
Changes in Exchange 2010 SP1 Administrator Audit Logging

Exchange 2010 SP1 changes the way Administrator Audit Logging (AAL) works to some degree.  To see how Exchange 2010 RTM Administrator Audit Logging works, check out a great article by my fellow MVP Neil Hobson here.  This article is not going to explain what AAL is, just what the changes are.

In Exchange 2010 RTM, when you configured AAL, you had to specify what mailbox you were going to store data in.  This first required you to enable AAL and then to set the AAL Mailbox.  An example of this (which is also shown in Neil’s article) is done by running the following command:

Set-AdminAuditLogConfig -AdminAuditLogMailbox auditmailbox@shudnow.net

As an Administrator, you then had to give yourself full mailbox access to auditmailbox@shudnow.net.  For example, if your user account was elanadmin@shudnow.net, you would give yourself full mailbox access using the following cmdlet:

Add-MailboxPermission auditmailbox@shudnow.net -User elanadmin@shudnow.net -AccessRights FullAccess

You can now open the mailbox via OWA or Outlook to view the Administrator Audit Logs.

The Changes (Good Changes)

All of the steps I just explained change completely in SP1.  In short, the changes include:

  • There is no longer a specified mailbox.  In fact, the AdminAuditLogMailbox parameter has been removed.  AAL now uses a hidden mailbox (an arbitration mailbox, to be precise) and you cannot change this.
  • All reporting is done in the Exchange Control Panel (ECP), which creates a report based on the option you specify and sends it to the mailbox of your choice.

Administrator Audit Logging Mailbox

As you can see, there is no AdminAuditLogMailbox parameter anymore.

As stated earlier, the data is now stored in an Arbitration Mailbox. I welcome this change, as it is less administrative work than maintaining an additional mailbox when there is already an arbitration mailbox with an unlimited quota that can store this data instead.

Exchange Control Panel (ECP)

Logging into the ECP as an Administrator, we have the options to Manage Your Organization.  In fact, if you are a normal user with no elevated RBAC roles, you will not even see the option to Manage Your Organization.

In fact, let’s take a look at my regular user account and we’ll see what I’m talking about.

Now, let’s take a look at my administrator account (yes, I have a regular user account and a separate administrator account, and you should too – it’s called principle of least privilege and protected groups – aka adminsdholder issues).

As you can see, I have an option to Manage My Organization.  The other options in that drop down include:

  • Manage Myself
  • Manage Another User

But as we know, depending on the Exchange 2010 administrative model known as RBAC, some options may or may not appear in the ECP due to the ECP’s modular nature.  So if a user who has been added to the “Recipient Management” Role Group logs into the ECP, they will see Manage My Organization but they may not see Auditing.  So the question is: which Role Groups out of the box have any kind of access to Auditing?  Well, I did some PowerShell kung-fu and easily ran a one-liner (PowerShell rocks!) to search for which groups have access to this Auditing feature.  The PowerShell command I ran was:

Get-ManagementRole | Get-ManagementRoleAssignment | Where-Object {$_.Role -like "*audit*"} | FT Role,RoleAssigneeName -wrap -autosize

The result was the following:

We can see that some of our Role Groups (Organization Management and Exchange Organization Administrators) have several iterations of the Role.  This is due to the delegation type.  Regular means that the Group has access to the commands that are specified in the role Audit Logs.  DelegatingOrgWide means the Role Group (Organization Management and Exchange Organization Administrators) has the power to assign the role to other Role Groups.
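The one-liner above answers which Role Groups hold the role; for an access review you usually also want the delegation type spelled out and the actual people inside those groups. The following script is an added example, not part of the original post. It assumes the role is named "Audit Logs" (as the post states), that it is run from the Exchange Management Shell, and that the assignment objects expose the RoleAssignmentDelegationType and RoleAssigneeType properties:

```powershell
# Added example (not from the original post): who holds the "Audit Logs" role,
# split by delegation type, with role group membership expanded.
# Assumes an Exchange Management Shell session and the role name "Audit Logs".

# Look the role up directly instead of walking every management role.
$assignments = Get-ManagementRoleAssignment -Role 'Audit Logs'

# Regular = may run the cmdlets in the role.
# Delegating / DelegatingOrgWide = may hand the role to other assignees.
$assignments | Group-Object RoleAssignmentDelegationType | ForEach-Object {
    "{0}:" -f $_.Name
    $_.Group | ForEach-Object { "    " + $_.RoleAssigneeName }
}

# Role groups carry the assignment, but the members are who can actually
# view or export the audit logs, so expand each group's membership.
$assignments |
    Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
    ForEach-Object { $_.RoleAssigneeName } |
    Sort-Object -Unique |
    ForEach-Object {
        $group = $_
        Get-RoleGroupMember -Identity $group |
            Select-Object @{ n = 'RoleGroup'; e = { $group } }, Name, RecipientType
    } | Format-Table -AutoSize
```

Run it periodically and diff the output against the previous run; a new name appearing under a Delegating assignment is worth a closer look, since that person can grant audit access to others.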

Moving on… now that we are in Manage My Organization Mode, we can see there is a Roles & Auditing Section now with an Auditing subsection.  From there, we can see that we can view some Auditing Reports.  These include the following reports:

  • Run a non-owner mailbox access report – allows you to search mailbox audit logs for mailboxes that have been accessed or changed by someone other than the owner.
  • Run a litigation hold report – allows you to search the administrator audit log for users who’ve had litigation hold enabled or disabled for their mailbox.
  • Run an administrator role group report – allows you to search the administrator audit log for changes made to role groups, which are used to assign administrative permissions to users.
  • Export mailbox audit logs – allows you to search for and export information about non-owner access to a mailbox during a specific time period.
  • Export the administrator audit log - allows you to search for and export information about configuration changes made in your organization.

The gist of it is that the first 3, which start with Run, show the results within the ECP itself.  The two Export options allow you to specify a mailbox in the organization to which the report will be sent.  The report will look just as it did in RTM: an XML-style result.

Let’s run through an Export example.  Let’s say a change was made in the organization and it’s not showing up in the logs.  We suspect that a rogue administrator disabled Administrator Audit Logging.  We know this happened sometime between July 21st and July 23rd.  So we go into the Export the administrator audit log section.

We set the Start date to July 21st and the End date to July 23rd.  We then click Select users so we can choose the mailbox the report gets sent to.

I search for my mailbox and choose my mailbox as the mailbox to send the export to.

We then get the export report in e-mail.

The report can take several minutes, or even longer, depending on how long a time period we are searching through.  Once the report has been received, we can save the attached XML file and open it in an XML editor.  I chose to use XML Notepad.  We can see who the rogue admin was (it was me!… only doing my test, of course).

We can also see what was done and what the old and new value were.

    <Parameter Name="AdminAuditLogEnabled" Value="False" />
  </CmdletParameters>
  <ModifiedProperties>
    <Property Name="AdminAuditLogFlags" OldValue="AdminAuditLogEnabled" NewValue="None" />
    <Property Name="AdminAuditLogEnabled" OldValue="True" NewValue="False" />
  </ModifiedProperties>
</Event>
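Reading an export by eye works for a two-day window; for a larger one you want to search it. The script below is an added example, not from the original post: it loads the exported XML and reports every event where AdminAuditLogEnabled went from True to False, which is exactly the change shown in the excerpt above. It assumes each cmdlet invocation is an Event element with Caller, Cmdlet and RunDate attributes (attribute names assumed here; the Parameter and Property elements match the post's excerpt). The embedded sample export is constructed for the example.

```powershell
# Added example (not from the original post): find events in an exported
# administrator audit log that switched Administrator Audit Logging off.
# Assumptions: the export is the XML attached to the ECP report e-mail, and
# each <Event> carries Caller, Cmdlet and RunDate attributes (assumed names).

function Find-AuditLoggingDisabledEvents {
    param(
        [Parameter(Mandatory = $true)]
        [xml]$AuditLog
    )
    # Every cmdlet invocation in the export is an <Event> element.
    foreach ($auditEvent in $AuditLog.SelectNodes('//Event')) {
        # Only the AdminAuditLogEnabled property matters for this search.
        $changes = $auditEvent.SelectNodes(
            "ModifiedProperties/Property[@Name='AdminAuditLogEnabled']")
        foreach ($change in $changes) {
            if ($change.OldValue -eq 'True' -and $change.NewValue -eq 'False') {
                New-Object PSObject -Property @{
                    RunDate  = $auditEvent.GetAttribute('RunDate')
                    Caller   = $auditEvent.GetAttribute('Caller')
                    Cmdlet   = $auditEvent.GetAttribute('Cmdlet')
                    OldValue = $change.OldValue
                    NewValue = $change.NewValue
                }
            }
        }
    }
}

# Constructed sample export: one harmless mailbox change, then the
# Set-AdminAuditLogConfig call that disabled auditing. Caller paths and
# dates are made up for the example.
$sampleXml = [xml]@'
<SearchResults>
  <Event Caller="shudnow.net/Users/elanadmin" Cmdlet="Set-Mailbox" RunDate="2010-07-22T09:12:00">
    <CmdletParameters>
      <Parameter Name="Identity" Value="user1" />
      <Parameter Name="ProhibitSendQuota" Value="2GB" />
    </CmdletParameters>
    <ModifiedProperties>
      <Property Name="ProhibitSendQuota" OldValue="Unlimited" NewValue="2 GB" />
    </ModifiedProperties>
  </Event>
  <Event Caller="shudnow.net/Users/elanadmin" Cmdlet="Set-AdminAuditLogConfig" RunDate="2010-07-22T14:03:00">
    <CmdletParameters>
      <Parameter Name="AdminAuditLogEnabled" Value="False" />
    </CmdletParameters>
    <ModifiedProperties>
      <Property Name="AdminAuditLogFlags" OldValue="AdminAuditLogEnabled" NewValue="None" />
      <Property Name="AdminAuditLogEnabled" OldValue="True" NewValue="False" />
    </ModifiedProperties>
  </Event>
</SearchResults>
'@

# For a real export, load the saved attachment instead:
#   $sampleXml = [xml](Get-Content .\SearchResult.xml)
Find-AuditLoggingDisabledEvents -AuditLog $sampleXml |
    Select-Object RunDate, Caller, Cmdlet, OldValue, NewValue |
    Format-Table -AutoSize
```

Only the second event is reported. The same pattern, with a different XPath filter, finds other changes worth alerting on in an export, such as role group membership changes or litigation hold being turned off.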


15 Responses to “Changes in Exchange 2010 SP1 Administrator Audit Logging”

  1. on 04 Aug 2010 at 9:36 am, mdrooij

    Nice article Elan!

  2. [...] This post was mentioned on Twitter by ShayLevy and Michel de Rooij, Elan Shudnow. Elan Shudnow said: Changes in #Exchange 2010 SP1 Administrator Audit Logging http://bit.ly/9ALkE4 [...]

  3. on 08 Oct 2010 at 2:28 pm, Exchange 2010 SP1 FAQ | Jonson Yang

    [...] Changes in Exchange 2010 SP1 Administrator Audit Logging http://www.shudnow.net/2010/08/03/changes-in-exchange-2010-sp1-administrator-audit-logging/ This entry was posted in Exchange 2010. Bookmark the permalink. ← Exchange [...]

  4. on 27 Dec 2010 at 8:56 am, catastrophicerrors

    I can say a very good article

  5. on 07 Feb 2011 at 6:23 pm, HopCount

    Thanks for the post, my problem is solved

  6. on 24 Jun 2011 at 3:15 am, Frank

    Hi Elan,

    Do you know whether self-managed modification in the ECP will be audited?

    e.g. someone changes his language settings.

  7. on 12 Aug 2011 at 11:18 am, mano

    Hi

    Can you please guide me on how to configure the admin audit mailbox in Exchange 2010 SP1? I have configured it but am unable to get the results; even the -AdminAuditLogMailbox parameter is not available.

    Please suggest

  8. on 16 Dec 2011 at 1:49 pm, Zoltan

    Mano,

    Right at the top of the article: "No more specified Mailbox exists. In fact, the parameter AdminAuditLogMailbox has been removed." In fact, read the *whole* article, not just the top line. Elan makes this point (that is, no more AdminAuditLogMailbox in SP1) very clear, you just have to take the effort to read it.

    Excellent article, Elan – thanks!

    Cheers

  9. on 10 Feb 2012 at 7:38 am, Jez Marsh

    Great post,

    Are you aware of a way to automate exporting the audit log? This would be handy for customer sites.

  10. [...] modified. If you want to read up on administrator audit logging, there are some great posts on it here, and over here. I’ve also blogged about it a couple times, here and [...]

  11. [...] modified. If you want to read up on administrator audit logging, there are some great posts on it here, and over here. I’ve also blogged about it a couple [...]

  12. on 25 Jul 2012 at 2:52 am, @imkottees

    Hi Elan,

    Great post, Excel seems to be easier to find the rogue ;-)

  13. on 26 Sep 2012 at 10:48 am, ETB

    How long does it take for the Mailbox Audit log to be sent? I did a search of the past 5 days and it hasn't returned anything in 3 hours. If I run a non-owner mailbox access report, it takes 30 seconds.

  14. on 02 Dec 2012 at 1:06 pm, Imran

    Great Article, one question.
    Is it possible to know the size of that arbitrary mailbox used for auditlogs?

  15. on 16 Feb 2013 at 5:08 am, urooj

    I want to generate a report per OU, please help me in this regard
