Sunday, March 23, 2014


The mailbox audit option is a very useful feature that gives us detailed information about the operations and activities related to the “Mailbox” object. Generally speaking, there are a couple of “audit types.” In this article, I would like to focus on the audit type described as “Non-Owner Mailbox Access.” This option gives us detailed information about who did what, and when, in a specific mailbox.

Mailbox auditing includes 3 levels:

Non-Owner Mailbox Access audit

The Non-Owner Mailbox Access audit is not enabled by default. This means that if we want to use the “audit” option, we need to “turn on” the audit first. Mailbox auditing is suitable for a scenario in which a user complains that mail is “disappearing” from his mailbox and he has no idea how this happened. Another scenario is one in which we suspect that “someone” is trying to gain unauthorized access to a user's mailbox, and so on.


Information and help related to PowerShell

If you are a novice in the PowerShell environment, you can use the following link to get more information about the “first steps,” such as downloading the required PowerShell software components, using the PowerShell console, running a PowerShell script, etc.

PowerShell Naming Conventions & general information

If you want more information about the naming conventions used in this article, and some general tips on working with PowerShell, read the article: Help and additional information - o365info.com PowerShell articles

Create remote PowerShell session

Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets and create a remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session, read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange online by using Remote PowerShell

How to use a PowerShell script

Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want more information about how to use a PowerShell script, read the article: Connect to office 365 and Exchange online using a script

PowerShell commands and script language in more detail

If you are new to the PowerShell world, you can read more about PowerShell in the Office 365 environment in the article: The Power of PowerShell



1  - Enable/Disable Mailbox Audit ( Non-Owner Mailbox Access Report )

Enable Mailbox Audit (Non-Owner Mailbox Access Report) for a specific mailbox

Code Box
 Set-Mailbox <Identity> -AuditEnabled $True
 Set-Mailbox John -AuditEnabled $True

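Enable Mailbox Audit (Non-Owner Mailbox Access Report) for ALL mailboxes (Bulk mode)

Code Box
 # Get-Mailbox returns only the first 1000 results by default; -ResultSize Unlimited covers all mailboxes
 $UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
 $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $True}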

Disable Mailbox Audit (Non-Owner Mailbox Access Report) for a specific mailbox

Code Box
 Set-Mailbox <Identity> -AuditEnabled $False
 Set-Mailbox John -AuditEnabled $False

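Disable Mailbox Audit (Non-Owner Mailbox Access Report) for ALL mailboxes (Bulk mode)

Code Box
 # Get-Mailbox returns only the first 1000 results by default; -ResultSize Unlimited covers all mailboxes
 $UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
 $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $False}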

2 - Set the Type of Mailbox Audit + Non default Audit operations

Set Mailbox Audit – AuditAdmin

Code Box
 Set-Mailbox <Identity> -AuditAdmin <list of operations> 
 Set-Mailbox John -AuditAdmin Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems

Set Mailbox Audit – Audit Delegate

Code Box
 Set-Mailbox <Identity> -AuditDelegate <list of operations>
 Set-Mailbox John -AuditDelegate Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems

Enable Audit + Set Mailbox Audit for AuditAdmin and AuditDelegate

Code Box
Set-mailbox John -AuditEnabled $True -AuditDelegate Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems -AuditAdmin Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems

3 - Display information about Audit settings

Display information about Audit logging for a specific mailbox - AuditDelegate

Code Box
 Get-Mailbox <Identity> | Select-Object -ExpandProperty AuditDelegate
 Get-Mailbox John | Select-Object -ExpandProperty AuditDelegate

Display information about Audit logging for a specific mailbox - AuditAdmin

Code Box
 Get-Mailbox <Identity> | Select-Object -ExpandProperty AuditAdmin
 Get-Mailbox John | Select-Object -ExpandProperty AuditAdmin

Display information about recipient Audit folder

Code Box
 Get-MailboxFolderStatistics <Identity> | ? {$_.Name -eq "Audits" -and $_.FolderType -eq "Audits"} | FT Identity, ItemsInFolder, FolderSize -AutoSize 
 Get-MailboxFolderStatistics John | ? {$_.Name -eq "Audits" -and $_.FolderType -eq "Audits"} | FT Identity, ItemsInFolder, FolderSize -AutoSize

Display information about all of the mailboxes that are Audited

Code Box
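 # Compare against the Boolean $True (not a quoted string) and include all mailboxes, not just the first 1000
 Get-Mailbox -ResultSize Unlimited | Where {$_.AuditEnabled -eq $True}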

View administrator Audit logging settings

Code Box
 Get-AdminAuditLogConfig
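
The audit settings displayed in this section can be checked for gaps in one pass. The following is an added example, not part of the original article or its Audit.ps1 script: `Get-MailboxAuditGap` is a hypothetical helper, the expected operations list is copied from the Set-Mailbox examples above, and the sample mailboxes are constructed so the block runs without a remote session.

```powershell
# Operations the article configures for AuditAdmin and AuditDelegate.
$ExpectedOps = 'Create','FolderBind','SendAs','SendOnBehalf','SoftDelete',
               'HardDelete','Update','Move','MoveToDeletedItems'

function Get-MailboxAuditGap {
    # Hypothetical helper: accepts objects shaped like Get-Mailbox output and
    # emits one row per mailbox whose auditing is off or incomplete.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [string[]] $Expected = $ExpectedOps
    )
    process {
        # Normalise to strings: a remote session returns deserialized collections.
        $admin    = @($Mailbox.AuditAdmin    | ForEach-Object { "$_" })
        $delegate = @($Mailbox.AuditDelegate | ForEach-Object { "$_" })
        $missingAdmin    = @($Expected | Where-Object { $_ -notin $admin })
        $missingDelegate = @($Expected | Where-Object { $_ -notin $delegate })

        if (-not $Mailbox.AuditEnabled -or
            $missingAdmin.Count -gt 0 -or $missingDelegate.Count -gt 0) {
            [pscustomobject]@{
                Mailbox         = $Mailbox.Name
                AuditEnabled    = [bool]$Mailbox.AuditEnabled
                MissingAdmin    = $missingAdmin -join ','
                MissingDelegate = $missingDelegate -join ','
            }
        }
    }
}

# Constructed sample input (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name='John';  AuditEnabled=$true;  AuditAdmin=$ExpectedOps;    AuditDelegate=$ExpectedOps }
    [pscustomobject]@{ Name='Alice'; AuditEnabled=$false; AuditAdmin=$ExpectedOps;    AuditDelegate=$ExpectedOps }
    [pscustomobject]@{ Name='Bob';   AuditEnabled=$true;  AuditAdmin='Update','Move'; AuditDelegate=$ExpectedOps }
)
$sample | Get-MailboxAuditGap | Format-Table -AutoSize

# In a live Exchange Online session, feed it real mailboxes instead:
#   Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} |
#       Get-MailboxAuditGap
```

With the sample data, John produces no row, Alice is reported because auditing is disabled, and Bob is reported with the seven admin operations that are not being logged.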

4 - Display information about mailbox and folder permissions

Display folder permissions for a specific mailbox (entries with access rights other than None)

Code Box
 Get-MailboxFolder <Identity> -GetChildren | Get-MailboxFolderPermission | Where-Object {-not ($_.AccessRights -like '*None*')}
 Get-MailboxFolder John -GetChildren | Get-MailboxFolderPermission | Where-Object {-not ($_.AccessRights -like '*None*')}

5 - Search for information in the Audit Log

Display all the Audit information that was collected for a specific mailbox

Code Box
 Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -ShowDetails
 Search-MailboxAuditLog John -LogonTypes Admin,Delegate -ShowDetails

Display Audit information for “Send As” activities

Code Box
 Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -ShowDetails | Where-Object {$_.Operation -eq "Sendas"} |select MailboxResolvedOwnerName, LastAccessed, Operation,OperationResult,LogonUserDisplayName,LogonType ,ItemSubject,FolderPathName,InternalLogonType,SourceItemSubjectsList,SourceItemFolderPathNamesList,ClientProcessName,ClientInfoString
 Search-MailboxAuditLog John -LogonTypes Admin,Delegate -ShowDetails | Where-Object {$_.Operation -eq "Sendas"} | Select MailboxResolvedOwnerName, LastAccessed, Operation,OperationResult,LogonUserDisplayName,LogonType ,ItemSubject,FolderPathName,InternalLogonType,SourceItemSubjectsList,SourceItemFolderPathNamesList,ClientProcessName,ClientInfoString

Display Audit information about a mailbox from specific date range

Code Box
 Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -ResultSize <Number>
 Search-MailboxAuditLog John -LogonTypes Admin,Delegate -StartDate 05/20/2013 -EndDate 05/25/2013 -ResultSize 2000

Display Audit information about a mailbox from specific date range for “HardDelete” activities

Code Box
 # -ShowDetails is required here: without it the results are summaries that carry no Operation property to filter on
 Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -ShowDetails -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -ResultSize <Number> | Where-Object {$_.Operation -eq "HardDelete"}
 Search-MailboxAuditLog John -LogonTypes Admin,Delegate -ShowDetails -StartDate 05/20/2013 -EndDate 05/25/2013 -ResultSize 2000 | Where-Object {$_.Operation -eq "HardDelete"}

Display the content of the administrator audit log (show all events)

Code Box
 Search-AdminAuditLog

Search the contents of the administrator Audit log

Code Box
 Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>
 Search-MailboxAuditLog John -LogonTypes Admin,Delegate -StartDate 05/20/2014 -EndDate 05/25/2014 -ResultSize 2000
 Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 05/20/2014 -EndDate 05/25/2014 -UserIds John,Alice,Bob -IsSuccess $True

Search the contents of the administrator Audit log - look for specific user

Code Box
 Search-AdminAuditLog -UserIds <Identity>
 Search-AdminAuditLog -UserIds John
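
For the “disappearing mail” scenario described at the start of the article, the detailed records returned by Search-MailboxAuditLog -ShowDetails are easier to read once they are grouped by who accessed the mailbox and what they did. The following is an added example, not part of the original article or its Audit.ps1 script: `Get-NonOwnerAccessSummary` is a hypothetical helper, the list of operations flagged as high interest is an assumption, and the records are constructed samples that use the property names from the “Send As” query above.

```powershell
function Get-NonOwnerAccessSummary {
    # Hypothetical helper: input shaped like Search-MailboxAuditLog -ShowDetails records.
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        # Assumption: operations that deserve a first look in a missing-mail or misuse case.
        [string[]] $HighInterest = @('HardDelete','SoftDelete','MoveToDeletedItems','SendAs','SendOnBehalf')
    )
    $Record |
        Where-Object { "$($_.LogonType)" -in 'Admin','Delegate' } |   # drop owner activity
        Group-Object MailboxResolvedOwnerName, LogonUserDisplayName, Operation |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object LastAccessed)
            [pscustomobject]@{
                Mailbox      = $sorted[0].MailboxResolvedOwnerName
                AccessedBy   = $sorted[0].LogonUserDisplayName
                Operation    = $sorted[0].Operation
                Count        = $_.Count
                FirstSeen    = $sorted[0].LastAccessed
                LastSeen     = $sorted[-1].LastAccessed
                HighInterest = "$($sorted[0].Operation)" -in $HighInterest
            }
        } |
        Sort-Object @{Expression='HighInterest'; Descending=$true},
                    @{Expression='Count'; Descending=$true}
}

# Constructed sample records (not real audit data).
$records = @(
    [pscustomobject]@{ MailboxResolvedOwnerName='John'; LogonUserDisplayName='Alice'; LogonType='Delegate'; Operation='HardDelete'; LastAccessed=[datetime]'2014-05-21T09:12:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName='John'; LogonUserDisplayName='Alice'; LogonType='Delegate'; Operation='HardDelete'; LastAccessed=[datetime]'2014-05-22T17:40:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName='John'; LogonUserDisplayName='Bob';   LogonType='Admin';    Operation='FolderBind'; LastAccessed=[datetime]'2014-05-21T08:01:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName='John'; LogonUserDisplayName='John';  LogonType='Owner';    Operation='Update';     LastAccessed=[datetime]'2014-05-21T10:30:00' }
)
Get-NonOwnerAccessSummary -Record $records | Format-Table -AutoSize

# In a live session, pass the real search results instead:
#   $r = Search-MailboxAuditLog John -LogonTypes Admin,Delegate -ShowDetails `
#          -StartDate 05/20/2014 -EndDate 05/25/2014 -ResultSize 2000
#   Get-NonOwnerAccessSummary -Record $r
```

With the sample data, the two HardDelete operations by Alice sort to the top with their first and last timestamps, Bob's FolderBind follows, and the owner's own Update is filtered out.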

6 - Audit General Settings

Configure Outlook Web App to allow XML attachments

Code Box
 Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

Set Audit retention number of days

Code Box
 Set-Mailbox <Identity> -AuditLogAgeLimit <Days>
 Set-Mailbox John -AuditLogAgeLimit 30

Suppressing Audits for Specific Mailboxes

Code Box
 Set-MailboxAuditBypassAssociation <Identity> -AuditBypassEnabled $True
 Set-MailboxAuditBypassAssociation John -AuditBypassEnabled $True

Mailbox Auditing: Export Audit information to XML File + Send the result to Email address

Code Box
 New-MailboxAuditLogSearch -Name <String> -LogonTypes Admin,Delegate -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -StatusMailRecipients <Email Address>
 New-MailboxAuditLogSearch -Name "Audit information for all mailboxes" -LogonTypes Admin,Delegate -StartDate 05/20/2014 -EndDate 05/25/2014 -StatusMailRecipients John@o365info.com

Administrator Auditing: Export Audit information to XML File + Send the result to Email address

Code Box
 # New-AdminAuditLogSearch has no -LogonTypes parameter (that belongs to the mailbox audit cmdlets)
 New-AdminAuditLogSearch -Name <String> -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -StatusMailRecipients <Email Address>
 New-AdminAuditLogSearch -Name "Audit information for all mailboxes" -StartDate 05/20/2014 -EndDate 05/25/2014 -StatusMailRecipients John@o365info.com

Script Box

For your convenience, I have “wrapped” all of the PowerShell commands that were reviewed in a PowerShell script named: Audit.ps1
