Posted in : Exchange, Office 365 By Joel Jerkin

2 years ago

Enabling mailbox auditing has long been something an Exchange administrator had to do manually.
Yesterday, Microsoft announced that they will be enabling mailbox auditing by default for all user mailboxes using Office 365 and Exchange Online. This is a welcome change, so you don’t need to manually enable mailbox auditing on new users or use a script that enables that for all users in Office 365 and Exchange Online.
For on-premises Exchange environments there is no such feature (hopefully it will come with a future Cumulative Update), so you still need to enable auditing manually. Either add this as a step in your process for creating a new mailbox, or run a PowerShell script as a Scheduled Task on your Exchange Server that enables auditing automatically.
Here’s an example of what such a script can look like; you can also find it as a download here.

#requires -version 3
<#
    .SYNOPSIS
        Enables owner mailbox access auditing on every mailbox in your on-premises Exchange environment.
    .DESCRIPTION
        Loads the Exchange snap-in, lists all user, shared, room and discovery mailboxes and,
        for each one whose AuditEnabled property is $false, calls Set-Mailbox to turn auditing on
        with -AuditLogAgeLimit 365 and the owner actions Create, HardDelete, MailboxLogin,
        MoveToDeletedItems, SoftDelete and Update.
        Only -AuditOwner is set; the AuditAdmin and AuditDelegate action lists are not passed to
        Set-Mailbox, so they stay at whatever is already configured on each mailbox.
        Every run writes a summary log and a verbose log to LogFolder.
    .PARAMETER LogFolder
        Folder that receives the summary and verbose log files. It is created if it does not exist.
    .PARAMETER LogCount
        Number of summary logs and of verbose logs to retain in LogFolder; the oldest files
        beyond that are deleted when the script starts.
    .NOTES
        Credits to:
        https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/EnableMailboxAuditing.ps1
#>
[cmdletbinding()]
Param(
    [string]$LogFolder = "C:\Scripts\Set-MailboxAuditingOnprem\Logs",
    [int]$LogCount = 100
)
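Begin{
    # The script's own file name is the prefix of both log file names.
    $ScriptName = $MyInvocation.MyCommand.Name
    $StartDate = Get-date -Format "yyyy-MM-dd_HHmmss"

    # NOTE(review): the logs record mailbox account names and which of them had auditing
    # switched off. Restrict write access on $LogFolder to the account that runs the task;
    # the script itself does not set or check the folder ACL.
    If(-not(Test-Path -Path $LogFolder -PathType Container)){
        # New-Item returns the new directory object; discard it so it does not
        # leak into the script's output stream.
        New-Item $LogFolder -ItemType Container -Force | Out-Null
    }

    [string]$SummaryLog = "$($LogFolder)\$($ScriptName)_Summary_$StartDate.log"
    [string]$VerboseLog = "$($LogFolder)\$($ScriptName)_Verbose_$StartDate.log"

    # Log rotation. This run adds one new file of each kind, so trim the existing
    # files down to $LogCount - 1 first. The timestamp in the name sorts
    # chronologically, which puts the oldest files first.
    # (The previous '-gt' test skipped the clean-up when exactly $LogCount files
    # existed, so $LogCount + 1 files could accumulate.)
    ForEach($Kind in 'Summary','Verbose'){
        # @() keeps .Count and the pipeline well-defined for zero or one match.
        $ExistingLogs = @(Get-ChildItem "$($LogFolder)\$($ScriptName)_$($Kind)_*.log" | Sort-Object Name)
        $Excess = $ExistingLogs.Count - $LogCount + 1
        If($Excess -gt 0){
            $ExistingLogs | Select-Object -First $Excess | Remove-Item -Force
        }
    }

    Function Write-Log{
        <#
            .SYNOPSIS
                Writes a time-stamped entry to the run's log files and to the console streams.
            .DESCRIPTION
                Every entry goes to the verbose log. 'Error' and 'Information' entries are
                also written to the summary log. 'Error' entries are raised with Write-Error;
                all other levels use Write-Verbose.
            .PARAMETER Message
                Text of the log entry.
            .PARAMETER Level
                Verbose (default), Error or Information.
            .PARAMETER SummaryLog
                Path of the summary log; defaults to the file chosen for this run.
            .PARAMETER VerboseLog
                Path of the verbose log; defaults to the file chosen for this run.
        #>
        Param(
            [string]$Message,
            [validateset('Verbose','Error','Information')]
            [string]$Level = 'Verbose',
            [string]$SummaryLog = $SummaryLog,
            [string]$VerboseLog = $VerboseLog
        )
        $Entry = "$(Get-date -Format "yyyy-MM-dd HH:mm:ss") : $Level : $Message"

        # Write the files before touching the console streams: if the caller runs
        # with -ErrorAction Stop, Write-Error terminates and anything after it in
        # this function would be skipped, losing the error from the log.
        $Entry | Out-File -FilePath $VerboseLog -Append
        If($Level -ne 'Verbose'){
            $Entry | Out-File -FilePath $SummaryLog -Append
        }

        If($Level -eq 'Error'){
            Write-Error $Message
        }
        Else{
            Write-Verbose $Message
        }
    }
}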
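Process{
    Try{
        Write-Log -Message "Script started." -Level Information

        # Import Exchange PowerShell Snapin
        # NOTE(review): the wildcard loads every registered snap-in whose name matches
        # *Exchange*; pin the exact snap-in name for your Exchange version if you can.
        Add-PSSnapin *Exchange*

        # Get every user, shared, room and discovery mailbox. The filter does not look at
        # AuditEnabled; that is checked per mailbox in the loop below.
        # @() guarantees an array, so .Count is reliable for zero or one result.
        $Mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"})

        $Attempted = 0
        foreach ($mailbox in $Mailboxes)
        {
            if ($mailbox.AuditEnabled -eq $false)
            {
                $Attempted++
                Write-Log -Message "Enable auditing on $($mailbox.SamAccountName)" -Level Information
                Try{
                    # -ErrorAction Stop turns a non-terminating Set-Mailbox error into one the
                    # Catch below can see, so a mailbox that stays unaudited is recorded in the
                    # summary log instead of only on the console of the scheduled task.
                    # Only the owner action list is set here; AuditAdmin and AuditDelegate are
                    # left as configured on the mailbox.
                    # NOTE(review): 365 is presumably read as 365 days - confirm with
                    # Get-Mailbox <id> | Format-List AuditLogAgeLimit.
                    Set-Mailbox -Identity $mailbox.Identity -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update -ErrorAction Stop
                }
                Catch{
                    # Log and carry on: one failing mailbox must not stop auditing from
                    # being enabled on the remaining ones.
                    Write-Log -Message "Failed to enable auditing on $($mailbox.SamAccountName): $($_.Exception.Message)" -Level Error
                }
            }
            else {
                Write-Log -Message "Auditing already enabled on $($mailbox.SamAccountName)" -Level Verbose
            }
        }

        if ($Mailboxes.Count -eq 0) {
            # Previously this case was reported as "all mailboxes already have auditing
            # enabled", which hid a failed or empty enumeration.
            Write-Log -Message "Get-Mailbox returned no mailboxes; nothing was checked" -Level Information
        }
        elseif ($Attempted -eq 0) {
            Write-Log -Message "All mailboxes already have auditing enabled" -Level Verbose
        }
    }
    Catch{
        # Anything that stops the run as a whole (snap-in missing, Get-Mailbox failing, ...).
        $Line = $_.InvocationInfo.ScriptLineNumber
        $Offset = $_.InvocationInfo.OffsetInLine
        Write-Debug $_
        Write-Log -Message $_ -Level Error
        # No -Level here, so the location is written at the default 'Verbose' level
        # (verbose log only).
        Write-Log -Message "Error occurred at line: $line and offset $offset"
    }
}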
End{
    # Closing marker for the run. The Catch in the Process block does not rethrow,
    # so this entry is written after a failed run as well.
    $FinishEntry = @{
        Message = "Script finished."
        Level   = 'Information'
    }
    Write-Log @FinishEntry
}

Tags : Exchange, Exchange Online, Exchange Server, Office 365
