Hi Readers,
Writing the information that will guide in enabling auditing for user mailboxes. In Exchange 2010 this is new feature & advantageous in case you want to know who has deleted, moved emails from shared mailbox, delegated mailbox etc.
Some times for Messaging Admins these kinds of requests are quite common in which Security team, HR & Legal requires these details.
- Get the current auditing status for Particular mailbox:
Get-Mailbox “MailboxAlias” | fl aud*
By default Auditing Enabled is False & below screen shot shows default values.
- Set the mailbox auditing for Particular mailbox:
Get-Mailbox “MailboxAlias” | Set-Mailbox -AuditEnabled $true
You can set other values as well by using above command, like age of auditing. Same way you can set various other options & disable auditing as well.
- There can be a situation where system mailboxes accesses mailboxes & those are coming in audit log so those system mailboxes can be by passed by using below command.
Set-MailboxAuditBypassAssociation -Identity “svc_Account” -AuditBypassEnabled $true
you can also check the Auditbypass for the svc account
Get-MailboxAuditBypassAssociation “svc_Account”
- Now how to check these audit logs: you can use ECP for this purpose:
Run Non owner Mailbox access report:
Tech Wizard
Tech Wizard 
Excellent !
Simply a great write-up.
Few days ago, I was reading another informative article at TechNet which I wish to mention here – https://gallery.technet.microsoft.com/Enabling-Exchange-2010-368786d3
Hope, this could help you others.