Exchange 2007 Change Permission Logging

  • Question

  • Hello,
    Is it possible to log when a user (Exchange admin) changes permissions for an AD object (add-adpermission) or a mailbox object (add-mailboxpermission)?


    Thanks
    Jan
    Wednesday, February 24, 2010 10:48 AM

Answers

  • Hi,

    Yes, if your admins use EMS then you can automate this Start-Transcript logging.

    This way each and every thing will be logged to the file which you specify in Start-Transcript command. 

    I have put 

    Start-Transcript -path "C:\Logs\PSLogs.txt" -append

    in Exchange.ps1 which exists at "C:\Program Files\Microsoft\Exchange Server\Bin"

    This is the script file which EMS uses to initialize itself. So whenever I open EMS, logging is started automatically because of the Start-Transcript command in Exchange.ps1.

    You can put this command at the end of function get-tip in Exchange.ps1.

    Note: do copy Exchange.ps1 before modification, in case a backup is needed later.

    Regards,



    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com
    • Proposed as answer by Elvis Wei Monday, March 1, 2010 7:08 AM
    • Edited by Laeeq Qazi Monday, March 1, 2010 8:53 AM
    • Marked as answer by Jan Matejka Monday, March 1, 2010 11:43 AM
    Wednesday, February 24, 2010 6:41 PM
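
Added example, not part of the original answer or of Exchange itself: once transcripts are written as described above, a script like this can pull the permission-changing commands out of them. The transcript header layout, the `[PS]` prompt format, the function name and the sample lines are assumptions constructed for illustration.

```powershell
# Assumed transcript layout: a header block with "Start time:" and "Username"
# lines, followed by EMS prompt lines of the form "[PS] C:\>command".
function Get-PermissionChangeFromTranscript {
    param(
        [Parameter(Mandatory = $true)][string[]]$Line,
        [string[]]$Cmdlet = @('Add-ADPermission', 'Remove-ADPermission',
                              'Add-MailboxPermission', 'Remove-MailboxPermission')
    )
    $pattern = '(?i)\b(' + (($Cmdlet | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
    $start = $null; $user = $null
    foreach ($l in $Line) {
        if ($l -match '^Start time\s*:\s*(\d{14})') {
            # Each new header resets the session context for the commands that follow.
            $start = [datetime]::ParseExact($Matches[1], 'yyyyMMddHHmmss',
                         [System.Globalization.CultureInfo]::InvariantCulture)
        }
        elseif ($l -match '^Username\s*:\s*(.+?)\s*$') { $user = $Matches[1] }
        # Only prompt lines are commands typed by the admin; output lines are skipped.
        elseif ($l -match '^\[PS\]\s+[^>]*>(.*)$') {
            $cmd = $Matches[1].Trim()
            if ($cmd -match $pattern) {
                New-Object PSObject -Property @{
                    SessionStart = $start; User = $user
                    Cmdlet = $Matches[1]; Command = $cmd
                }
            }
        }
    }
}

# Constructed sample transcript (not real log data).
$sample = @'
**********************
Windows PowerShell Transcript Start
Start time: 20100224184100
Username  : CONTOSO\admin1
Machine   : EXCH01 (Microsoft Windows NT 6.0.6002 Service Pack 2)
**********************
[PS] C:\>Get-Mailbox jan
[PS] C:\>Add-MailboxPermission -Identity jan -User CONTOSO\temp1 -AccessRights FullAccess
[PS] C:\>Add-ADPermission -Identity "Jan M" -User CONTOSO\temp1 -ExtendedRights "Send As"
'@ -split "`r?`n"

Get-PermissionChangeFromTranscript -Line $sample |
    Format-Table SessionStart, User, Cmdlet, Command -AutoSize
```

Under this assumed layout only the session start time is available, and a command continued over several lines is matched on its first line only. For a real file, pass `(Get-Content C:\Logs\PSLogs.txt)` as `-Line`.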

All replies

  • Would the Start-Transcript cmdlet be of any help here?

    http://www.pro-exchange.eu/modules.php?$1&name=News&file=article&sid=831


    It's not an automatic logging tool for all Admins however.
    Oliver Moazzezi | Exchange MVP, MCSA:M, MCTS:Exchange 2010, BA (Hons) Anim | http://www.exchange2007.com | http://www.exchange2010.com | http://www.cobweb.com |
    • Proposed as answer by Elvis Wei Monday, March 1, 2010 7:08 AM
    Wednesday, February 24, 2010 5:30 PM
  • Thank you very much, I will test it.

    But there is another weak point when a Domain Admin changes AD permissions for Send As and Receive As :-(

    Or what about Exchange Management Console? How to log these steps done via Exchange Console?

    Transcript is a great function, but only for EMS.

    Thanks a lot!
    Jan
    • Edited by Jan Matejka Thursday, February 25, 2010 7:30 AM extend
    Thursday, February 25, 2010 7:23 AM
  • So far as I know, Start-Transcript can be the only way to do the job. In Exchange 2010, there is a new feature called administrator audit logging to meet the goal:

    http://technet.microsoft.com/en-us/library/dd335052.aspx

    Thanks,
    Elvis
    Monday, March 1, 2010 7:08 AM
  • Hello and thank you. This way is not convenient for me. When an admin runs the PowerShell console on a PC, I cannot audit these events.

    I have got this whitepaper:
    http://technet.microsoft.com/en-us/library/ee331009(EXCHG.80).aspx

    I hope this helps me:-)
    Thanks
    Jan
    Monday, March 1, 2010 11:42 AM