Search the Role Group Changes or Administrator Audit Logs

Applies to: Exchange Server 2013

Topic Last Modified: 2012-11-20

You can search the administrator audit logs to discover who made changes to organization, server, and recipient configuration. This can be helpful when you're trying to track the cause of unexpected behavior, to identify a malicious administrator, or to verify that compliance requirements are being met. For more information about administrator audit logging, see Administrator Audit Logging.

If you want to search the mailbox audit log, see Mailbox Audit Logging.

What do you need to know before you begin?

Estimated time to complete each procedure: less than 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.
Administrator audit logging must be enabled for audit log entries to be stored in the audit log. For information about how to enable audit logging, see Manage Administrator Audit Logging.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

What do you want to do?

Use the EAC to run the management role group changes report

If you want to know what changes to management role group membership have been made to role groups in your organization, you can use the Administrator Role Group report in the Exchange Administration Center (EAC). Using the Administrator Role Group report, you can view a list of role groups that have changed during a specified date range. You can also select the specific role groups you want to view changes for.

In the EAC, select Compliance management > Auditing, and then click Run an administrator role group report.
Select a date range using the Start date and End date fields.
Click Select role groups, and then select the role groups you want to show changes for or leave this field blank to search for changes in all role groups.
Click Search.

If any changes are found using the criteria you specified, a list of changes will be displayed in the results pane. Clicking a role group displays the changes to the role group in the details pane.

Use the EAC to export the administrator audit log

If you want to create an XML file that contains changes made to your organization, you can use the Export Administrator Audit Log report in the EAC. Using the Export Administrator Audit Log report, you can specify a date range to search for audit log entries that contain changes made by users you specify. The XML file is then sent to a recipient as an email attachment. The maximum size of the XML file is 10 megabytes (MB).

Note:
Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another email client, such as Microsoft Outlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.

Note:

Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another email client, such as Microsoft Outlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.

In the EAC, select Compliance management > Auditing, and then click Export the administrator audit log.
Select a date range using the Start date and End date fields.
In the Send the auditing report to field, click Select users and then select the recipient you want to send the report to.
Click Export.

If any log entries are found using the criteria you specified, an XML file will be created and sent as an email attachment to the recipient you specified.

Use the Shell to search for audit log entries

You can use the Shell to search for audit log entries that meet the criteria you specify. For a list of search criteria, see Administrator Audit Logging. This procedure uses the Search-AdminAuditLog cmdlet and displays search results in the Shell. You can use this cmdlet when you need to return a set of results that exceeds the limits defined on the New-AdminAuditLogSearch cmdlet or in the EAC Audit Reporting reports.

If you want to send audit log search results in an email attachment to a recipient, see Use the Shell to search for audit log entries and send results to a recipient later in this topic.

To search the audit log for criteria you specify, use the following syntax.

	Copy Code
Search-AdminAuditLog - Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True \| $False >

Copy Code

Search-AdminAuditLog - Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False >

Note:
The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries. Or, use the value `Unlimited` to return all entries.

This example performs a search for all audit log entries with the following criteria:

Start date 08/04/2012
End date 10/03/2012
User IDs davids, chrisd, kima
Cmdlets Set-Mailbox
Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

	Copy Code
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 08/04/2012 -EndDate 10/03/2012 -UserIds davids, chrisd, kima

Copy Code

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 08/04/2012 -EndDate 10/03/2012 -UserIds davids, chrisd, kima

This example searches for changes made to a specific mailbox. This is useful if you're troubleshooting or you need to provide information for an investigation. The following criteria are used:

Start date 05/01/2012
End date 10/03/2012
Object ID contoso.com/Users/DavidS

	Copy Code
Search-AdminAuditLog -StartDate 05/01/2012 -EndDate 10/03/2012 -ObjectID contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure provided in Use the Shell to search for audit log entries and send results to a recipient later in this topic. The procedure in that section sends an XML file as an email attachment to the recipients you specify, enabling you to more easily extract the data you're interested in.

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries

The Search-AdminAuditLog cmdlet returns the fields described in the “Audit log contents section of Administrator Audit Logging. Of the fields returned by the cmdlet, two fields, CmdletParameters and ModifiedProperties, contain additional information that isn't viewable by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps. Or, you can use the procedure in Use the Shell to search for audit log entries and send results to a recipient later in this topic to create an XML file.

This procedure uses the following concepts:

Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in a variable using the following command.
Copy Code
$Results = Search-AdminAuditLog <search criteria>
Each audit log entry is stored as an array element in the variable $Results. You can select an array element by specifying its array element index. Array element indexes start at zero (0) for the first array element. For example, to retrieve the 5th array element, which has an index of 4, use the following command.
Copy Code
$Results[4]
The previous command returns the log entry stored in array element 4. To see the contents of the CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.
Copy Code
$Results[4].CmdletParameters $Results[4].ModifiedProperties
To view the contents of the CmdletParameters or ModifiedParameters fields in another log entry, change the array element index.

	Copy Code
$Results = Search-AdminAuditLog <search criteria>

	Copy Code
$Results[4]

	Copy Code
$Results[4].CmdletParameters $Results[4].ModifiedProperties

Use the Shell to search for audit log entries and send results to a recipient

You can use the Shell to search for audit log entries that meet the criteria you specify, and then send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within 15 minutes. For a list of search criteria, see Administrator Audit Logging.

Note:
Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another email client, such as Microsoft Outlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.

Note:

To search the audit log for criteria you specify, use the following syntax.

	Copy Code
New-AdminAuditLogSearch -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True \| $False > -StatusMailRecipients <recipient 1, recipient 2, ...> -Name <string to include in subject>

Copy Code

New-AdminAuditLogSearch -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False > -StatusMailRecipients <recipient 1, recipient 2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:

Start date 08/04/2012
End date 10/03/2012
User IDs davids, chrisd, kima
Cmdlets Set-Mailbox
Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

The command sends the results to the davids@contoso.com SMTP address with "Mailbox limit changes" included in the subject line of the message.

	Copy Code
New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 08/04/2012 -EndDate 10/03/2012 -UserIds davids, chrisd, kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

Copy Code

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 08/04/2012 -EndDate 10/03/2012 -UserIds davids, chrisd, kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

Note:
The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If the search you perform returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the size of the date range and run multiple reports, each with a portion of the original date range.

For more information about the format of the XML file, see Administrator Audit Log Structure.

For detailed syntax and parameter information, see New-AdminAuditLogSearch.