Skip to main content


Showing posts from September, 2009

Exchange 2007 Folder Audit Log Powershell Gui Version 1.0

One of the cool things about new features when they are introduced in Service packs is it gives us all a lot more ways of seeing whats happening day to day within our Email environments and hopefully gives us some windows into miss and poor configuration problems. The folder access audit logs are cool but buried in the windows event logs can be hard to use to gain the clarity that might be useful. The good thing is with a little bit of powershell, a bit of imagination and some time you can bash together something usefull that will extract that information from the logs, parse (or if your using 2008 xpath). Then group that information into a more usable form and present it back into a Winform so you can interact with it. I've put together actually two scripts to do this the main difference between these scripts is the method they use to access the log. The first script uses WMI to access the Exchange Audit logs (a couple of weeks okay i said this wouldn't work which i was comple

Showing information about a Exchange 2003 user in Powershell

Haven't posted any 2003 scripts for a while so here's one that might be useful especially if your looking at doing a bit of documentation before a migration. There are a few tricks when your using ADSI scripts to get information eg if you want to get the OU check the parent object of the userObject. Or if you want to get the Storage Group use the Parent of the MailStore object. If you want to work out quotas check both the mailstore and the user object. To put this all together into a script that takes the username as a parameter it looks like this I've put a download of this code here . param([String] $samaccountname) $root = [ADSI]'LDAP://RootDSE' $dfDefaultRootPath = "LDAP://" + $root.DefaultNamingContext.tostring() $dfRoot = [ADSI]$dfDefaultRootPath $gfGALQueryFilter = "(&(&(&(& (mailnickname=*)(objectCategory=person)(objectClass=user)(samaccountname=" + $samaccountname + ")))))" $dfsearcher = new-object System.Dire

Getting the Exchange Auditing event logs programmatically

With the release of Exchange 2007 SP2 some great new auditing options are now possible to let you see how and when rights are being used within your exchange environment. More importantly in a serious situation you could use these features to provide some forensic auditing of what was being accessed in your exchange store when some suspicious activity may have happened. The first place to start if your looking at auditing in Exchange 2007 SP2 is to read the very detailed white paper that has been published . In this post I'm going to look at the options for reading the new Exchange Auditing event logs where folder access information is written. The Exchange Auditing logs themselves if your using Windows 2008 use the new evtx event log framework and are stored under the Application and Services Logs group With the new .net 3.5 System.Diagnostics.Eventing.Reader class now allows you to easily parse back the information store
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.