☰
Related Products
ADManager Plus
ADAudit Plus
ADSelfService Plus
M365 Manager Plus
The user credentials provided in the Organization Settings page do not have sufficient privilege.
The user credential provided should satisfy the below criteria.
| Single domain forest | Multiple domain forest | |
|---|---|---|
| Exchange Management Shell available | The user credential should be added to the following groups.
|
The user credential should be added to the following groups.
|
| Exchange Management Shell unavailable | The user credential should be added to the Domain Admins group.
|
The user credential should be added to the following groups.
|
The Servers are not operational
This error could be due to any of the following reasons.
Exchange Reporter Plus uses port 389 for LDAP connection. If firewall is enabled, ensure that the port 389 is added to the exception list.
Remote PowerShell Network error
Unable to establish a connection to remote powershell.
General steps to check whether remote PowerShell can be connected from the product installed machine:
Note: If you have followed the correct procedure, then look for resolution steps.
Remote Powershell is not installed
Windows Remote Management Framework is not installed.
Download and install WinRM 2.0 using the link: https://www.microsoft.com/en-in/download/details.aspx?id=20430
If Mailbox Auditing reports don’t have records for some of the users
First, check if the users have been blocked from auditing by following the steps given below:
Don't see your error listed above?
Contact: support@exchangereporterplus.com
Cause:
- Diagnostic Logging has not been configured due to the unavailability of PowerShell.
- If configured, the desired audit event has not yet occurred.
Resolution:
- To configure Diagnostic Logging, open Exchange Management Shell on any one of the Exchange Servers and execute the below command after replacing with the server name.
‘%SERVER_NAME%\MSExchangeIS\9000 Private\Logons’ | Set-EventLogLevel -Level ‘Expert’
- After automatic configuration of Diagnostic Logging, the desired audit event would not have occurred. As a result there will be no data registered into the application logs. Please wait for any events to be recorded in the logs and for event collection to happen. In case of real-time events, data will be fetched immediately after the event has occurred.
Reasons for "Search-AdminAuditLog command failed"
Possible Cause:
Server (containing the "Arbitration mailbox") may be unreachable or non - operational owing to compromised Domain Controller(s), unavailability of servers, closure of Port 389 or an enabled firewall.
Resolution:
Exchange Reporter Plus uses port 389 for LDAP connection. If firewall is enabled, ensure that the port 389 is added to the exception list.
If failure prevails follow the next probable cause.
Database containing the "Arbitration mailbox" is dismounted.
Verify the reason by running the following script:
Identify the concerned database that has undergone mailbox arbitration using the following command:
Get-Mailbox -Arbitration | Select Name, Database, ServerName
Check if the mailbox database is mounted or not using the following command:
Get-MailboxDatabase -Identity '<Database Name>' -Status | Format-Table Name, Mounted
Resolution:
Mount the database using the following command:
Mount-Database -Identity '<Database Name>'
Arbitration Mailbox is corrupted.
To verify if the mailbox is corrupted, run the following script on EMS:
Get-Mailbox -arbitration
Resolution:
1) Open AD Users and Computers.
2) Expand the Domain and go to users OU.
3) Find the following accounts and DELETE them:
"SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" "SystemMailbox{1f05a927-****-****-****-*******}" (Make a note of the GUID of previous system mailbox as it varies on every enviroment) 4) Open Command prompt, navigate to Exchange Setup files and run setup.com /preparead
5) Open the Exchange Management Shell and run the script below:
Enable-Mailbox -Arbitration -Identity "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" Enable-Mailbox -Arbitration -Identity "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" Enable-Mailbox -Arbitration -Identity "SystemMailbox{1f05a927-****-****-****-*******}" (Remember to change *** to your Guid) Your arbitration mailboxes should now be fine, run "Get-Mailbox -arbitration" to confirm and all should appear with no errors. In the very unlikely event that the error still occurs, consider cause 4.
Content indexing is not running. MSExchangeSearch (Indexer) service is stopped.
Resolution:
1) Go to 'Services' in the server that contains the arbitration mailbox.
2) Start the 'MSExchangeSearch' Service by right clicking on 'Microsoft Exchange Search Indexer'.
3) Navigate to and click on 'Start'.
Don't see your error listed above?
Contact: support@exchangereporterplus.com
Cause:
The current credentials do not have sufficient privilege.
Resolution:
The user credential provided should satisfy the below criteria.
Single domain forest Multiple domain forest Exchange Management Shell available The user credential should be added to the following groups.
- Exchange Organization Management
- Domain Admins
The user credential should be added to the following groups.
- Exchange Organization Management
- Enterprise Admins
Exchange Management Shell unavailable The user credential should be added to the Domain Admins group.
- Domain Admins
The user credential should be added to the following groups.
- Exchange Organization Management
- Enterprise Admins
Cause:
The product would not be installed in the Exchange forest. Hence even after providing credentials with right privilege, Default Domain Controller policy will fail to configure automatically.
Resolution:
Configure Default Domain Controller Policy manually.
i) Log on to the domain controller using an administrative account.
ii) If Windows 2008, open Group Policy Management from Start -> Administrative tools.
iii) If Windows 2003, select Default Domain Controller Security Settings from Start -> Administrative tools.
iv) Navigate to ForestName -> Domains -> DomainName -> Group Policy Objects -> Default Domain Controller Policy and right click to Edit it.
v) Navigate to Computer Configuration -> Policies-> Windows Settings -> Security Settings -> Local Policies.
vi) Select Audit Policy.
vii) In the right pane, double click the following policy and enable "Success" and "Failure" settings.
- Audit directory service access
- Audit object access.
viii) Click Ok.
Don't see your error listed above?
Contact: support@exchangereporterplus.com
No data currently available for the report. Please wait for events.
Cause:
i. The desired audit events have not occurred. Hence there is no data currently available.
ii. The desired audit events have occurred. But the event collection is yet to happen.
iii. The Event Log Policy settings is configured for a small log size and "Overwrite events as needed" is enabled.
Resolution:
i. Exchange Reporter Plus has swept through the logs but the desired events have not occurred at the time of sweep. Wait for the desired audit events to be recorded in the event logs.
ii. Exchange Reporter Plus has a default ‘Event Fetch Interval’ of 2 hours for collecting the data from the logs periodically. Manually initiate the event collection process by clicking on the ‘Run Now’ link to immediately collect the data. For real-time events, there is no need to initiate the event collection manually. The data will be collected once the events are recorded to the logs.
iii. Ensure that the event log size is large enough so that the event log data will not get lost.
No data found for the selected period and filter values.
Cause:
The desired audit events are not available for the selected time period and chosen filter values.
Resolution:
Select a different time period and filter value to see the data in the reports.
Don't see your error listed above?
Contact: support@exchangereporterplus.com
Cmdlets return no value in Exchange Management Shell
Search-AdminAuditLog -StartDate 09/17/2018 -EndDate 10/02/2018 -ResultSize 100
Search-MailboxAuditLog -ShowDetails -StartDate 1/1/2016 -EndDate 3/1/2016 -ResultSize 100
When above-given Cmdlets return no value in the Exchange Management Shell or Remote PowerShell sessions, it means data is not available for mailbox auditing in the server itself. Please wait for the event to occur so that the logs can be generated.
Don't see your error listed above?
Contact: support@exchangereporterplus.com
Advanced audit reports and cmdlets used
| S.No | Report name | Cmdlets used |
|---|---|---|
| 1 | Mailbox Permission Changes |
|
| 2 | Mailbox Storage Quota Changes |
Parameters: |
| 3 | Mailbox Move Request |
|
| 4 | Mailbox Create and Delete |
|
| 5 | Send and Receive Connector Changes |
|
| 6 | Circular Logging Changes |
|
| 7 | Hub Transport Settings Changes |
|
| 8 | Folder Access Permission Changes |
|
| 9 | Mailbox Import Export Changes |
|
Audit actions logged and corresponding event IDs
| S.No | Actions | Event ID | Additional information |
|---|---|---|---|
| 1 | Self-logon | 1009 |
|
| 2 | Non-owner logon events | 1016, 1013 |
|
| 3 | Mailbox permissions modified (Exchange Server 2003) | 566 |
|
| 4 | Mailbox permission modified (Exchange Server 2008) | 5136 |
|
| 5 | Mailbox Send As permission change | 5136 |
|
| 6 | Mailbox quota modified (Exchange Server 2003) | 566 |
|
| 7 | Mailbox quota modified (Exchange Server 2008) | 5136 |
|
| 8 | Message size restriction change (Exchange Server 2003) | 566 |
|
| 9 | Message size restriction change (Exchange Server 2008) | 5136 |
|
| 10 | Mailbox activated | 5136 |
|
| 11 | Mailbox deactivated | 5136 |
|
| 12 | Mailbox moved action (Exchange Server 2003 and 2007) | 5136 |
|
| 13 | Mailbox moved action (Exchange Server 2010) | 5136 |
|
| 14 | Mailbox database mounted (Exchange Server 2010) | 9523 |
|
| 15 | Mailbox database mounted (Exchange Server 2013) | 40008 |
|
| 16 | Mailbox database mounted (Exchange Server 2016) | 40018 |
|
| 17 | Mailbox database dismounted (Exchange Server 2010) | 9539 |
|
| 18 | Mailbox database dismounted (Exchange Server 2013) | 40009 |
|
| 19 | Mailbox database dismounted (Exchange Server 2016) | 40028 |
|
| 20 | Public folder database mount | 9523 |
|
| 21 | Public folder database dismount | 9539 |
|
| 22 | Circular logging (Exchange Server 2003) | 566 |
|
| 23 | Circular logging (Exchange Server 2008) | 5136 |
|
| 24 | Receive connector removed | 5141 |
|
| 25 | Receive connector created | 5137 |
|
| 26 | Send connector changes (Exchange Server 2008) | 5136 |
|
| 27 | Receive connector changes (Exchange Server 2008) | 5136 |
|
| 28 | Send connector enabled (Exchange Server 2008) | 5136 |
|
| 29 | Receive connector enabled (Exchange Server 2008) | 5136 |
|
| 30 | Send connector changes (Exchange Server 2003) | 566 |
|
| 31 | Receive connector changes (Exchange Server 2003) | 566 |
|
| 32 | Send connector enabled (Exchange Server 2003) | 566 |
|
| 33 | Receive connector enabled (Exchange Server 2003) | 566 |
|
| 34 | Hub transport settings (Exchange Server 2003) | 566 |
|
| 35 | Hub transport settings (Exchange Server 2008) | 5136 |
|
| 36 | Distribution list created and deleted | 4744, 4749, 4759, 4748, 4753, 4763 |
|
| 37 | Distribution list member added and removed | 4746, 4751, 4761, 4747, 4752, 4762 |
|
Don't see your error listed above?
Contact: support@exchangereporterplus.com
Copyright © 2023, ZOHO Corp. All Rights Reserved.
Previous Topic