox, a start date and an end date).
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$StartDate,
        [Parameter(Mandatory=$true)][string]$EndDate
    )
    [string[]]$LogParameters = @('LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')
    Write-Host -fore green 'Searching Mailbox Audit Logs.'
    $SearchResults = @(Search-MailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -ResultSize 50000)
    Write-Host -fore green "$($SearchResults.Count) Total entries Found"
    Write-Host -fore green 'Removing FolderBind operations.'
    # Assumption: FolderBind entries are dropped by matching on the Operation property.
    $SearchResults = @($SearchResults | Where-Object { $_.Operation -ne 'FolderBind' })
    Write-Host -fore green "Filtered to $($SearchResults.Count) Entries"
    $SearchResults = @($SearchResults | select $LogParameters)
    # Assumption: timestamp format used for $Date in the output file name.
    $Date = Get-Date -Format yyMMdd_HHmmss
    $OutFileName = "AuditLogResults$Date.csv"
    Write-Host -fore green "Posting results to file: $OutFileName"
    $SearchResults | Export-Csv $OutFileName -NoTypeInformation -Encoding UTF8

2. In the File name box, type Run-MailboxAuditLogSearcher.ps1, and then click Save.
3. Start Windows PowerShell, and then connect to Windows Remote PowerShell.
4. Locate the directory in which you saved the script, and then run the script:

    .\Run-MailboxAuditLogSearcher.ps1

If you run the script without parameters, you will be prompted for the following default parameters:

To search for entries from the current day, add one day to the end-date value in the prompt window. For example, if the current date is, and you want to include the current day in your search, enter as the end date.

Step 2: Customize a mailbox audit log search

In Microsoft 365, mailbox audit logging entries are retained in the mailbox for 90 days. You are prompted to indicate a start date and end date for the search. You can use several optional parameters to customize the search. For a description of these parameters, see the 'More Information' section.

If items are found after the script runs, you receive a message that resembles the following:

This example message indicates that the search process has found 11 entries.

By default, the FolderBind entries are filtered out, and the following operation types remain:

The FolderBind operation indicates the times at which the mailbox is accessed by a non-owner. You do not have to view the FolderBind operations when you investigate an item that is updated or deleted.

The most useful columns are exported, and some of these columns are merged to make the output easier to review. For more information about the columns that are exported, see the 'More Information' section.

Owner audit logging should only be used if you have to investigate an action by the owner of the mailbox. It should be used for a limited time period, approximately two weeks. This is because the audit log entries are stored in the mailbox, and this may cause the mailbox dumpster to exceed the size limit.

To enable owner audit logging, follow these steps:

1. Determine whether mailbox audit logging is enabled. To do this, run the following cmdlet:

    Get-Mailbox | ft AuditEnabled

   If the result is False, run the following cmdlet in Windows PowerShell:

    Set-Mailbox -AuditEnabled $true

2. Enable the owner audit logging. To do this, run the following cmdlet:

    Set-Mailbox -AuditOwner "Create,HardDelete,Move,MoveToDeletedItems,SoftDelete,Update"

3. Rerun the Run-MailboxAuditLogSearcher.ps1, and review the data.
4. After the troubleshooting is complete, disable owner audit logging. To do this, run the following cmdlet:

    Set-Mailbox -AuditOwner $none

More Information

Optional script parameters