Any PowerShell experts kicking about?
I need/want to retrieve an 'access log' against a specific mailbox for the last 30 days.
Can I?
How would I?
Any PowerShell experts kicking about?
I need/want to retrieve an 'access log' against a specific mailbox for the last 30 days.
Can I?
How would I?
Actual mailbox access? For Exchange 2003 that's recorded as event ID 1009 in the Application event log.
Our mail server has a max size Application event log of 100MB and it only contains a max of two days worth of events....
For actual AD account logons, the LastLogonTimestamp is the least unreliable, but it can still take up to 30 days depending on the DC, replication times, and what type of logon it was. That's also just one timestamp attribute for a user - it's not an access log. Domain controller event logs might be your best bet, but they're nothing to do with mailboxes & the logs only last so long, just a few hours on weekdays on our servers.
For OWA logons, the IIS event logs are excellent and do include usernames, and probably don't include (many?) false positives. OWA is also used for the SSL proxy feature of Outlook, which might be useful depending on your particular environment.
Last edited by smargh; 25-10-2011 at 08:48 PM.
LastLogon is a single field entry and does exactly what it says, get's the last logon attempt, successful or not. Without auditing turned on you're a little stuck.
However, you can use;
Get-LogonStatistics -Identity <LogonableObjectIdParameter> [-DomainController <Fqdn>]
from within EMS to pull some figures which will help you build up a picture. It has to be run on every domain controller in the organisation though to capture all events.
There are currently 1 users browsing this thread. (0 members and 1 guests)