How do I know who disabled a user in Exchange 2016?

Mohammed Hashim 21 Reputation points

Hello Guys,

I am new to exchange servers can you please guide me what is the correct way to find the activities of administrators in exchange server like disabling/deleting users, deleting emails, taking access of user mailboxes etc..

Is there a way to find it on EAC or should I prefer EMS. Kindly suggest both possibilities which is better.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,485 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Aholic Liang-MSFT 13,826 Reputation points Microsoft Vendor

    Hi @Mohammed Hashim ,

    The administrator's activities can be found in EAC(Click “compliance management- auditing”).
    While we prefer to use the more powerful EMS to search the logs In general.
    We can use the cmdlet search-adminauditlog in Exchange Management Shell to search for the events.

    Below is an example:
    Disable the mailbox named 16user01:
    Search the cmdlets for disable-mailbox:

    Mailbox audit logging can record user actions (for example, accessing, moving or deleting information) that are specified in the login type (administrator, authorised user or owner). If mailbox audit logging isn't enabled(by default it is not enabled) for a mailbox, you won't get any results for it when you search related logs.
    Below is an example:
    Enable mailbox audit logging for liang01:

    Search mailbox audit log and it returns the events that show the administrator accessed liang01's mailbox and sent email:

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    1 person found this answer helpful.