Search-MailboxAuditLog script extremely slow

  • Question

  • Hi!

    I confess I'm not at all a skilled PowerShell script writer. But I'm quite a good script-thief. I needed a script to check the last sign-in by every mailbox owner within the last 30 days and present the data in a CSV file, and to do so on a scheduled basis. As the mailbox audit logs seem to be the most reliable source for this, I googled and found this script.

    It gives me what I want BUT, I need some help with this theft because the script takes 7 hours to run through approximately 2500 mailboxes. If I use the parameter -LogonTypes Owner, which I would like to use, instead of -Operations MailboxLogin,Create the script takes days to run.

    Is there a way to make it run faster or is there another way to do this? Or is Search-MailboxAuditLog this slow to use?

    _______

    Measure-Command -Expression {
        # $mailboxes = Get-Mailbox | ?{$_.AuditEnabled}
        # Collect the user mailboxes; the Start-Sleep pauses 500 ms for every mailbox examined.
        $mailboxes = Get-Mailbox -ResultSize 2600 | Where-Object {$_.RecipientTypeDetails -eq "UserMailbox"; Start-Sleep -m 500}
        # One audit-log search per mailbox over the last 30 days, keeping the first record returned.
        $mailboxes | ForEach-Object {
            Search-MailboxAuditLog -Identity $_.name -ShowDetails -StartDate ([system.DateTime]::Now.AddDays(-30)) -EndDate ([system.DateTime]::Now.AddDays(+1)) -Operations MailboxLogin,Create |
                select Operation,LogonType,MailboxOwnerUPN,LogonUserDisplayName,LastAccessed -First 1
        } | Export-Csv -Path c:\LastLogin_2.csv -Encoding ascii -NoTypeInformation
    }

    _______

    Thanks in advance for any help.

    • Moved by Manu Meng Friday, April 26, 2019 9:12 AM relocate
    Thursday, April 25, 2019 10:46 AM

All replies

  • Hi Antnose,

     

    Since your environment has 2500 user mailboxes, the script might take a long time to run.

     

    As a workaround, you could run the following command to export all user mailbox statistics.

     

    Get-MailBox -ResultSize Unlimited | Get-MailboxStatistics | Export-Csv c:\log.csv

     

    Then open the CSV file in Excel, navigate to the 'LastLogonTime' column, and sort the data from Newest to Oldest. After that, you can clearly review the mailboxes' last sign-in within the last 30 days.

    Regards,

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, April 26, 2019 4:39 AM
  • Hi Kelvin!

    Thanks for your answer. But I have been there and done it and got depressed doing it.

    Read this and you'll understand why. https://www.petri.com/get-mailboxstatistics-cmdlet-wrong

    As I interpret the text, Microsoft themselves have degenerated the data stored in LastLogonTime for the mailbox. We could quite easily see that the data couldn't be trusted.


    Best regards

    Friday, April 26, 2019 6:32 AM
  • Hi Antnose,

     

    Thanks for pointing out that the LastLogonTime parameter is not suitable in this scenario.

     

    To research the issue in depth and better improve the script, I will help you move the thread to a more appropriate forum: Exchange server development.

     

    Thanks for your understanding!

    Regards,

    Kelvin Deng



    Friday, April 26, 2019 9:12 AM
  • Thanks for your help Kelvin!

    Niklas

    Monday, April 29, 2019 7:02 AM
  • I know this doesn't help much but if you hit a wall for returns you could do it in parallel

    Write-Output "function started at:$((get-date).AddHours(-5))"

    # Get the start time ... in this example we're going back 36 days and only grabbing a week of data
    $startDate = ([datetime]::Today).AddDays(-36)

    $AdminCred = Get-Credential

    # Start some parallel jobs
    # Block: each job searches one day of admin and delegate access
    $block = {
        Param(
            $AdminCred,
            $n,
            $startdate
        )
        Connect-ExchangeOnline -Credential $AdminCred
        Search-MailboxAuditLog -StartDate ($startDate.AddDays($n)) -EndDate ($startDate.AddDays($n) | get-date -Hour 23 -Minute 59 -Second 59) -LogonTypes @('admin','Delegate') -ExternalAccess:$false -showDetails:$true -ResultSize 250000
    }

    # Remove all jobs created.
    Get-Job | Remove-Job

    # Run all the parallel jobs
    $num = 0..6
    foreach($n in $num){
        Start-Job -Scriptblock $Block -ArgumentList @($admincred,$n,$startdate)
    }

    # Wait for all jobs to finish.
    do {start-sleep 1} until ($(Get-Job -State Running).count -eq 0)

    # Get information from each job (start from an empty array so += always appends).
    $adminAndDelegateMailboxAuditLog = @()
    foreach($job in Get-Job){
        $adminAndDelegateMailboxAuditLog += Receive-Job -Id ($job.Id)
    }

    # Remove all jobs created.
    Get-Job | Remove-Job

    $adminAndDelegateMailboxAuditLog.count
    Write-Output "function ended at:$((get-date).AddHours(-5))"



    William Lee

    Tuesday, January 5, 2021 4:29 PM
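
Added example, not code from any poster in this thread: however the audit records are collected (per mailbox as in the question, or per day in parallel jobs as in the last reply), the report the question asks for still needs them reduced to one row per mailbox. The function name `Get-LastOwnerSignIn`, the sample records and the mailbox list are constructed for illustration; the column names are the ones the question's script selects.

```powershell
# Constructed sample records (not real data), using the columns the question's script selects.
$asOf = [datetime]'2019-04-25'
$records = @(
    [pscustomobject]@{ Operation='MailboxLogin'; LogonType='Owner';    MailboxOwnerUPN='anna@example.com'; LastAccessed=$asOf.AddDays(-12) }
    [pscustomobject]@{ Operation='MailboxLogin'; LogonType='Owner';    MailboxOwnerUPN='anna@example.com'; LastAccessed=$asOf.AddDays(-2) }
    [pscustomobject]@{ Operation='Create';       LogonType='Delegate'; MailboxOwnerUPN='bo@example.com';   LastAccessed=$asOf.AddDays(-1) }
    [pscustomobject]@{ Operation='MailboxLogin'; LogonType='Owner';    MailboxOwnerUPN='Bo@example.com';   LastAccessed=$asOf.AddDays(-33) }
)
# Constructed list of every mailbox in scope, so mailboxes without any record still get a row.
$allMailboxes = 'anna@example.com', 'bo@example.com', 'cy@example.com'

function Get-LastOwnerSignIn {   # hypothetical helper name
    param(
        [object[]]$AuditRecords,
        [string[]]$Mailboxes,
        [int]$Days = 30,
        [datetime]$AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$Days)
    $latest = @{}
    foreach ($r in $AuditRecords) {
        if ($r.LogonType -ne 'Owner') { continue }    # admin/delegate access is not an owner sign-in
        $key  = ([string]$r.MailboxOwnerUPN).ToLowerInvariant()
        $when = [datetime]$r.LastAccessed
        # Keep the newest record per mailbox, whatever order the records arrived in.
        if (-not $latest.ContainsKey($key) -or $when -gt $latest[$key].LastAccessed) {
            $latest[$key] = [pscustomobject]@{ Operation = $r.Operation; LastAccessed = $when }
        }
    }
    # Emit one row per mailbox in scope, including those with no owner sign-in at all.
    foreach ($m in $Mailboxes) {
        $hit = $latest[$m.ToLowerInvariant()]
        [pscustomobject]@{
            MailboxOwnerUPN = $m
            LastOwnerSignIn = if ($hit) { $hit.LastAccessed } else { $null }
            Operation       = if ($hit) { $hit.Operation } else { $null }
            ActiveInWindow  = [bool]($hit -and $hit.LastAccessed -ge $cutoff)
        }
    }
}

Get-LastOwnerSignIn -AuditRecords $records -Mailboxes $allMailboxes -AsOf $asOf |
    ConvertTo-Csv -NoTypeInformation
```

Rows with an empty `LastOwnerSignIn` or `ActiveInWindow` set to False are the mailboxes to review as stale; replace `ConvertTo-Csv` with `Export-Csv` to write the scheduled report file.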