Exchange Quick Audit: mailboxes created in last 7 days

by Bharat Suneja on June 24, 2008

I remember writing plenty of scripts to report on different things such as user accounts created every week/month, user accounts modified, accounts disabled, etc. for SOX compliance. Some of those scripts used to be rather long, and in hindsight— involved a lot more lines of code than an administrator should have to write. Although I had a lot of fun (and still do… albeit with PowerShell), I would totally understand if you said you never wanted to hear about things like Wscript, VBScript, WSH, COM objects, ADSI, and WMI ever again.

Let’s take a look at how the shell (EMS) makes it so easy.

In this example, we need to get a list of all accounts created in the last 7 days. When a user account is created, its whenCreated attribute gets stamped with the time of creation. Here’s how it can be used:

Get-User -resultsize unlimited | where {$_.WhenCreated -gt (get-date).adddays(-7)} | ft Name,whenCreated -Autosize

Similarly, when an AD object is changed, it’s whenChanged attribute gets stamped with the time the change was made. This makes it easy to determine which objects were changed in a given period, a useful tool for auditing/reporting as well as troubleshooting. In the following example, we determine if any Receive Connectors were changed in the last 7 days.

Get-ReceiveConnector | where {$_.whenChanged -gt (get-date).adddays(-7)}

Another frequently required and requested report— how do I get a list of mailboxes that haven’t been accessed in the last X days. Let’s use 100 days as the value here:

Get-MailboxStatistics -resultsize unlimited | where {$_.LastLogonTime -lt (get-date).AddDays(-100)} | ft displayName,lastlogontime,lastloggedonuseraccount,servername

Or mailboxes that have never been logged on to:

Get-MailboxStatistics -resultsize unlimited | where {$_.LastLogonTime -eq $null | ft displayName,lastlogontime,lastloggedonuseraccount,servername

Note, you can filter mailboxes by Database or ServerName to restrict the results to a more manageable size.

Disconnected/Disabled Mailboxes
Next, let’s list mailboxes disabled in the last 14 days:

Get-MailboxStatistics | Where {$_.DisconnectDate -gt (get-date).AddDays(-14)} | ft displayName,ServerName,DatabaseName,TotalItemSize -Autosize

Update 8/18/2011: Exchange 2010 includes the WhenMailboxCreated property for mailboxes, which makes this easier. The property doesn’t change when a mailbox is moved to another mailbox database.

The good news is, WhenMailboxCreated is a filterable property! This means we don’t need to run Get-Mailbox -ResultSize Unlimited to retrieve all mailboxes and then pipe the results to the Where-Object cmdlet to do the filtering. The filtering can occur on server-side.

This command retrieves all mailboxes created after 8/3/2011.

Get-Mailbox -Filter {WhenMailboxCreated -gt “8/3/2011″} | ft Name,WhenMailboxCreated -Auto

{ 7 comments… read them below or add one }

Mauro Rita June 25, 2008 at 12:56 pm

First of all, Congratulations on writing a great blog and on “moving to the MotherShip”.

Correct me if I’m wrong, but WhenCreated is the creation date of the AD object, not the mailbox’s, right?

Is there a way to find the mailbox creation date with Powershell, without something like the following link?

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.exchange.development∣=9b997efd-d3b3-4d18-a1a7-e3cfcbbf9d78 ?

Thank you.

Reply

Bharat Suneja July 1, 2008 at 8:22 am

Yes, whenCreated is the time the AD object (user account in this case) was created.

I started investigating the answer to your second question— something I asked myself as well when writing the post. Will update this post when I’ve narrowed that down.

Reply

Anonymous August 12, 2008 at 3:37 pm

Hi there,

I used the “get-mailboxstatistics | ft name,whenCreated” command

and I got the creation date. I’m assuming this is the mailbox creation date.

Reply

Bharat Suneja August 13, 2008 at 8:06 pm

@Anonymous: Get-MailboxStatistics cmdlet does not return Name or WhenCreated properties. It does return DisplayName.

The only two timestamps it returns is LastLogonTime and LastLogoffTime.

The WhenCreated property returned by both Get-User and Get-Mailbox is the whenCreated attribute from the AD account – the time that the user account was created.

That may or may not be the time when the mailbox is created in the Mailbox Database (It’s probably safe to assume that there’s some latency between account creation time and mailbox creation in MDB).

Also consider cases where existing AD accounts are mailbox-enabled.

Looking for a reliable way to retrieve mailbox creation time.

Reply

bapu September 29, 2008 at 8:50 am

So how do I see the report does it txt file?

Reply

Bharat Suneja September 29, 2008 at 9:08 am

@Bapu: Outputs to the console window you issue the command in. You can pipe the output to a text file by using:
>MyFile.txt

Powershell also has the Export-CSV cmdlet.

Reply

Jhon Drake May 22, 2014 at 12:00 am

Thanks for sharing nice scripts to report on different things such as user accounts created every week or month, user accounts modified, accounts disabled etc for SOX compliance. You can try automate utility ( http://www.mailboxaccessauditing.com/ ) to find out the mailbox creation date.

Reply

Leave a Comment

Previous post:

Next post: