A user had a problem and her Exchange administrator asked for help:
The user is sharing her calendar with a few people and her appointments are being changed. I suspect her assistant is accidentally changing the appointment but the assistant denies touching the appointments. Is there a way to log what account accesses the mailbox and what changes are made to the contents?
You can enable auditing in Exchange 2010 and Exchange 2013.
To do this, you need to use the Set-Mailbox cmdlet and the AuditEnabled parameter:
Set-Mailbox alias -AuditEnabled $true
Use this cmdlet to verify auditing was enabled:
Get-Mailbox dianep | fl *audit*
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner       : {}
To view the logs, use the Search-MailboxAuditLog cmdlet:
Search-MailboxAuditLog alias -LogonTypes Admin,Delegate -ShowDetails
Add the StartDate, EndDate, and ResultSize parameters to limit the number of records returned:
Search-MailboxAuditLog alias -LogonTypes Admin,Delegate -ShowDetails -StartDate 12/1/2012 -EndDate 12/7/2012 -ResultSize 1000
Everyone who accesses the mailbox and does anything will be listed in the log. The log records the operation they performed (copy, create, hard delete, soft delete, moved to deleted items, move, send as, send on behalf, or update) and whether the operation succeeded or failed.
The log for each item is quite a bit longer than this example, but as you can see from this snippet, Billy Jackson successfully deleted a contact at 9:59 AM.
Operation            : SoftDelete
OperationResult      : Succeeded
LogonType            : Delegate
FolderPathName       : \Contacts
ClientInfoString     : Client=MSExchangeRPC
ClientProcessName    : OUTLOOK.EXE
ClientVersion        : 14.0.6126.5000
InternalLogonType    : Delegated
LogonUserDisplayName : Billy Jackson
LastAccessed         : 12/6/2012 9:59:02 AM
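An added example (not from the original article): a filter that narrows audit entries to successful changes in the calendar folder, which is what the administrator's question is about. The function name `Get-CalendarChangeSummary`, the `\Calendar` folder path (English-language mailbox) and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: list who successfully changed or removed items in the calendar.
# Assumption: English-language mailbox, so the folder path is "\Calendar".
function Get-CalendarChangeSummary {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string]$FolderPath = '\Calendar'
    )
    begin {
        # Operations that alter or remove an existing item.
        $changeOps = 'Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
        $hits = @()
    }
    process {
        if ($Entry.OperationResult -eq 'Succeeded' -and
            $changeOps -contains $Entry.Operation -and
            $Entry.FolderPathName -like "$FolderPath*") {
            $hits += $Entry
        }
    }
    end {
        $hits | Sort-Object LastAccessed |
            Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName
    }
}

# Constructed sample entries (same field names as the log excerpt above) so the
# function can be tried without an Exchange server. Names and times are made up.
$sample = @(
    New-Object PSObject -Property @{ Operation = 'Update'; OperationResult = 'Succeeded'; LogonType = 'Delegate'; FolderPathName = '\Calendar'; LogonUserDisplayName = 'Example Assistant'; LastAccessed = [datetime]'2012-12-05 14:10:00' }
    New-Object PSObject -Property @{ Operation = 'SoftDelete'; OperationResult = 'Succeeded'; LogonType = 'Delegate'; FolderPathName = '\Contacts'; LogonUserDisplayName = 'Example Assistant'; LastAccessed = [datetime]'2012-12-06 09:59:02' }
    New-Object PSObject -Property @{ Operation = 'HardDelete'; OperationResult = 'Failed'; LogonType = 'Delegate'; FolderPathName = '\Calendar'; LogonUserDisplayName = 'Example Colleague'; LastAccessed = [datetime]'2012-12-04 08:30:00' }
    New-Object PSObject -Property @{ Operation = 'MoveToDeletedItems'; OperationResult = 'Succeeded'; LogonType = 'Admin'; FolderPathName = '\Calendar'; LogonUserDisplayName = 'Example Admin'; LastAccessed = [datetime]'2012-12-03 16:45:00' }
)

# Returns the Admin move-to-deleted-items entry, then the Delegate update.
$sample | Get-CalendarChangeSummary

# Against a real mailbox, pipe the article's search into the same function:
# Search-MailboxAuditLog alias -LogonTypes Admin,Delegate -ShowDetails `
#     -StartDate 12/1/2012 -EndDate 12/7/2012 -ResultSize 1000 | Get-CalendarChangeSummary
```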
More Information
For more information about audit logging, see
Search-MailboxAuditLog
Understanding Mailbox Audit Logging
Hi Diane, I wish to either prevent my engineers from changing their calendar entries or audit any changes anyone has made to a calendar entry. Basically I have 18 engineers, all with full AD & Exchange accounts and I only want Head Office staff to be able to add, remove or modify entries in each of the 18 calendars. Is the above the right way to go or should I be looking at another option?
Thanks
Toni
You won't be able to do it with permissions - well, you can change permissions so some users can only change the events they made. Exchange 2013 adds some auditing features, so you can see who did what, but I don't think it was pushed back to Exchange 2010.