文章共计 2483 个字,阅读完成需要 7 分钟

Exchange online管理员Powershell查询用户操作痕迹

#管理员后台#命令行#客户端配置#Powershell命令
junan 发布于 2024-11-13 / 57 阅读 / 0 评论 / 0 点赞
参考文档地址:https://learn.microsoft.com/zh-cn/microsoft-365/troubleshoot/audit-logs/mailbox-audit-logs 安装模块(已安装可以跳过此步骤) Set-ExecutionPolicy RemoteSigned In

参考文档地址:https://learn.microsoft.com/zh-cn/microsoft-365/troubleshoot/audit-logs/mailbox-audit-logs

安装模块(已安装可以跳过此步骤)

Set-ExecutionPolicy RemoteSigned
Install-Module -Name ExchangeOnlineManagement

连接365

connect-exchangeonline

复制查询代码

param ([PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
[string]$Mailbox,
[PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
[string]$StartDate,
[PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
[string]$EndDate,
[PARAMETER(Mandatory=$FALSE,ValueFromPipeline=$FALSE)]
[string]$Subject,
[PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
[switch]$IncludeFolderBind,
[PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
[switch]$ReturnObject)
BEGIN {
  [string[]]$LogParameters = @('Operation', 'LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')
  }
  END {
    if ($ReturnObject)
    {return $SearchResults}
    elseif ($SearchResults.count -gt 0)
    {
    $Date = get-date -Format yyMMdd_HHmmss
    $OutFileName = "AuditLogResults$Date.csv"
    write-host
    write-host -fore green "Posting results to file: $OutfileName"
    $SearchResults | export-csv $OutFileName -notypeinformation -encoding UTF8
    }
    }
    PROCESS
    {
    write-host -fore green 'Searching Mailbox Audit Logs...'
    $SearchResults = @(search-mailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000)
    write-host -fore green '$($SearchREsults.Count) Total entries Found'
    if (-not $IncludeFolderBind)
    {
    write-host -fore green 'Removing FolderBind operations.'
    $SearchResults = @($SearchResults | ? {$_.Operation -notlike 'FolderBind'})
    write-host -fore green 'Filtered to $($SearchREsults.Count) Entries'
    }
    $SearchResults = @($SearchResults | select ($LogParameters + @{Name='Subject';e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)){$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(' ')}}},
    @{Name='CrossMailboxOp';e={if (@('SendAs','Create','Update') -contains $_.Operation) {'N/A'} else {$_.CrossMailboxOperation}}}))
    $LogParameters = @('Subject') + $LogParameters + @('CrossMailboxOp')
    If ($Subject -ne '' -and $Subject -ne $null)
    {
    write-host -fore green 'Searching for Subject: $Subject'
    $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})
    write-host -fore green 'Filtered to $($SearchREsults.Count) Entries'
    }
    $SearchResults = @($SearchResults | select $LogParameters)
    }

输入账号地址和起始结束日期

在C:\Windows\system32文件夹下打开导出的日志文件查看用户的操作痕迹

上一篇: Foxmail端配置阿里邮箱账号的流程
下一篇: Exchange onlie如何查看数据中心位置
是否对你有帮助?