Automating Exchange Mailbox Audit Logging with Exchange 2010

Understanding the details of user mailbox access is very important to knowing what is going on within an Exchange environment. Being able to proactively audit mailbox access has become critical to the technology world we live in today due to the constant threat of security vulnerabilities. Environmental threats can come from inside or outside of our organizations.

So, what kind of information can you obtain if you are auditing user mailboxes?

When auditing is enabled, Exchange Administrators will know when a mailbox owner, delegate or administrator mailbox login has occurred, and what actions were taken while the user was logged in. This includes:

• Whether a mailbox folder was accessed

• If a message was permanently deleted or just sent to the deleted items folder

• If an email was sent based upon the Send As permission

• If an email was sent using Send On Behalf permission

• Whether an email was moved to another folder

• If the message properties were updated

• And more

The audit logs will be available for 90 days unless the default setting is changed to something more appropriate for your organization.

In order to begin auditing mailboxes, Microsoft has provided us the ability to enable this functionality on a user by user basis.  This can be done simply by opening the Exchange Management Shell and running the following command. 

Set-Mailbox -identity FillInUserAlias -AuditEnabled $True

Automating for the Users in your Organization

Depending on the size of your organization it may not be realistic to set this up manually for each person in your organization, especially if you want to enable auditing for everyone employed there.  Below you will find the PowerShell syntax required to accomplish this.  This script can be run as a scheduled task to enable auditing for your organization’s mailboxes and then can be run routinely through a scheduled task to ensure that any new users in your environment also have auditing enabled.  Please note that the script and scheduled task detail below assumes that mailbox auditing for newly added users will occur every evening.

To get started, copy the following data into notepad and save as ExchangeAudit.ps1, also make sure the .ps1 file is saved to C:\Tasks on your Exchange server.  Based upon this location and the additional locations noted in the script, you need to create a similar folder structure for this script to work.

 $auditreport = Get-Mailbox -resultsize unlimited | where {$_.AuditEnabled -eq $false} | select Alias | export-csv "C:\Tasks\ExchangeAuditReport\AddedAuditing_$((Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')).csv"

$auditfile = Get-Mailbox -resultsize unlimited | where {$_.AuditEnabled -eq $false} | select Alias | export-csv -Path "C:\Tasks\ExchangeAudit\mailboxes.csv" -NoTypeInformation

$data = get-content "C:\Tasks\ExchangeAudit\mailboxes.csv" | % {$_ -replace '"', ""} | select -Skip 1

if($data -eq $null)

{

$ErrorActionPreference = "Stop"

}

else

{

foreach ($a in $data)

{

Set-Mailbox -identity $a -AuditEnabled $True

}

}

The script variables explained:

$auditreport will create a date stamped csv file that can be historically referenced to see who auditing was enabled and what date this was completed.

$auditfile is a separate file that will be overwritten each time the script runs.  This file will have a list of all the users that the script will run against.

$data will get the relevant content from the csv file and enable auditing for the users in the list

$ErrorActionPreference will end the script if there are not any users in the file

Now that we have our PowerShell script we will want to create a Windows Server 2008 scheduled task to run the script on the interval you choose.  For this example, it will be setup to run nightly.

Create a scheduled Task to execute the newly created exchangeaudit.ps1

1. Request or create a service account to run the scheduled task.  This account will need administrator access to Exchange and should not be used for anything else.
2. Sign into a server that has the Exchange Management Tools and Exchange Management Shell installed.
3. Open Task Scheduler through the server Control Panel.
4. In the Task Scheduler console expand the tree on the left hand side until you see Microsoft.  From there, right-click on Microsoft and choose “Create Task”. 
5. Give your scheduled task a name and click the “Change User or Group” button to set this up to run as the service account that was setup in step 1 of this section. Note:  If you signed into the Exchange server with this service account then the user account will not need to be changed.
6. Then check the radio button marked to “Run whether user is logged on or not”.
7. On the Triggers Tab, in the bottom left corner click the “New” button and create an appropriate schedule for your task. Note:  This frequency should be determined by how often you want to check for newly created user accounts that will require auditing.
8. Click on the Actions Tab and then in the bottom left hand corner click the “New” button.
9. Fill in the Program/Script and Add Arguments Fields.  See below for the syntax for each field and adjust accordingly for your environment    Program/Script:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Add Arguments (Optional): -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; . ‘C:\Tasks\Exchange Audit\ExchangeAudit.ps1’
10. Skip the conditions Tab.
11. Click on the settings tab and adjust to your preferences; however, please note that the default settings are typically ok.
12. Click Ok.
13. You will be prompted to enter the password for the account used for the scheduled task.

Upon completion of this series of steps this script will run on the scheduled interval of your choice and enable auditing for all users in your organization. Then, as it runs nightly, it will continue to enable auditing for newly created accounts in your organization on a daily basis.  This will include a data stamped report that will provide the user Alias for the users that had their auditing enabled for that day.

HAPPY AUTOMATING!

If you find yourself building Exchange reports manually, you may want to learn more about Mailscape's Exchange reporting ability with over 200 commonly requested built-in reports.