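# MSExchange.org - Mailbox Audit Async
# Author: Andy Grogan
# Version: 1.22 (reviewed and hardened)
#
# This script will:
#
#  * Enable Mailbox Auditing for Mailboxes within a particular OU
#  * Run (e.g. twice daily from a scheduled task) Audit Async Reports to a dedicated mailbox
#  * Extract the Audit attachments from the Mailbox (these are XML files) to a specific location
#  * Format the XML files into HTML for reference
#  * Clean the Mailbox down
#  * Archive old XML files
#
# Security notes for operators:
#  * The audit mailbox is an ingestion point: every attachment on every unread message in its
#    Inbox is saved to disk and parsed. Restrict who may deliver to it (accepted senders /
#    transport rule) and ACL $AuditFolder to auditors only - the reports contain account SIDs,
#    client IP addresses and message subjects.
#  * Values written into the HTML reports (subjects, client strings, display names) are
#    attacker-influenceable, so they are HTML-encoded before being written.
#  * XML is loaded with DTD processing and external entity resolution disabled (XXE hardening).

# PSSnapins - the Quest ActiveRoles snap-in is no longer needed: mailboxes are enumerated with
# the native Get-Mailbox -OrganizationalUnit, which accepts the same "domain/OU" canonical path.
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop
}

# Globals - Script
# Fail loudly. With 'SilentlyContinue' a failed Set-Mailbox or audit search left an unnoticed
# audit gap; individual best-effort steps below catch and report their own errors instead.
$ErrorActionPreference = 'Stop'

# Globals - Paths
$AuditMailbox = "Mailbox.Audit@prepad.local"    # SMTP address of the Audit Mailbox to receive reports
$AuditFolder  = "x:\Audits"                     # Path on server where the XML files will be extracted to
$ArchivePath  = "x:\Audits\Archive"             # Path to archived XML files
$OUPath       = "prepad.local/AuditedMailboxes" # OU to review (canonical form) - should contain the audited mailboxes
$OLKProfile   = "Audit"                         # Outlook profile for the Audit Mailbox - no spaces in profile name!

# Globals - Functionality
$EmptyDeletedItemsAfterProcessing = $true       # Empty the Deleted Items folder when the script has completed ($true/$false)
# Logon types requested from New-MailboxAuditLogSearch. Kept as an array so the multivalued
# -LogonTypes parameter receives three values rather than one comma-joined string.
$AccessTypes = @("Owner", "Delegate", "Admin")

# Begin HTML Construction Code

# Escape a value for safe inclusion in HTML text/attribute context. Returns '' for $null.
function ConvertTo-HtmlEncoded {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return '' }
    return $Text.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;').Replace('"', '&quot;').Replace("'", '&#39;')
}

# Append a line to a report file. UTF-8 is used consistently so non-ASCII subjects survive
# and match the charset declared in the <head>.
function Add-ReportLine {
    param([string]$Path, [string]$Line)
    Add-Content -Path $Path -Value $Line -Encoding UTF8
}

# Write the HTML preamble (head, minimal CSS, report heading) to $fileName.
Function writeHeader {
    param($fileName)
    $title = ConvertTo-HtmlEncoded $fileName
    Add-ReportLine $fileName '<html>'
    Add-ReportLine $fileName '<head>'
    Add-ReportLine $fileName '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'
    Add-ReportLine $fileName '<title>Audited Mailbox Report</title>'
    Add-ReportLine $fileName '<style type="text/css">body{font-family:Arial,sans-serif;font-size:10pt} table{border-collapse:collapse} th,td{border:1px solid #999;padding:3px;vertical-align:top} th{background:#e0e0e0}</style>'
    Add-ReportLine $fileName '</head>'
    Add-ReportLine $fileName '<body>'
    Add-ReportLine $fileName "<h2>Audited Mailbox Report for - $title</h2>"
}

# Write the closing footer. The original linked an MSExchange.org logo image; its URL was not
# recoverable here and a remote image in an internal audit report would also leak report views,
# so only the attribution text is kept.
Function WriteFooter {
    Param($fileName)
    $stamp = ConvertTo-HtmlEncoded (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
    Add-ReportLine $fileName "<p>Generated by MSExchange.org's Mailbox Audit Script on $stamp</p>"
    Add-ReportLine $fileName '</body>'
    Add-ReportLine $fileName '</html>'
}
# End HTML Code

# Return the mailboxes under $OUPath (including child OUs). Using Get-Mailbox rather than an
# AD user query means every returned object really has a mailbox, so the later
# Get-Mailbox/Set-Mailbox calls cannot silently miss a user without one.
function returnUsers {
    return @(Get-Mailbox -OrganizationalUnit $OUPath -ResultSize Unlimited)
}

# Ensure mailbox auditing is switched on for every mailbox in the OU.
# NOTE(review): -AuditEnabled alone leaves the per-logon-type action sets (AuditOwner /
# AuditDelegate / AuditAdmin) at Exchange's defaults - confirm they cover the operations you
# expect to see for the logon types in $AccessTypes.
function get_OU_CheckAudit {
    foreach ($Mbx in returnUsers) {
        if ($Mbx.AuditEnabled -eq $true) {
            Write-Host "Audit is enabled for Mailbox: $($Mbx.Identity)" -ForegroundColor Green
        } else {
            Write-Host "Audit is NOT enabled for Mailbox: $($Mbx.Identity)" -ForegroundColor Red
            Write-Host "Enabling Audit on Mailbox: $($Mbx.Identity)" -ForegroundColor Cyan
            try {
                Set-Mailbox -Identity $Mbx.Identity -AuditEnabled $true
            } catch {
                # Reported rather than swallowed: an unaudited mailbox is the condition this script exists to prevent.
                Write-Warning "Failed to enable auditing on '$($Mbx.Identity)': $_"
            }
        }
    }
}

# Request an asynchronous audit log search per mailbox; Exchange mails the XML result to
# $AuditMailbox. Dates are passed as [DateTime] objects - the previous dd/MM/yyyy strings were
# re-parsed under the server's culture and could be misread on en-US systems.
function gen_AuditXMLFiles {
    $StartDate = (Get-Date).AddDays(-1)
    $EndDate   = (Get-Date).AddDays(1)
    foreach ($Mbx in returnUsers) {
        try {
            New-MailboxAuditLogSearch -Mailboxes $Mbx.Identity -LogonTypes $AccessTypes `
                -StartDate $StartDate -EndDate $EndDate `
                -StatusMailRecipients $AuditMailbox -ShowDetails | Out-Null
        } catch {
            Write-Warning "Audit log search request failed for '$($Mbx.Identity)': $_"
        }
    }
}

# Permanently delete everything in the profile's default Deleted Items folder.
# $Namespace is an Outlook MAPI namespace; one is created if not supplied (original behaviour).
function empty_DeletedItems {
    param($Namespace)
    Write-Host "Invoking: Empty Deleted Items" -ForegroundColor Blue
    Start-Sleep -Seconds 10
    if ($Namespace -eq $null) {
        $Outlook   = New-Object -ComObject Outlook.Application
        $Namespace = $Outlook.GetNameSpace('MAPI')
    }
    $olFolderDeletedItems = 3
    $deleted = $Namespace.GetDefaultFolder($olFolderDeletedItems)
    # Iterate by index from the end: deleting while enumerating a live Items collection skips
    # every other item (the original foreach left roughly half the folder behind).
    for ($i = $deleted.Items.Count; $i -ge 1; $i--) {
        try { $deleted.Items.Item($i).Delete() } catch { Write-Warning "Could not purge deleted item #$i : $_" }
    }
}

# Pull XML report attachments out of the audit mailbox's Inbox via Outlook automation.
# Only .xml attachments are saved (anything else that reaches this mailbox is logged and
# skipped); processed messages are marked read and deleted so they are not re-ingested.
function perform_MailboxQuery {
    $ChkOutlook = Get-Process -Name "OUTLOOK" -ErrorAction SilentlyContinue
    if ($ChkOutlook -eq $null) {
        Start-Process "Outlook.exe" -ArgumentList "/safe /profile $OLKProfile"
        Start-Sleep -Seconds 10
    } else {
        Write-Host "OUTLOOK is running" -ForegroundColor Green
    }
    if (-not (Test-Path $AuditFolder)) {
        New-Item $AuditFolder -ItemType Directory | Out-Null
    }

    $Outlook   = New-Object -ComObject Outlook.Application
    $Namespace = $Outlook.GetNameSpace('MAPI')
    $olFolderInbox = 6
    $inboxFolder = $Namespace.GetDefaultFolder($olFolderInbox)

    # Sequence number keeps filenames unique within one second; the original 'hh' (12-hour)
    # timestamp also let an AM and a PM run overwrite each other.
    $seq = 0
    $unread = @($inboxFolder.Items.Restrict("[Unread]=true"))   # snapshot, not the live collection
    while ($unread.Count -gt 0) {
        foreach ($MailItem in $unread) {
            foreach ($attachment in $MailItem.Attachments) {
                if ([System.IO.Path]::GetExtension($attachment.FileName) -ne '.xml') {
                    Write-Warning "Skipping non-XML attachment '$($attachment.FileName)' on message '$($MailItem.Subject)'"
                    continue
                }
                $seq++
                $XMLfile = "{0}_{1:D4}.xml" -f (Get-Date -Format 'yyyy_MM_dd_HH_mm_ss'), $seq
                # Join-Path replaces the original "$AuditFolder\$XMLfile " which carried a trailing space.
                $attachment.SaveAsFile((Join-Path $AuditFolder $XMLfile))
            }
            $MailItem.Unread = $false
            $MailItem.Delete()
        }
        # Re-query: new reports may have arrived while the batch was processed.
        $unread = @($inboxFolder.Items.Restrict("[Unread]=true"))
    }

    if ($EmptyDeletedItemsAfterProcessing -eq $true) {
        empty_DeletedItems $Namespace
    }

    Start-Sleep -Seconds 7
    # Note: this stops every OUTLOOK process on the host, not only the one started above.
    Stop-Process -Name "OUTLOOK" -ErrorAction SilentlyContinue
}

# Move processed XML files into $ArchivePath (created if missing). An existing file of the
# same name in the archive is reported, not overwritten.
function manage_XMLPostProcessing {
    if (-not (Test-Path $ArchivePath)) {
        New-Item $ArchivePath -ItemType Directory | Out-Null
    }
    foreach ($xFile in Get-ChildItem -Path $AuditFolder -Filter *.xml) {
        Write-Host $xFile.FullName
        try {
            Move-Item -Path $xFile.FullName -Destination $ArchivePath
        } catch {
            Write-Warning "Could not archive '$($xFile.FullName)': $_"
        }
    }
}

# Parse each SearchResults XML file and render it as an HTML table next to it ("<name>.xml.html").
function format_XMLTOHTML {
    # Column heading -> Event attribute, in report order.
    $columns = @(
        @{ Header = 'Original Server';     Attr = 'OriginatingServer' },
        @{ Header = 'Source Account SID';  Attr = 'LogonUserSid' },
        @{ Header = 'Source Display Name'; Attr = 'LogonUserDisplayName' },
        @{ Header = 'Mailbox Owner';       Attr = 'MailboxOwnerUPN' },
        @{ Header = 'Client';              Attr = 'ClientProcessName' },
        @{ Header = 'Client Protocol';     Attr = 'ClientInfoString' },
        @{ Header = 'Specific Folder';     Attr = 'FolderPathName' },
        @{ Header = 'Logon Type';          Attr = 'LogonType' },
        @{ Header = 'Operation Type';      Attr = 'Operation' },
        @{ Header = 'Result';              Attr = 'OperationResult' },
        @{ Header = 'Source IP Address';   Attr = 'ClientIPAddress' },
        @{ Header = 'Last Accessed';       Attr = 'LastAccessed' }
    )

    foreach ($xFile in Get-ChildItem -Path $AuditFolder -Filter *.xml) {
        $fileName = "$($xFile.FullName).html"
        Write-Host "XML File: $($xFile.FullName)" -ForegroundColor White

        # Harden the parser: the file came in as a mail attachment, so treat it as untrusted.
        # ProhibitDtd exists on .NET 2.0+ and still maps to DtdProcessing=Prohibit on 4.x.
        $settings = New-Object System.Xml.XmlReaderSettings
        $settings.ProhibitDtd = $true
        $settings.XmlResolver = $null
        $xd = New-Object System.Xml.XmlDocument
        $xd.XmlResolver = $null
        $reader = $null
        try {
            $reader = [System.Xml.XmlReader]::Create($xFile.FullName, $settings)
            $xd.Load($reader)
        } catch {
            Write-Warning "Skipping unparseable XML '$($xFile.FullName)': $_"
            continue
        } finally {
            if ($reader -ne $null) { $reader.Close() }
        }

        # Add-Content appends; start from a clean file so a re-run does not duplicate the report.
        if (Test-Path $fileName) { Remove-Item $fileName }
        writeHeader $fileName

        Add-ReportLine $fileName '<table>'
        Add-ReportLine $fileName '<tr>'
        foreach ($c in $columns) { Add-ReportLine $fileName "<th>$($c.Header)</th>" }
        Add-ReportLine $fileName '<th>Items</th>'
        Add-ReportLine $fileName '</tr>'

        foreach ($nd in $xd.SelectNodes("/SearchResults/Event")) {
            Add-ReportLine $fileName '<tr>'
            foreach ($c in $columns) {
                $value = ConvertTo-HtmlEncoded $nd.GetAttribute($c.Attr)
                Add-ReportLine $fileName "<td>$value</td>"
            }
            Add-ReportLine $fileName '<td><table>'
            $items = @($nd.SourceItems.Item)
            if ($items.Count -eq 0) {
                Add-ReportLine $fileName '<tr><td>No associated item(s)</td></tr>'
            } else {
                foreach ($itm in $items) {
                    $ItemSub = $itm.Subject
                    $IfP     = $itm.FolderPathName
                    if ([string]::IsNullOrEmpty($ItemSub)) {
                        # Previously this branch fell through and also emitted an empty "path : " row.
                        Add-ReportLine $fileName '<tr><td>No associated item(s)</td></tr>'
                    } else {
                        Add-ReportLine $fileName "<tr><td>$(ConvertTo-HtmlEncoded $IfP) : $(ConvertTo-HtmlEncoded $ItemSub)</td></tr>"
                    }
                }
            }
            Add-ReportLine $fileName '</table></td>'
            Add-ReportLine $fileName '</tr>'
        }

        Add-ReportLine $fileName '</table>'
        WriteFooter $fileName
    }
}

get_OU_CheckAudit
gen_AuditXMLFiles
perform_MailboxQuery
format_XMLTOHTML
manage_XMLPostProcessing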