Reputation: 184
Who last modified a mailbox Exchange 2010 (PowerShell)
I'm looking to retrieve a list of ALL user mailboxes and show who last modified the mailbox in question - at the moment I've got my basic components in the form of:
$mailbox | % {Search-AdminAuditLog | Where-Object {ObjectModified -eq $_.identity} | Select-Object -First 1 -Property CmdLetName,Caller,RunDate | Out-file "C:\tmp\$_.mailbox"}
where $mailbox contains a list of mailboxes I want to process:
$mailbox = GET-MAILBOXSERVER | Get-Mailbox -ResultSize Unlimited
If I run (separately):
$mailbox | select Identity
I get the expected identities, e.g.
testdomain.local/Users/Administrator
in the format I'd expect to be able to pass to my search:
Search-AdminAuditLog | Where-Object {$_.ObjectModified -eq "testdomain.local/Users/Administrator"} | Select-Object -First 1 -Property CmdLetName,Caller,RunDate
(which, stand alone, runs just fine). So I'm unclear why, when I pipe my input from $mailbox I don't get any results at all?
Upvotes: 0
Views: 2984
Answers (1)
Reputation: 1863
Running your code works for me
Search-AdminAuditLog | Where-Object {$_.ObjectModified -eq "My object path"} | Select-Object -First 1 -Property CmdLetName,Caller,RunDate
The first line you wrote that contains:
{$_.ObjectModified -eq $_.identity}
I dont think this will work because you are trying to reference properties from 2 different pipeline objects. I am pretty sure $_ represents the output of the cmdlet to the left of the last pipeline character. Unless you are searching for users that have modified themselves.
Running a few tests here I have noticed that some data is missing from my auditlogs. Only seems to go back a week or so.
Further reading shows that just calling Search-AdminAuditLog will return the last 1000 log entries. You might need to increase this Search-AdminAuditLog -ResultSize 9000
Also the code you are using is searching for users that have modified the administrator accounts mailbox. Are you sure you aren't trying to search for email accounts that the administrator has modified? because that will be:
Search-AdminAuditLog -ResultSize 9000 | Where-Object {$_.Caller -eq "testdomain.local/Users/Administrator"} | Select-Object -Property CmdLetName,ObjectModified,RunDate
Adding search parameters to Search-AdminAuditLog will improve the performance, For instance if you are looking for specific actions:
Search-AdminAuditLog -Cmdlets Add-MailboxPermission
Or a start and end date
Search-AdminAuditLog -StartDate "4/6/2015 12:00:00 AM" -EndDate 4/6/2015 11:20:00 AM"
EDIT Can you try without running it all through the pipe line?
$Adminlog = Search-AdminAuditLog
Foreach ($Mailbox in $Mailboxes)
{ $Adminlog | Where-Object {$_.ObjectModified -eq $Mailbox.Identity}}
I think it might be a limitation with pipeline you are basically trying to compare 2 lists
Upvotes: 1
Related Questions
- Create csv file of all disabled AD users with mailboxes Output information from multiple cmdlets in powershell
- Identify all users with "full access" and "send on behalf" access to each shared mailbox where the user is disabled
- exchange powershell : finding the active directory office property
- How to get current and archive mailbox sizes from Powershell?
- Passing a variable to the end of the command
- Powershell Exchange mailbox report
- Get SMTP address from a list of Names (Exchange 2013 powershell)
- Exchange 2007 search message log for a list of wildcard domains?
- Powershell - Search Exchange mailbox and emails