Exchange 2010 allows auditing of administrative actions. All actions can be audited or just specific cmdlets and parameters. To enable Audit Logging open the Exchange Management Shell and run the following commands.
Audit All cmdlets
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
Only audit New-Mailbox, all transport rules, all management, all set-transport cmdlets
Set-AdminAuditLogConfig -AdminAuditLogCmdlets New-Mailbox, *TransportRule, *Management, Set-Transport*
Set-AdminAuditLogConfig -AdminAuditLogParameters *
Set-AdminAuditLogConfig -AdminAuditLogParameters Database, *Address*, Custom*, *Region
Audits just the parameters that have Database, all parameters with *Address*, begins with Custom, ends with Region.
Set-AdminAuditLogConfig -AdminAuditLogMailbox [email protected]
All auditing is sent to the mailbox of AdminAudit.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
All of the commands can be run on a single line if you prefer.
After creating a new mailbox by either using the EMC or the EMS, an email is sent to the AdminAudit Mailbox. Make sure the Mailbox is secured appropriately and archive or delete the mail after a specified amount of time. A command Set-AdminAuditLogConfig –AdminAuditLogAgeLimit DD.HH:MM:SS is not available for the RTM release of 2010 so be sure to watch the size of the mailbox.
Below is a screenshot of the message sent to the AdminAudit Mailbox after creating a new Mailbox and User.