How to audit specific cmdlets for specific user-ID using Set-AdminAuditLogConfig?
  • How to audit specific cmdlets for specific user-ID using Set-AdminAuditLogConfig?

    I'm getting mail-exchange admin audit logs. The steps I performed are:

    Step 1

    Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

    Step 2

    Set-AdminAuditLogConfig -AdminAuditLogParameters *

    Step 3

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

    Step 4

    Search-AdminAuditLog -StartDate 01/22/2014 -EndDate 04/23/2014 -ResultSize Unlimited | Export-Csv "c:\test-Admin-Audit-Results.csv"

    On output I'm very confused because in the Caller column I'm getting user IDs other than admins, normal users as well. For example:
    The Caller column for one row is mydomain/Users/nadmin
    Another row would have caller mydomain/Users/john

    The cmdlet names for the non-admin entries would be, e.g.:
    • Enable-Mailbox
    • Set-MailboxMessageConfiguration


    The point of confusion is that I thought extracting mail-admin audit logs would ONLY produce events/actions for user nadmin. Why does it bring non-admin user activities? Is it because of how I supplied the configuration parameters? Secondly, is it not possible to define what needs to get audited using Set-AdminAuditLogConfig, but only for a separate audit role? The reason is that if I change the settings it will only limit audit logging to certain cmdlets. I want a role, e.g. security auditor, who is auditing x number of cmdlets for y user, and the other cmdlets (non-audit-important ones) can be kept in the original role of MS Exchange admin without any interruption. Can such a thing be achieved?

    As a workaround, I'm currently extracting using the search command to bring me logs for user ID admin. Please suggest.
    Thanks.
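
Added example (not part of the original post): one way to keep the organization-wide logging from steps 1-3 untouched and scope the report when searching, with a read-only role group for the auditor. The user `nadmin`, the date range, the two cmdlet names and the CSV path are taken from the post; the role group name, the member `secauditor` and the `-ResultSize` value are hypothetical.

```powershell
# Added example; run in the Exchange Management Shell.
# Hypothetical values: role group name, member 'secauditor', -ResultSize 5000.

$auditedUser    = 'nadmin'                                     # caller from the post
$auditedCmdlets = 'Enable-Mailbox', 'Set-MailboxMessageConfiguration'

# Set-AdminAuditLogConfig is an organization-wide setting with no per-user
# filter: every caller who runs a listed cmdlet is logged. Confirm the
# current scope before deciding whether to narrow it.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters

# Leave logging broad and filter at search time instead. -UserIds limits the
# results to entries whose caller matches; -Cmdlets limits them by cmdlet name.
$entries = Search-AdminAuditLog -UserIds $auditedUser -Cmdlets $auditedCmdlets `
    -StartDate '01/22/2014' -EndDate '04/23/2014' -ResultSize 5000

# Flatten each entry so the parameter name/value pairs end up in one CSV
# column instead of a collection type name.
$report = $entries | Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
    @{ Name = 'Parameters'
       Expression = {
           ($_.CmdletParameters | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
       } }

$report | Export-Csv 'c:\test-Admin-Audit-Results.csv' -NoTypeInformation

# Separate auditor role: the built-in 'View-Only Audit Logs' management role
# allows searching the admin audit log without permission to change the
# audit configuration or run administrative cmdlets.
New-RoleGroup -Name 'Security Auditors' -Roles 'View-Only Audit Logs' -Members 'secauditor'
```

Members of the hypothetical `Security Auditors` group run the same `Search-AdminAuditLog` filter themselves, so the Exchange administrators' role and the audit configuration stay as they are.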