Recently the head office asked OFFICE365 to open the audit function on all mailboxes. This feature cannot be manipulated through the graphical interface, but only through PowerShell scripting.
Microsoft has provided an official script, but there is a small bug in it.
Https://technet.microsoft.com/en-us/library/dn879651.aspx#step2
When there are multiple user accounts with the same alias, he will be surprised to think that the same name of the account, and can not modify the corresponding several accounts, so it is not recommended to use Get-mailbox | Set-mailbox modifies the data, but manually for the For loop processing.
Another 2 is that Office365 cannot set the default open audit, so all new accounts are not open. Beans can only set a scheduled task, allowing the script to be automatically executed daily to modify the new account settings.
In addition, after the execution, I would like to send a revised account sent me an email notification, and finally windows also wrote me a log for later viewing.
The following is the complete script
#Create a secure string of the your password#read-host -assecurestring | convertfrom-securestring > c:\temp\key.txt#check if o365 session is setup, if not, create a new one$Sessions=Get-PSSessionif ($ sessions.computername -eq "outlook.office365.com") -and ($Sessions .state -ne ' Broken ') { write-host "Detect existing office365 session, skip .." -ForegroundColor Cyan}else{ $username = "[ Email protected] " $secureStringPwd = gc c:\temp\key.txt | ConvertTo-SecureString $creds = New-Object system.management.automation.pscredential -argumentlist $username, $secureStringPwd $ExoSession &NBSP;=&NBSP;NEW-PSSession -configurationname microsoft.exchange -connectionuri https://outlook.office365.com/ powershell-liveid/ -credential $creds -Authentication Basic -AllowRedirection Import-PSSession $ExoSession} #Find mailboxes that haven ' t enabled auditing$users=get-mailbox -Filter {AuditEnabled -eq $false} | select name, alias, auditenabled, auditlogagelimit, distinguishednameforeach ($user in $users) { try{ set-mailbox $ user.distinguishedname -auditenabled $true -AuditLogAgeLimit 365 -AuditOwner create,harddelete,mailboxlogin,movetodeleteditems,softdelete,update -erroraction stop # Create a Windows Eventlog if needed $username = $user. Name write-eventlog -logname ' Application ' -Source ' application ' -eventid 666 -entrytype information -Message "$username maibox auditing is enabled" } catch{ write-eventlog -logname ' Application ' -Source ' application ' -eventid 667 -EntryType Error -Message "$user mailbox auditing is failed to enable "&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;}&NBSP;&NBSP;} #There are two ways to check the resut, event viewer or email#check again if the status is changed $result =foreach ($user in $users) { get-mailbox $user. Name | select name, alias, auditenabled, auditlogagelimit, distinguishedname} #Send email to the admin$from = "[email protected]" $to = "[email Protected] "$smtp = smtp.office365.com" $sub = "Auditing list" $ securestringpwd = gc c:\temp\key.txt | convertto-securestring$creds = new-object system.management.automation.pscredential -argumentlist $username, $ securestringpwd$date=get-date $htmlbody = $result | convertto-html -body " <H1> $date Mailbox Auditing Enabled record </H1> " -cssuri c:\tmp\ table.css send-mailmessage -to $to -From $from -Subject $sub -body ($htmlbody | out-string) -Credential $creds -SmtpServer $smtp -DeliveryNotificationOption never -bodyashtml -usessl -port 587 #Check from Event Viewertry{ $eventcritea = @{logname= ' Application ';id=666} $Events =get-winevent -filterhashtable $eventcritea -ErrorAction Stop ForEach ($Event in $ Events) { $eventXML = [xml] $Event. TOXML () $Event | Add-Member -MemberType NoteProperty -Force -Name information -value $eventXML .event.eventdata.data $Event .information } }catch [system. exception] { "Couldn ' t fine any mailbox auditing logs "} $events | select information, id, Logname, timecreated| out-gridview -title status
Test results
Get the Windows log
650) this.width=650; "src=" https://s1.51cto.com/wyfs02/M01/9E/90/wKiom1mShjLBa8dSAAC8P4ocmk8510.jpg "style=" float : none; "title=" AA. JPG "alt=" Wkiom1mshjlba8dsaac8p4ocmk8510.jpg "/>
Notification of incoming mail
650) this.width=650; "src=" https://s4.51cto.com/wyfs02/M01/9E/7E/wKioL1mShjOQQ0OTAAGkn3iYXIs147.jpg "style=" float : none; "title=" BBB. JPG "alt=" Wkiol1mshjoqq0otaagkn3iyxis147.jpg "/>
After 2 days, make sure the status has changed on the Https://securescore.office.com/#!/score!
650) this.width=650; "src=" https://s2.51cto.com/wyfs02/M00/9E/90/wKiom1mShr6BO1iuAACfH_2vTRM821.jpg "title=" CCCC. JPG "alt=" Wkiom1mshr6bo1iuaacfh_2vtrm821.jpg "/>
This article is from the "Mapo Tofu" blog, please be sure to keep this source http://beanxyz.blog.51cto.com/5570417/1956406
Office365 PowerShell opens the mailbox Audit feature