Exchange 2010 SP1 changes the way Administrator Audit Logging (AAL) works to some degree. To see how Exchange 2010 RTM Administrator Audit Logging works, check out a great article by my fellow MVP Neil Hobson here. This article is not going to explain what AAL is, just what the changes are.
In Exchange 2010 RTM, when you configured AAL, you had to specify what mailbox you were going to store data in. This first required you to enable AAL and then to set the AAL Mailbox. An example of this (which is also shown in Neil’s article) is done by running the following command:
As an Administrator, you then had to give yourself full mailbox access to [email protected]. For example, if your user account was [email protected], you would give yourself full mailbox access using the following cmdlet:
Add-MailboxPermission [email protected] -User [email protected] -AccessRights FullAccess
You can now open the mailbox via OWA or Outlook to view the Administrator Audit Logs.
The Changes (Good Changes)
All the steps above I have just explained completely change in SP1. In short, the changes include:
- No more specified Mailbox exists. In fact, the parameter AdminAuditLogMailbox has been removed. It now uses a hidden mailbox (an arbitration mailbox to be precise) and you cannot change this.
- All reporting is done in the Exchange Control Panel (ECP) which then creates a report based on the option you specify and sends it to the mailbox of choice.
Administrator Audit Logging Mailbox
As you can see, there is no AdminAuditLogMailbox parameter anymore.
As stated earlier, the data is now being stored in an Arbitration Mailbox. I welcome this change as it is less administrative work to have an additional mailbox when there’s already an arbitration mailbox with unlimited quota that can be storing this data instead.
Exchange Control Panel (ECP)
Logging into the ECP as an Administrator, we have the options to Manage Your Organization. In fact, if you are a normal user with no elevated RBAC roles, you will not even see the option to Manage Your Organization.
In fact, let’s take a look at my regular user account and we’ll see what I’m talking about.
Now, let’s take a look at my administrator account (yes, I have a regular user account and a separate administrator account, and you should too – it’s called principle of least privilege and protected groups – aka adminsdholder issues).
As you can see, I have an option to Manage My Organization. The other options in that drop down include:
- Manage Myself
- Manage Another User
But as we know, depending on the Exchange 2010 Administrative Model known as RBAC, some options may or may not appear in the ECP due to ECPs modular nature. So if a user who has been added to the “Recipient Management” Group logs into ECP, they will see Manage My Organization but they may not see the Auditing. So the question, what Role Groups out of the box have any kind of access to Auditing? Well, I did some PowerShell kung-fu and easily ran a one-liner (Powershell rocks!) and searched for which groups have access to this Auditing feature. The PowerShell command I ran was:
The result was the following:
We can see that some of our Role Groups (Organization Management and Exchange Organization Administrators) have several iterations of the Role. This is due to the deleation type. Regular means that the the Group has access to the commands that are specified in the role Audit Logs. DelegatingOrgWide means the Role Group (Organization Management and Exchange Organization Administrators) have the power to assign the role to other Role Groups.
Moving on… now that we are in Manage My Organization Mode, we can see there is a Roles & Auditing Section now with an Auditing subsection. From there, we can see that we can view some Auditing Reports. These include the following reports:
- Run a non-owner mailbox access report – allows you to search mailbox audit logs for mailboxes that have been accessed or changed by someone other than the owner.
- Run a litigation hold report – allows you to search the administrator audit log for users who’ve had litigation hold enabled or disabled for their mailbox.
- Run an administrator role group report – allows you to search the administrator audit log for changes made to role groups, which are used to assign administrative permissions to users.
- Export mailbox audit logs – allows you to search for and export information about non-owner access to a mailbox during a specific time period.
- Export the administrator audit log – allows you to search for and export information about configuration changes made in your organization.
The jist of it is that the first 3 that start with Run show the results within ECP itself. The two Export options will allow you to specify a mailbox in the organization for which a report will be sent. The report will look just as it did in RTM; an XML style result.
Let’s run through an Export example. Let’s say a change was made in the organization and it’s not showing up in the logs. We suspect that a rogue administrator had disabled Administrator Audit Logging. We know this issue happened sometime between July 21st and July 23rd. So we go into the Export the administrator audit log section.
We set the Start date to July 21st and the End date to July 23rd. We then click Select users so we can choose the mailbox the report gets sent to.
I search for my mailbox and choose my mailbox as the mailbox to send the export to.
We then get the export report in e-mail.
The report can take several minutes and even longer depending on how much of a time period we are searching through. Once the report has been received, we can save the attached XML file and open it up in an XML Editor. I chose to use XML Notepad. We can see who the rogue admin was (it was me!… only doing my test of course).
We can also see what was done and what the old and new value were.
<Parameter Name=”AdminAuditLogEnabled” Value=”False” />
</CmdletParameters>
<ModifiedProperties>
<Property Name=”AdminAuditLogFlags” OldValue=”AdminAuditLogEnabled” NewValue=”None” />
<Property Name=”AdminAuditLogEnabled” OldValue=”True” NewValue=”False” />
</ModifiedProperties>
</Event>
urooj says
i wan to generate a report as per OU , plaese help me in this regard
Imran says
Great Article, one question.
Is it possible to know the size of that arbitrary mailbox used for auditlogs?
ETB says
How long does it take for the Mailbox Audit log to be sent? I did a search of the past 5 days and it hasn't returned anything in 3 hours. If I run a a non-owner mailbox access report, it takes 30 seconds.
@imkottees says
Hi Elan,
Great post, excel seems to be easier to find the rouge ;-)
Jez Marsh says
Great post,
Are you aware of a way to automate exporting the audit log? This would be handy for customer sites.
Zoltan says
Mano,
Right at the top of the article: "No more specified Mailbox exists. In fact, the parameter AdminAuditLogMailbox has been removed." In fact, read the *whole* article, not just the top line. Elan makes this point (that is, no more AdminAuditLogMailbox in SP1) very clear, you just have to take the effort to read it.
Excellent article, Elan – thanks!
Cheers
mano says
Hi
can you please guide how to configure adminauditmailbox in exchange 2010 sp1, i have configured but unable to get the results, eben the -adminauditmailbox parameter is not available.
Please suggest
Frank says
Hi Elan,
Do you know whether self-managed modification in the ECP will be audited?
e.g. someone change him language settings.
HopCount says
Thanks for the post my problem is solved
catastrophicerrors says
I can say a very good article
mdrooij says
Nice article Elan!