Share via

Exchange Auditing and Quarantine question

sgtDaniele 0 Reputation points
2024-12-04T11:28:50.3566667+00:00

Hello everyone ,

first of all I am sorry if this has been answered before but I really could not find the answer or

similar topic.

I have a big issue that persists over some years but I left it because I did not need that functionality,

but know I really need it.

I have 4 Exchange server 2016 , with more than 5000 users. And I live in a country where people have multiple nationality.

I have all servers set up to the last CU and SU .

The Problem is as following :

I needed to set up the audit on Exchange , and sadly it does not work like intended . If you put in a parameter you get an empty answer . If you put in the Command Search-AdminAuditLog whitout parameter it is working to an extend.

So I researched this issue and saw that a fix is there with a CU , but this didnt solve the problem as I was up to date. So I had to do the recommended work around , with the regional settings.

https://learn.microsoft.com/en-us/exchange/troubleshoot/compliance/search-adminauditlog-mailboxauditlog-return-no-result

With this the admin audit search worked but I got another big problem with this. And this issue I could not see it at any other place documented.

The Users on the several Exchange servers got put their mailbox into Quarantine (not all users).

So when an user send an email to an person that was affected got an reply that the message could not be delivered, because the inbox is in quarantine. Upon further investigation I found out that the users had a common setting in the regional / local settings EN-150 .

Taking an user out of it , makes him go in after a while automatically.

And I had to revert the changes I did with the configuration of the regional settings on the servers , so that the users do not get quarantined anymore.

But now I still cannot do any audit search.

So I desperately need help in this regard if possible please.

Thanks a lot in Advance

Best Regards

Exchange | Exchange Server | Other
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-12-05T09:36:25.7566667+00:00

    Hi, @sgtDaniele

    It sounds like you're dealing with a complex issue involving Exchange audit logs and user mailboxes being quarantined due to locale.

    Here are some suggestions:

    1. Make sure that the CU you are applying is the latest CU for your version of Exchange. Sometimes, CUs may not be applied correctly, so double-check the installation logs.
    2. Consider using the Search-UnifiedAuditLog command as an alternative, as it may provide more consistent results.
    3. When the mailbox enters quarantine, check the event logs and Exchange logs for any specific errors or warnings.
    4. Make sure there is no group policy to force the locale to be changed to "EN-150". Check that the user profile contains the "EN-150" setting. Sometimes, settings in the registry can cause the locale to be automatically restored.
    5. If none of the above methods resolve the issue, it is recommended to contact the Microsoft support team to provide them with more comprehensive logs. Find Microsoft 365 for business support phone numbers by country or region - Microsoft 365 admin | Microsoft Learn

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.