Search the role group changes or administrator audit logs

You can search the administrator audit logs to discover who made changes to organization, server, and recipient configuration. This can be helpful when you're trying to track the cause of unexpected behavior, to identify a malicious administrator, or to verify that compliance requirements are being met. For more information about administrator audit logging, see Administrator audit logging.

If you want to search the mailbox audit log, see Mailbox Audit Logging.

Tip

In Exchange Online, you can use the EAC to view entries in the administrator audit log. For more information, see View the administrator audit log.

What do you need to know before you begin?

  • Estimated time to complete each procedure: less than 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

  • Administrator audit logging is enabled by default. To verify that it's enabled, run the following command:

    Get-AdminAuditLogConfig | FL AdminAuditLogEnabled
    

    A value of True indicates that administrator audit logging is enabled. A value of False indicates that it's disabled. Because anyone with the rights to change this setting can also turn logging off, treat an unexpected False as something to investigate, not only as a configuration gap. If you need to enable administrator audit logging for an on-premises Exchange organization, run the following command:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
    

    Note

    The Set-AdminAuditLogConfig cmdlet isn't available in Exchange Online.

    For more information, see Configure Administrator Audit Logging.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
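The following script is added here as an example; it is not code from this page or from Microsoft's documentation. It goes one step beyond the AdminAuditLogEnabled check above: it inspects the whole Get-AdminAuditLogConfig output for the ways an administrator could quietly weaken logging (disabling it, narrowing the cmdlet or parameter scope, excluding cmdlets, or shortening retention), and then asks the audit log itself who last ran Set-AdminAuditLogConfig. It assumes an on-premises Exchange Management Shell; the 90-day retention threshold is an assumed policy value.

```powershell
# Added example, not from the original page. Checks whether the administrator
# audit log configuration has been weakened, then looks up who changed it.
# Assumes an on-premises Exchange Management Shell.

$config = Get-AdminAuditLogConfig
$findings = @()

if (-not $config.AdminAuditLogEnabled) {
    $findings += 'Administrator audit logging is DISABLED.'
}

# The default scope is "*" for both cmdlets and parameters, i.e. everything is
# logged. Any narrower value means some configuration changes are not recorded.
if (@($config.AdminAuditLogCmdlets) -notcontains '*') {
    $findings += "Cmdlet scope narrowed to: $($config.AdminAuditLogCmdlets -join ', ')"
}
if (@($config.AdminAuditLogParameters) -notcontains '*') {
    $findings += "Parameter scope narrowed to: $($config.AdminAuditLogParameters -join ', ')"
}
if (@($config.AdminAuditLogExcludedCmdlets).Count -gt 0) {
    $findings += "Excluded cmdlets: $($config.AdminAuditLogExcludedCmdlets -join ', ')"
}

# Assumed policy value: entries younger than this must still be available.
# A much shorter age limit lets evidence expire before anyone looks at it.
$minimumDays = 90
$ageLimit = [TimeSpan]"$($config.AdminAuditLogAgeLimit)"   # EnhancedTimeSpan -> TimeSpan via its d.hh:mm:ss string
if ($ageLimit.TotalDays -lt $minimumDays) {
    $findings += "Age limit is $ageLimit, below the required $minimumDays days."
}

if ($findings.Count -eq 0) {
    Write-Output 'Administrator audit logging configuration looks intact.'
} else {
    Write-Warning 'Administrator audit logging has been weakened:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}

# Who changed it? Changes to the audit configuration are made with
# Set-AdminAuditLogConfig, which is itself a logged cmdlet.
Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig `
    -StartDate (Get-Date).AddDays(-$minimumDays) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, Succeeded,
        @{ Name = 'Parameters'
           Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }
```

Run it from the Exchange Management Shell with an account that holds at least the view-only administrator audit logging permission described above. If logging was already disabled when the change was made, there may be no entry to find, which is itself worth noting in an investigation.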

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

What do you want to do?

Use the EAC to run the management role group changes report

If you want to know what changes to management role group membership have been made to role groups in your organization, you can use the Administrator Role Group report in the Exchange admin center (EAC). Using the Administrator Role Group report, you can view a list of role groups that have changed during a specified date range. You can also select the specific role groups you want to view changes for.

  1. In the EAC, select Compliance management > Auditing, and then click Run an administrator role group report.

  2. Select a date range using the Start date and End date fields.

  3. Click Select role groups, and then select the role groups you want to show changes for, or leave this field blank to search for changes in all role groups.

  4. Click Search.

If any changes are found using the criteria you specified, a list of changes is displayed in the results pane. Clicking a role group displays the changes to the role group in the details pane.

Use the EAC to export the administrator audit log

If you want to create an XML file that contains changes made to your organization, you can use the Export Administrator Audit Log report in the EAC. Using the Export Administrator Audit Log report, you can specify a date range to search for audit log entries that contain changes made by users you specify. The XML file is then sent to a recipient as an email attachment. The maximum size of the XML file is 10 megabytes (MB). Because the report is a record of administrative actions, send it to a mailbox that the administrators under review cannot read.

Note

Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed in Outlook Web App, or you can use another email client, such as Microsoft Outlook, to view the attachment. For information about how to configure Outlook Web App to let you view an XML attachment, see View or configure Outlook Web App virtual directories.

  1. In the EAC, select Compliance management > Auditing, and then click Export the administrator audit log.

  2. Select a date range using the Start date and End date fields.

  3. In the Send the auditing report to field, click Select users, and then select the recipient you want to send the report to.

  4. Click Export.

If any log entries are found using the criteria you specified, an XML file is created and sent as an email attachment to the recipient you specified.

Use the Shell to search for audit log entries

You can use the Shell to search for audit log entries that meet the criteria you specify. For a list of search criteria, see Administrator audit logging. This procedure uses the Search-AdminAuditLog cmdlet and displays search results in the Shell. You can use this cmdlet when you need to return a set of results that exceeds the limits defined on the New-AdminAuditLogSearch cmdlet or in the EAC Audit Reporting reports.

If you want to send audit log search results in an email attachment to a recipient, see Use the Shell to search for audit log entries and send results to a recipient later in this topic.

To search the audit log for criteria you specify, use the following syntax.

Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>

Note

The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries, or use the value Unlimited to return all entries. Date values are interpreted using the short date format of the regional settings on the computer where you run the command; the examples below use the US month/day/year order.

This example performs a search for all audit log entries with the following criteria:

  • Start date 08/04/2012

  • End date 10/03/2012

  • User IDs davids, chrisd, kima

  • Cmdlets Set-Mailbox

  • Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 08/04/2012 -EndDate 10/03/2012 -UserIds davids, chrisd, kima

This example searches for changes made to a specific mailbox. This is useful if you're troubleshooting or you need to provide information for an investigation. The following criteria are used:

  • Start date 05/01/2012

  • End date 10/03/2012

  • Object ID contoso.com/Users/DavidS

Search-AdminAuditLog -StartDate 05/01/2012 -EndDate 10/03/2012 -ObjectIds contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure provided in Use the Shell to search for audit log entries and send results to a recipient later in this topic. The procedure in that section sends an XML file as an email attachment to the recipients you specify, enabling you to more easily extract the data you're interested in.

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries

The Search-AdminAuditLog cmdlet returns the fields described in the "Audit log contents" section of Administrator audit logging. Of the fields returned by the cmdlet, two fields, CmdletParameters and ModifiedProperties, contain additional information that isn't viewable by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps. Or, you can use the procedure in Use the Shell to search for audit log entries and send results to a recipient later in this topic to create an XML file.

This procedure uses the following concepts:

  1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in a variable using the following command.

    $Results = Search-AdminAuditLog <search criteria>
    
  2. Each audit log entry is stored as an array element in the variable $Results. You can select an array element by specifying its array element index. Array element indexes start at zero (0) for the first array element. For example, to retrieve the 5th array element, which has an index of 4, use the following command.

    $Results[4]
    
  3. The previous command returns the log entry stored in array element 4. To see the contents of the CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.

    $Results[4].CmdletParameters
    $Results[4].ModifiedProperties
    
  4. To view the contents of the CmdletParameters or ModifiedProperties fields in another log entry, change the array element index.
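The following script is added here as an example and is not code from this page. It combines the two Shell procedures above (searching with Search-AdminAuditLog, and expanding the CmdletParameters and ModifiedProperties fields): it searches for a set of cmdlets an investigator typically cares about, lifts the 1,000-entry default cap, and flattens every entry into one row so the whole result can be sorted, filtered or exported instead of being inspected one array index at a time. The cmdlet list, the 30-day window and the forwarding-address filter are illustrative choices, not values from the page.

```powershell
# Added example, not from the original page. Searches the administrator audit
# log for high-impact cmdlets and flattens each entry, including the
# CmdletParameters and ModifiedProperties collections that the default view
# hides, into one row per entry. Assumes the Exchange Management Shell.

$startDate = (Get-Date).AddDays(-30)   # illustrative window
$endDate   = Get-Date

# Illustrative list: cmdlets that change who holds admin rights, what a
# mailbox does with its mail, or whether auditing stays on.
$watchedCmdlets = @(
    'Add-RoleGroupMember', 'Remove-RoleGroupMember', 'New-ManagementRoleAssignment',
    'Set-Mailbox', 'Set-AdminAuditLogConfig'
)

# ResultSize Unlimited: without it the cmdlet stops at 1,000 entries.
$results = Search-AdminAuditLog -Cmdlets $watchedCmdlets `
    -StartDate $startDate -EndDate $endDate -ResultSize Unlimited

function ConvertTo-FlatAuditEntry {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        # Both collections hold Name/Value pairs; join them into readable strings.
        $params = ($Entry.CmdletParameters  | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        $props  = ($Entry.ModifiedProperties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [pscustomobject]@{
            RunDate            = $Entry.RunDate
            Caller             = $Entry.Caller
            Cmdlet             = $Entry.CmdletName
            Object             = $Entry.ObjectModified
            Succeeded          = $Entry.Succeeded
            Parameters         = $params
            ModifiedProperties = $props
        }
    }
}

$flat = $results | ConvertTo-FlatAuditEntry

# Everything, newest first: a quick picture of who changed what.
$flat | Sort-Object RunDate -Descending |
    Format-Table RunDate, Caller, Cmdlet, Object, Succeeded -AutoSize

# Mail forwarding set from the admin side is a common way to siphon a
# mailbox; show those Set-Mailbox calls with their full parameter list.
$flat | Where-Object {
    $_.Cmdlet -eq 'Set-Mailbox' -and $_.Parameters -match 'Forwarding(Smtp)?Address'
} | Format-List

# Keep a copy for the case file.
$flat | Export-Csv -Path .\admin-audit-flat.csv -NoTypeInformation
```

The same flattening works on any Search-AdminAuditLog result, so the function can be reused with the quota or ObjectIds searches shown earlier. If the search returns tens of thousands of entries, prefer the New-AdminAuditLogSearch procedure below, which delivers the data as an XML file instead of holding it all in the session.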

Use the Shell to search for audit log entries and send results to a recipient

You can use the Shell to search for audit log entries that meet the criteria you specify, and then send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within 15 minutes. For a list of search criteria, see Administrator audit logging.

Note

Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed in Outlook Web App, or you can use another email client, such as Microsoft Outlook, to view the attachment. For information about how to configure Outlook Web App to let you view an XML attachment, see View or configure Outlook Web App virtual directories.

To search the audit log for criteria you specify, use the following syntax.

New-AdminAuditLogSearch -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False> -StatusMailRecipients <recipient 1, recipient 2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:

  • Start date 08/04/2012

  • End date 10/03/2012

  • User IDs davids, chrisd, kima

  • Cmdlets Set-Mailbox

  • Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

The command sends the results to the davids@contoso.com SMTP address with "Mailbox limit changes" included in the subject line of the message.

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize -StartDate 08/04/2012 -EndDate 10/03/2012 -UserIds davids, chrisd, kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

Note

The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If the search you perform returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the size of the date range and run multiple reports, each with a portion of the original date range.
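One way to apply the note above, added here as an example rather than code from the page: split the date range into fixed windows and request one New-AdminAuditLogSearch report per window, so that no single XML attachment has to carry the whole range. The search criteria are reused from the example above; the recipient, the window size and the part numbering in the report name are assumptions.

```powershell
# Added example, not from the original page. Requests one audit log report per
# date window so that each XML attachment stays within the 10 MB limit.
# Assumes the Exchange Management Shell; recipient and window size are assumed.

$startDate  = [datetime]'2012-05-01'
$endDate    = [datetime]'2012-10-03'
$windowDays = 14                         # shrink this if a report still exceeds 10 MB
$recipient  = 'davids@contoso.com'       # assumed recipient

$windowStart = $startDate
$part = 1
while ($windowStart -lt $endDate) {
    $windowEnd = $windowStart.AddDays($windowDays)
    if ($windowEnd -gt $endDate) { $windowEnd = $endDate }

    # Same criteria as the single-report example; only the dates and name vary.
    New-AdminAuditLogSearch -Cmdlets Set-Mailbox `
        -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize `
        -StartDate $windowStart -EndDate $windowEnd `
        -StatusMailRecipients $recipient `
        -Name ('Mailbox limit changes part {0}: {1:yyyy-MM-dd} to {2:yyyy-MM-dd}' -f $part, $windowStart, $windowEnd)

    $windowStart = $windowEnd
    $part++
}
```

Each call queues its own search, and the reports arrive as separate messages within about 15 minutes. The part number and date window in the Name make it straightforward to confirm that every window was received and to reassemble the entries in order; an entry stamped exactly on a window boundary may appear in two adjacent reports, so de-duplicate on RunDate and Caller when merging.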

For more information about the format of the XML file, see Administrator Audit Log Structure.

For detailed syntax and parameter information, see New-AdminAuditLogSearch.