How to Track Who Accessed Mailboxes in Exchange Server 2016

Authored by: Support.com Tech Pro Team

1. Introduction

How to Track Who Accessed Mailboxes in Exchange Server 2016

 

2. Step 1. Check whether Mailbox Audit Logging is enabled

Go to the ‘Start’ menu and open the ‘Exchange Management Shell.’ In the Shell, type the below command to get the ‘Exchange Server.’ In the shell, type the following command to verify whether auditing is enabled on a mailbox.

Get-Mailbox –Identity TestUser1 | Format-List *audit*

If Audit is enabled, you will get a true value. Under AuditAdmin and Audit Delegate, you will get all the functions the mailbox can perform.

3. Step 2. Enable-Mailbox Audit Logging

To enable mailbox audit logging, type the below command in Exchange Management Shell:

Set-Mailbox -Identity “TestUser1” -AuditEnabled $True

This command enables audit for TestUser1

4. Step 3. Enable-Mailbox audit logging for users and operations

Administrators, delegates or owners can enable mailbox auditing for specified operations. Run the below commands in Exchange Management Shell:

Set-Mailbox -Identity “TestUser1” -AuditAdminHardDelete, SoftDelete -AuditEnabled $TrueSet-Mailbox -Identity “TestUser1” -AuditDelegateSendAsSendOnBehalf -AuditEnabled $TrueSet-Mailbox -Identity” TestUser1” -AuditOwnerMoveToDeletedItems –AuditEnabled $True

5. Step 4. Get-Mailbox audit log data for one or more mailboxes

To get the audit log data by email (for TestUser1 mailbox), run:

New-MailboxAuditLogSearch –Mailboxes “TestUser1” –LogonTypes admin, Delegate –StartDate 07/12/2017 –EndDate 11/12/2017 –StatusMailRecipientsadministrator@www.domain.com –ShowDetails

Here, you will get information on logon details, start and end audit date, and recipients mail address on which you will receive mail.