
Configure Exchange Administrator Audit Logging Settings

To audit and report on who made changes to the Exchange servers in your on-premises infrastructure, or to Active Directory via Exchange, configure the Exchange Administrator Audit Logging (AAL) settings as follows:

| Setting | Value | Comment |
| --- | --- | --- |
| AdminAuditLogEnabled | True | Enables audit logging. |
| AdminAuditLogAgeLimit | 30 | Determines how long audit log entries are retained (default is 90 days). |
| AdminAuditLogCmdlets | * | Instructs the program to create a log entry for every cmdlet that runs. |
| LogLevel | Verbose | Sets logging level. |
| ExcludedCmdlets | *-InboxRule, *-MailboxAutoReplyConfiguration, Set-MailboxAuditBypassAssociation, Set-MailboxAutoReplyConfiguration, Set-MailboxCalendarConfiguration, Set-MailboxCalendarFolder, Set-MailboxFolderPermission, Set-MailboxJunkEmailConfiguration, Set-MailboxMessageConfiguration, Set-MailboxRegionalConfiguration, Set-MailboxSpellingConfiguration | This list of exclusions is set up as explained in step 3 of the following procedure. |

To configure these settings manually, use the following procedure.

You can perform this procedure on any of the Exchange servers, and these settings replicate to all Exchange servers in the domain.

To configure Exchange Administrator Audit Logging settings:

Step 1 – On the computer where the monitored Exchange server is installed, navigate to Start → Programs → Exchange Management Shell.

Step 2 – Execute the following command depending on your Exchange version:

  • Exchange 2019, 2016, and 2013

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets * -LogLevel Verbose

  • Exchange 2010

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets *

Step 3 – To reduce server load, you can exclude the cmdlets listed in the preceding table from Exchange logging. To do so:

    1. On the computer where Netwrix 1Secure is installed, browse to the %Netwrix Auditor Server installation folder%/Active Directory Auditing folder, locate the SetAALExcludedCmdlets.ps1 PowerShell script file, and copy it to the Exchange server.

    2. In Exchange Management Shell, run this script using the command line:

      <Path_To_SetAALExcludedCmdlets_File>\SetAALExcludedCmdlets.ps1

    Ensure your policies allow script execution.
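
After the procedure, the applied settings can be read back with Get-AdminAuditLogConfig and compared with the table. The following check is an added example, not part of the Netwrix documentation or its script; Test-AalConfig is a hypothetical helper name, and the sample object at the end is constructed so the logic can be tried outside Exchange Management Shell.

```powershell
# Added example: report where the AAL configuration deviates from the documented values.
function Test-AalConfig {
    param([Parameter(Mandatory = $true)] $Config)
    $findings = @()
    # Exclusions listed in the table; any other excluded cmdlet reduces audit coverage.
    $allowed = '*-InboxRule', '*-MailboxAutoReplyConfiguration',
        'Set-MailboxAuditBypassAssociation', 'Set-MailboxAutoReplyConfiguration',
        'Set-MailboxCalendarConfiguration', 'Set-MailboxCalendarFolder',
        'Set-MailboxFolderPermission', 'Set-MailboxJunkEmailConfiguration',
        'Set-MailboxMessageConfiguration', 'Set-MailboxRegionalConfiguration',
        'Set-MailboxSpellingConfiguration'

    if (-not $Config.AdminAuditLogEnabled) {
        $findings += 'AdminAuditLogEnabled is not True'
    }
    # The age limit is a time span ("30.00:00:00"); parse its string form so the
    # check also works on deserialized objects from a remote session.
    $days = [TimeSpan]::Parse("$($Config.AdminAuditLogAgeLimit)").Days
    if ($days -ne 30) {
        $findings += "AdminAuditLogAgeLimit is $days days, expected 30"
    }
    if (@($Config.AdminAuditLogCmdlets) -notcontains '*') {
        $findings += 'AdminAuditLogCmdlets does not contain *'
    }
    # The Exchange 2010 command does not set LogLevel, so check it only when present.
    if ($Config.PSObject.Properties['LogLevel'] -and "$($Config.LogLevel)" -ne 'Verbose') {
        $findings += "LogLevel is $($Config.LogLevel), expected Verbose"
    }
    foreach ($c in @($Config.AdminAuditLogExcludedCmdlets)) {
        if ($c -and $allowed -notcontains $c) {
            $findings += "Unexpected excluded cmdlet: $c"
        }
    }
    return $findings
}

if (Get-Command Get-AdminAuditLogConfig -ErrorAction SilentlyContinue) {
    $cfg = Get-AdminAuditLogConfig          # live configuration in Exchange Management Shell
} else {
    $cfg = New-Object PSObject -Property @{ # constructed sample: logging narrowed
        AdminAuditLogEnabled         = $true
        AdminAuditLogAgeLimit        = '7.00:00:00'
        AdminAuditLogCmdlets         = @('Set-Mailbox')
        LogLevel                     = 'None'
        AdminAuditLogExcludedCmdlets = @('*-InboxRule', 'Set-AdminAuditLogConfig')
    }
}
$result = @(Test-AalConfig -Config $cfg)
if ($result.Count -eq 0) { 'AAL settings match the documented values.' } else { $result }
```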