Exchange 2010 Administrator Audit Log – search logs

In the last post we described how to enable the Administrator Audit Log on Exchange 2010:

Exchange 2010 Administrator Audit Log – configuration

 

Now we want to explain how to search the logs or export them.

We can view the logs and export them using:

  • the ECP console
  • the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets

Using the ECP console to search and export logs:

Open the ECP console and follow these steps:

  1. In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
  2. Click Reporting, click Auditing, and then click Export Configuration Changes.
  3. Select a date range using the Start Date and End Date fields.
  4. Select the recipient who should receive the XML file using the Select users to email the audit log to field.
  5. Click Export.
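The same search and export can be done from the Exchange Management Shell with the two cmdlets named above. The script below is an added example, not code from the original post; the 7-day window, the cmdlet list, the CSV path and the recipient address are assumed values to adapt.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2010 SP1 or later).
# Assumed values: 7-day window, cmdlet list, CSV path, recipient address.

$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$cmdlets = 'New-Mailbox', 'Set-ReceiveConnector', 'New-TransportRule', 'Set-TransportRule'

# Nothing is recorded while audit logging is disabled, so check that first.
if (-not (Get-AdminAuditLogConfig).AdminAuditLogEnabled) {
    Write-Warning 'Administrator audit logging is disabled; no new entries are being recorded.'
}

# Interactive search: entries are returned directly to the shell.
$entries = Search-AdminAuditLog -StartDate $start -EndDate $end -Cmdlets $cmdlets -ResultSize 5000

# Flatten each entry to one row; CmdletParameters is a collection of Name/Value pairs.
$rows = $entries | Sort-Object RunDate | ForEach-Object {
    $params = ($_.CmdletParameters | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
    New-Object PSObject -Property @{
        RunDate        = $_.RunDate
        Caller         = $_.Caller
        CmdletName     = $_.CmdletName
        ObjectModified = $_.ObjectModified
        Succeeded      = $_.Succeeded
        Parameters     = $params
    }
}

# Export for review outside the shell (path is an assumption).
$rows | Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, Parameters |
    Export-Csv -Path 'C:\Temp\AdminAudit.csv' -NoTypeInformation

# Summary: how many matching changes each administrator made in the window.
$rows | Group-Object Caller | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Asynchronous search: Exchange runs it in the background and e-mails the
# results to the listed recipient (placeholder address), like the ECP export.
New-AdminAuditLogSearch -Name 'Config changes, last 7 days' -StartDate $start -EndDate $end `
    -Cmdlets $cmdlets -StatusMailRecipients 'auditor@example.com'
```

Search-AdminAuditLog suits quick interactive checks, while New-AdminAuditLogSearch is the shell counterpart of the ECP export and delivers its results by e-mail.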


Exchange 2010 Administrator Audit Log – configuration


If your Exchange organization has more than one administrator, and you sometimes need to know who did what, then you should use the Exchange Administrator Audit Log.

When you enable the Administrator Audit Log, it helps you keep track of the changes made to any Exchange configuration, such as creating a new mailbox, changing receive connectors, transport rules, etc.

This information is quite important when troubleshooting your Exchange environment.

In Microsoft Exchange 2010 RTM, the Administrator Audit Log logged all operations to a mailbox. When you enabled the audit log, you had to use the AdminAuditLogMailbox parameter to specify the mailbox that stores all audit logs.

But with SP1 for Exchange 2010 you don’t need to specify a mailbox anymore.

Now all logs are stored in a hidden, dedicated arbitration mailbox.

To check whether the Administrator Audit Log is enabled, use the following command:

Get-AdminAuditLogConfig | FL

We will receive information about the audit settings like below:
