Exchange 2010 Discovery Search Audit

dhumes0524 used Ask the Experts™
Hello, I am looking at some kind of possible breach in our Exchange environment. We have multi-mailbox search disabled for all users (we are only licensed for Standard). I know this was correct and verified 2 weeks ago. Today, I went in and looked and see that a generic administrator account that we have has been added to the Discovery Management role to allow mailbox searches. I didn't do this.
What kind of audit log checking should I do to see who enabled this role for this administrator account, and if they performed any mailbox searches?

Please take a look at this link:

All commands on Exchange can be logged. Let's hope you have auditing enabled.


I have auditing enabled, but I am wondering if I always did... although I never specifically turned it on myself. I implemented my Exch. 2010 environment in December, but none of the changes done during initial setup show up in my auditing logs (regarding assigning roles to users). The earliest entry in my audit log is February, so maybe the auditing wasn't turned on until then. Either way, thanks for the response. I will read through it all and see if I can find anything else.
Auditing is automatically enabled at installation time from SP1, but SP2 has already been available for one year now. I doubt that you have not installed SP2 at installation time.
One option is that the logs have exceeded max size and the oldest entries are deleted.
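
The checks asked about in this thread, as an added example that is not part of the original posts or written by any participant. It runs in the Exchange Management Shell on Exchange 2010 SP1 or later; the 30-day window and the variable names are assumptions.

```powershell
# Added example: review the admin audit log for the role change and any
# discovery searches. The look-back window is an assumption; widen as needed.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# 1. Confirm logging is on and how long entries are kept. An age limit shorter
#    than the install date explains why early setup changes are missing.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogAgeLimit

# Flatten each entry's parameter collection into one readable column.
$view = @(
    'RunDate', 'Caller', 'CmdletName', 'ObjectModified', 'Succeeded',
    @{ Name = 'Parameters'; Expression = {
        ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } }
)

# 2. Who touched role group membership or role assignments?
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets Add-RoleGroupMember, Update-RoleGroupMember, New-ManagementRoleAssignment |
    Where-Object {
        $_.ObjectModified -like '*Discovery Management*' -or
        ($_.CmdletParameters | Where-Object { $_.Value -like '*Discovery*' })
    } |
    Sort-Object RunDate |
    Select-Object $view |
    Format-List

# 3. Were any multi-mailbox searches created, changed, started, or removed?
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets New-MailboxSearch, Set-MailboxSearch, Start-MailboxSearch,
             Remove-MailboxSearch, Search-Mailbox |
    Sort-Object RunDate |
    Select-Object $view |
    Format-List

# 4. List discovery searches that still exist, in case the log has aged out.
Get-MailboxSearch | Format-List
```

The Caller field in steps 2 and 3 identifies the account that ran each cmdlet. Membership changes made directly to the Discovery Management security group in Active Directory do not pass through Exchange cmdlets, so they will not appear in this log and have to be traced through domain controller auditing instead.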
