Chat now with support
Chat with Support

Change Auditor 7.0.3 - PowerShell Command User Guide

Managing Windows File System auditing

Change Auditor for Windows File Server tracks, audits, and alerts on file and folder changes in real time, translating events into simple terms and eliminating the time and complexity required by native auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. You can include or exclude certain files or folders from the audit scope to ensure a faster and more efficient audit process.

Managing Windows file system auditing is available through the following PowerShell commands:

Use this command to define a folder or file paths to audit.

NOTE:  

-IncludePath

Specifies the folder or file to audit.

-IncludePathType

Specifies the type of path to audit based on one of the following values:

-IncludeScope

 

Specifies the scope to monitor for the Includepath based on one of the following values:

-AuditEvents

The events to audit.

Use Get-CAWindowsFSEventClassInfo to get the list of event classes.

-IncludeMask (Optional)

Specifies what to include in the selected folder or file path to audit. Entering * will audit all files and folders in the selected folder.

-ExcludeFilePaths (Optional)

Specifies the names and paths of any files to exclude from auditing.

The default is set to None.

-ExcludeFolderPaths (Optional)

Specifies the names and paths of any subfolders to exclude from auditing. The default is set to None.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the selected path or folder. The default is set to false.

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask "*"
–ExcludeFolderPaths "C:\ExampleDirectory\ExcludedDirectory"

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask "*" –ExcludeFilePaths "*.tmp"

To enable Windows File System auditing, you must first create an auditing template for each file or folder to audit. Each auditing template defines the files or folders to audit, the auditing scope, and the excluded processes.

Use this command to create a Windows file system auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-AuditObjects

The folder or file path objects created using
New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Specifies whether the template is enabled or disabled. Default is set to false.

New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName 'New-FSTemplate' -AuditObjects $auditObject -ExcludeProcess $excludeProcess -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false

Use this command to delete a Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to remove. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Remove-CAWindowsFSAuditTemplate -Connection $connection -Template $removeTemplate

 

Use this command to edit an existing Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to edit. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-TemplateName (Optional)

The template name.

-AuditObjects (Optional)

The folder or file path objects created using
New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Set to true or false to enable or disable the template.

Set-CAWindowsFSAuditTemplate -Connection $connection -Template $Template -ExcludeProcess "avsoftware.exe" -TemplateName "NewTemplateName"

Use this command to see all the Windows File System auditing templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSAuditTemplates -Connection $connection

$template = Get-CAWindowsFSAuditTemplates -Connection $connection | where TemplateName -eq TemplateName

Use this command to get a list of all available Windows File System auditing event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSEventClassInfo -Connection $connection

 

Managing Fluid File System auditing

Change Auditor for Fluid File System tracks, audits, reports, and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by native auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. Change Auditor also allows you to include or exclude certain files or folders from the audit scope to ensure a fast and efficient audit process.

Change Auditor captures events and provides detailed information relating to the following activities:

The following commands are available to manage Fluid File System auditing:

Use this command to see a list of all Fluid File Service clusters available to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAFluidFSClusters -Connection $connection

Use this command to see if encryption has been set. Encryption protects the data as it passes between the FluidFS cluster and the Change Auditor agents.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the FluidFS cluster to audit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager.

Get-CAFluidFSEncryptionStatus -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential

Use this command to get a list of all available FluidFS event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAFluidFSEventClassInfo -Connection $connection

Use this command to see all the Fluid File System templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all FluidFS templates

Get-CAFluidFSTemplates -Connection $connection

Use this command to get a list of all volumes on a specified cluster.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster from which to retrieve volume names.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

Example: See a list of all available volumes on a cluster

Get-CAFluidFSVolumes -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential

Use this command to define which volumes to audit.

 

-Volume

The name of the volume to audit.

-IncludePaths

The folders\files to include.

-EventClasses

The events to audit.

-ExcludeFilePaths (Optional)

The name and path of files to exclude from auditing.

-ExcludeFolderPaths (Optional)

The name and path of subfolders to exclude from auditing.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the volume. The disable feature allows you to temporarily stop auditing the specified volume without having to remove the auditing template or individual volume from a template.

$auditVolume = New-CAFluidFSAuditVolume -Volume $volumes[0] -IncludePaths $includePaths -EventClasses $fluidFSEventClasses -ExcludeFilePaths $excludeFilePaths -ExcludeFolderPaths $excludeFolderPaths -Disabled $False

To enable FluidFS auditing in Change Auditor, you must first create an auditing template for each file server to audit. Each auditing template defines the location of the file server, the auditing scope, and the Change Auditor agents that are to receive the events.

Use this command to create a Fluid File System auditing template.

Returns: A FluidFS template object.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster to audit.

-Agents

The Change Auditor agents that are to receive the FluidFS events.

-AuditItems

The volumes and their list of exclusions and inclusions.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

-Disabled (Optional)

Specifies whether the template is enabled or disabled.

New-CAFluidFSTemplate -Connection $connection -ClusterName $clustername -Agents $agents -AuditItems $auditItems -ClusterConfigurationCredential $credential
-Disabled $False

Use this command to delete a FluidFS to delete a template when a connection cannot be made with the FluidFS cluster.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to delete.

Clear-FluidFSTemplate -Connection $connection -Template $template

Use this command to edit an existing Fluid File System template.

NOTE: You can also use the Enable-CAAgentTemplate and Disable-CAAgentTemplate to enable or disable the template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to edit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

-Agents (Optional)

The Change Auditor agents that are to receive the FluidFS events.

-AuditItems (Optional)

The volumes and their list of exclusions and inclusions.

-Enable (Optional)

Set to true or false to enable and disable the template.

Set-CAFluidFSTemplate -Connection $connection -Template $template -ClusterConfigurationCredential $credential -Enable True -Agents $agents -AuditItems $auditItems

Use this command to enable or disable encryption for auditing on the Fluid File System cluster. Encryption allows you to protect the event traffic as it passes between the FluidFS cluster and the Change Auditor agents.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster to audit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager.

-EncryptionCredential

The service account credentials for the cluster to use when encrypting events.

Set-CAFluidFSEncryptionCredential -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential -EncryptionCredential $EncryptionCredential

Managing Azure Active Directory auditing

Change Auditor audits activity in the Azure portal that corresponds to the events in the Azure Active Directory auditing logs and sign-in activity. Managing Azure Active Directory auditing is available through the following PowerShell commands:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

The following sample scripts are available in the Change Auditor client folder. By default they are located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts:

 

Use this command to create a template for auditing Azure Active Directory.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent is used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-WebAppCreationCredential

Azure Active Directory credentials required to create an Azure web application. The credential object is obtained by using the Get-Credential command.

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

New-CAAzureADTemplate -Connection $connection -WebAppCreationCredential $azureCreds -AgentInfo $agent –HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Alternatively, use these parameters if you are using a pre-created Azure web application that Change Auditor will use for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Windows Azure Active Directory

Application Permissions:

Delegated Permissions:

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

New-CAAzureADTemplate -Connection $connection -AgentInfo $agent -WebAppKey $webAppKey -WebAppId $webAppId -Tenant $tenant –HistoricalEventCollectionDays 30
-SignIns $True -AuditLogs $True

Use this command to edit the web application key and ID, and the agent in an existing Azure Active Directory template. This also allows you to replace an expired or revoked web application.

NOTE:  

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by the Get-CAAzureADTemplates command.

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

Set-CAAzureADTemplate -Connection $connection -Template $template -WebAppKey $webAppKey -WebAppId $webAppId

Set-CAAzureADTemplate -Connection $connection -Template $template -SignIns $True
-AuditLogs $True

Use this command to see all the Azure Active Directory templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAAzureADTemplates -Connection $connection

Managing Office 365 auditing

Change Auditor for Exchange and Change Auditor for SharePoint have been extended to include the auditing of activities taking place in Exchange Online, SharePoint Online, and OneDrive for Business. The following commands are available to manage Office 365 auditing:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

Use this command to create a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

 

-AgentInfo

An agent obtained by using the Get-CAAgents command.

-Connection

A connection obtained by using the Connect-CAClient command.

-WebAppCreationCredential

Azure Active Directory account credentials required to create an Azure web application. The credential object is obtained by using the Get-Credential command.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

-O365ExchangeAdminCredential (Optional)

An account with the Exchange Administrator role. It is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). These credentials are used periodically by the agent to validate or update auditing settings, so they are securely stored in Change Auditor.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

New-CAO36Template -Connection $connection -WebAppCreationCredential $azureCreds -AgentInfo $agent -O365ExchangeAdminCredential $o365Creds -AuditAdministration $true –AuditOrganization $true –HistoricalEventCollectionDays 7

Alternatively, use these parameters when using a pre-created Azure web application that will be used by Change Auditor for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Windows Azure Active Directory

Application Permissions:

Delegated Permissions:

Office 365 Management APIs

Application Permissions:

Delegated Permissions:

-AgentInfo

An agent object obtained by using the Get-CAAgents command.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure AD tenant/Directory that you would like Change Auditor to audit (for example: yourTenantName.onmicrosoft.com).

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

-O365ExchangeAdminCredential (Optional)

An account with the Exchange Administrator role. It is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). These credentials are used periodically by the agent to validate or update auditing settings, so they are securely stored in Change Auditor.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

New-CAO365Template -Connection $connection -AgentInfo $agent -O365ExchangeAdminCredential $o365Creds -WebAppKey $webAppKey -WebAppId $webAppId - Tenant $tenant -AuditAdministration $true –AuditOrganization $true
–HistoricalEventCollectionDays 7

Use this command to edit the account used to access Office 365 Exchange Online, the type of service and events to audit, and select a new agent.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-WebAppCreationCredential

Azure Active Directory account credentials required to create an Azure web application. The credential object is obtained by using the Get-Credential command.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-AgentInfo (Optional)

An agent object obtained by using the Get-CAAgents command.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by non-owners.

-EnableExchange (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-O365ExchangeAdminCredential (Optional)

An account with the Exchange Administrator role. It is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). These credentials are used periodically by the agent to validate or update auditing settings, so they are securely stored in Change Auditor.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

Set-CAO365Template -Connection $connection -Template $template
-AuditOrganization $true

Set-CAO365Template -Connection $connection -Template $template -EnableSharePoint $true -EnableOneDrive $true

Set-CAO365Template -Connection $connection -Template $template -WebAppId $webAppId -WebAppKey $webAppKey

Set-CAO365Template -Connection $connection -Template $template -AgentInfo $agent -WebAppId $webAppId -WebAppKey $webAppKey -O365ExchangeAdminCredential $o365LiveCreds

Use this command to see all the Office 365 templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAO365Templates -Connection $connection

Use this command to remove a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Office 365 tenant that is used for auditing. For example, yourTenantName.onmicrosoft.com.

Remove-CAO365Template -Connection $connection -Tenant $tenant

Use this command to find specific mailboxes that can be added to an existing Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Office 365 tenant that is used for auditing. For example, yourTenantName.onmicrosoft.com.

-SearchText (Optional)

The search criteria specified as the mailbox display name. This can be the full name of the mailbox to return a specific mailbox or the starting characters to return a list of mailboxes that start with those characters.

-Skip (Optional)

The number of objects to exclude from the list of returned objects, starting from the top.

-First (Optional)

The number of objects to return.

-IncludeTotalCount (Optional)

The total number of objects in the data set. Values specified for the First or Skip parameters do not impact this count.

Get-CAO365ExchangeMailboxes -Connection $connection -Tenant $tenant -SearchText "a"

Use this command to audit specific mailboxes in your organization by adding them to an existing Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-Mailboxes

Mailbox objects obtained by using the Get-CAO365ExchangeMailboxes command.

-AuditOwnerEvents (Optional)

A switch that indicates that the added mailboxes will be audited for owner activity in addition to the non-owner activity. By default, the mailboxes will be audited for non-owner mailbox activity only.

-OverwriteExisting (Optional)

If the mailboxes already exist in the template, this switch indicates that the mailboxes will have their current owner/non-owner auditing settings overwritten with new settings.

Add-CAO365TemplateMailboxes -Connection $connection -Template $template -Mailboxes $mailboxes –AuditOwnerEvents

Use this command to remove mailboxes from an existing Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-Mailboxes

Mailbox objects obtained by using the Get-CAO365ExchangeMailboxes command.

-All (Optional)

A switch that indicates that all mailboxes will be removed from the template.

Remove-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template –All

Use this command to retrieve a list of mailboxes being audited by a particular Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-AuditTypeFilter

Parameter that allows you to narrow the search based on the type of activities being audited: non-owner only, owner (non-owner, owner), or any (non-owner only, owner and non-owner).

-DisplayNameFilter

The search criteria specified as the mailbox display name. This can be the full name of the mailbox to return a specific mailbox or the starting characters to return a list of mailboxes that start with those characters.

-Skip (Optional)

The number of objects to exclude from the list of returned objects, starting from the top.

-First (Optional)

The number of objects to return.

-IncludeTotalCount (Optional)

The total number of objects in the data set. Values specified for the First or Skip parameters do not impact this count.

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -DisplayNameFilter "John S" -AuditTypeFilter NonOwnerOnly

 

Related Documents