This cmdlet helps answer the age old questions: Who deleted that distribution group? Who deleted that mailbox? Who changed that setting? This applies to Exchange 2013 and Exchange 2016.
Unknown by some but Exchange has auditing enabled for all tasks, whether you use PowerShell or the Exchange Admin Center to perform the task and you can search this audit log using the Search-AdminAuditLog cmdlet. Make sure you are a member of the Organization Management or Records Management groups or have the View-Only Audit Logs role assigned.
Who deleted a Distribution Group?
In this example, we’ll look for all the instances where a distribution group called finance was deleted. We’ll search for all entries since midnight on 19th November 2015:
Search-AdminAuditLog -Cmdlets Remove-DistributionGroup -StartDate “11/19/2015 00:00” | ? {$_.ObjectModified -match “finance”}
Here we can see that the Administrator user (see the Caller property) has deleted the Finance distribution group which was originally in the path litwareinc.com/Users/Finance (ObjectModified property) at 19/11/2015 22:24.
Who changed a setting?
In this example, we are looking for the user who changed any of the InternalDNSServers settings on the transport server configuration:
Search-AdminAuditLog -Cmdlets Set-TransportService -Parameters InternalDNSServers
Here we can see that there are two entries in the log but it would be great if we could get the exact values that were used. To do this, run the command below:
Search-AdminAuditLog -Cmdlets Set-TransportService -Parameters InternalDNSServers | % {$_;$_.CmdletParameters}
Here we can see the audit log entry followed by the parameters used when the command was run just after it. To explain the above example – the Administrator user set the InternalDNSServers parameter to 4.2.2.2 on LITEX02 at 14:36 on 15/11/2015 then at 14:40 on the same day, he set the InternalDNSServers parameter back to null.
Quite a useful way to tell what was done to a server in case there are issues after a change is made.
What did that administrator do?
In this next example, I’ll demonstrate how to figure out all the tasks the administrator user or another user has performed since 14th November. Run this command:
Search-AdminAuditLog -UserIds Administrator -StartDate “11/14/2015 00:00” | FT RunDate,OriginatingServer,CmdletName,Succeeded
Here you can see all the cmdlets the Administrator user has run. Note that you can see which commands were run on all servers in the organization. In this organization there is an Exchange 2016 server, LITEX02 and an Exchange 2013 server, LITEX01.
Conclusion
In this post, I’ve demonstrated how to search the admin audit log to find out who has deleted objects or changed settings from within the Exchange Admin Center or the Exchange Management Shell. This applies to both Exchange 2013 and 2016.