Admin Audit Log

Hi all,

According to the link:

https://technet.microsoft.com/en-us/library/dd335144%28v=exchg.150%29.aspx

I found that in a log entry we have a "Succeeded" field and an "Error" field, but it seems that I always see that "Succeeded" is TRUE and "Error" is BLANK in all cases.

So I wonder how we can log an audit entry with "Succeeded" set to FALSE. Can anyone give me an example, please?

Thanks a lot !


June 8th, 2015 11:34pm

Can anyone help, please?
June 9th, 2015 10:34am

Hi,

We can use the Search-AdminAuditLog cmdlet to search the contents of the administrator audit log. Also use the IsSuccess parameter to filter out the failure logs.

The IsSuccess parameter specifies whether only administrator audit log entries that indicated a success or failure should be returned. Valid values are $true and $false.

For detailed information about the audit log, please refer to:

https://technet.microsoft.com/en-us/library/ff459250(v=exchg.150).aspx

Best Regards,

David

June 10th, 2015 5:15am

Thanks for your reply.

I am aware of how to search the administrator audit log. I just have no idea when the audit log result returns $false, because I cannot catch any cases like this in my environment. So could you point out one example of that?

Thanks !

June 10th, 2015 5:46am

Hi,

When the value was False, this represented that the cmdlet in the CmdletName field ran unsuccessfully.

regards,

David 

June 11th, 2015 2:29am

Can you point out one example that can make the value FALSE?

Thanks !

June 11th, 2015 3:09am

Hi,

I have tested in my lab. As the cmdlet in the CmdletName field ran successfully, they displayed true.

[PS] C:\Windows\system32>Search-Adminauditlog -cmdlets add-adpermission -startdate 05/28/2015 -enddate 06/12/2015

RunspaceId         : 0e0597a2-e8f9-4d9c-acb0-29f3425cca9e
ObjectModified     : CU1.com/Users/test 1
CmdletName         : Add-ADPermission
CmdletParameters   : {Identity, User, ExtendedRights}
ModifiedProperties : {}
Caller             : CU1.com/Users/Administrator
Succeeded          : True
Error              : None
RunDate            : 6/11/2015 2:02:41 PM
OriginatingServer  : EXCH2-CU1 (14.03.0123.002)
Identity           : RgAAAADIqoR4c7lgRqYnR2xT9kJTBwCgzabCy1CAS72uxiBRMedaAAAAZL2fAACgzabCy1CAS72uxiBRMedaAAIMpAksAAAJ
IsValid            : True

RunspaceId         : 0e0597a2-e8f9-4d9c-acb0-29f3425cca9e
ObjectModified     : CU1.com/Users/test 1
CmdletName         : Add-ADPermission
CmdletParameters   : {Identity, User, ExtendedRights}
ModifiedProperties : {}
Caller             : CU1.com/Users/Administrator
Succeeded          : True
Error              : None
RunDate            : 6/10/2015 1:41:36 PM
OriginatingServer  : EXCH2-CU1 (14.03.0123.002)
Identity           : RgAAAADIqoR4c7lgRqYnR2xT9kJTBwCgzabCy1CAS72uxiBRMedaAAAAZL2fAACgzabCy1CAS72uxiBRMedaAAIMpAkpAAAJ
IsValid            : True

RunspaceId         : 0e0597a2-e8f9-4d9c-acb0-29f3425cca9e
ObjectModified     : CU1.com/Users/test 1
CmdletName         : Add-ADPermission
CmdletParameters   : {Identity, User, ExtendedRights}
ModifiedProperties : {}
Caller             : CU1.com/Users/Administrator
Succeeded          : True
Error              : None
RunDate            : 6/10/2015 1:39:27 PM
OriginatingServer  : EXCH2-CU1 (14.03.0123.002)
Identity           : RgAAAADIqoR4c7lgRqYnR2xT9kJTBwCgzabCy1CAS72uxiBRMedaAAAAZL2fAACgzabCy1CAS72uxiBRMedaAAIMpAkoAAAJ
IsValid            : True

I suggest you can try to run "C:\Windows\system32>Search-Adminauditlog -cmdlets your command -startdate 05/28/2015 -enddate 06/12/2015 -IsSuccess $false"

Regards,

David



June 12th, 2015 4:12am
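
One way to triage whatever a -IsSuccess $false search returns, as an added example that is not part of the original thread: group failed entries by Caller and CmdletName and flag repeats. The function names, the threshold and the sample records (callers, error text) are constructed for illustration; the field names follow the Search-AdminAuditLog output shown above.

```powershell
# Added example (not from the thread): summarize failed admin audit entries.
# Get-FailedAdminAction, New-SampleEntry and -Threshold are hypothetical names.
function Get-FailedAdminAction {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Entry,
        [int] $Threshold = 2   # assumed: failures per caller/cmdlet before flagging
    )
    $Entry |
        Where-Object { $_.Succeeded -eq $false } |
        Group-Object Caller, CmdletName |
        ForEach-Object {
            $group  = $_
            $sorted = @($group.Group | Sort-Object RunDate)
            New-Object PSObject -Property @{
                Caller     = $sorted[0].Caller
                CmdletName = $sorted[0].CmdletName
                Failures   = $group.Count
                FirstSeen  = $sorted[0].RunDate
                LastSeen   = $sorted[-1].RunDate
                Errors     = @($sorted | ForEach-Object { $_.Error } | Sort-Object -Unique)
                Flagged    = ($group.Count -ge $Threshold)
            }
        } |
        Sort-Object Failures -Descending |
        Select-Object Caller, CmdletName, Failures, FirstSeen, LastSeen, Errors, Flagged
}

# Constructed sample records (not real log data); only the fields used above.
function New-SampleEntry($Caller, $Cmdlet, $Ok, $Err, $When) {
    New-Object PSObject -Property @{
        Caller = $Caller; CmdletName = $Cmdlet; Succeeded = $Ok
        Error  = $Err;    RunDate    = [datetime]$When
    }
}
$sample = @(
    (New-SampleEntry 'CU1.com/Users/Administrator' 'Add-ADPermission' $true  'None' '2015-06-10T13:39:27'),
    (New-SampleEntry 'CU1.com/Users/helpdesk1' 'Add-ADPermission' $false '(constructed error A)' '2015-06-10T14:05:00'),
    (New-SampleEntry 'CU1.com/Users/helpdesk1' 'Add-ADPermission' $false '(constructed error A)' '2015-06-10T14:06:10'),
    (New-SampleEntry 'CU1.com/Users/operator2' 'Set-Mailbox' $false '(constructed error B)' '2015-06-11T09:30:00'),
    (New-SampleEntry 'CU1.com/Users/Administrator' 'Add-ADPermission' $true  'None' '2015-06-11T14:02:41')
)

Get-FailedAdminAction -Entry $sample | Format-List

# In the Exchange Management Shell, feed it live results instead of $sample:
# $failed = Search-AdminAuditLog -StartDate 05/28/2015 -EndDate 06/12/2015 -IsSuccess $false
# Get-FailedAdminAction -Entry $failed
```

With the constructed sample, helpdesk1 appears once with Failures = 2 and Flagged = True, and operator2 appears with Failures = 1 and Flagged = False.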

Thanks David,

As I mentioned above, I cannot find any cases that return the result FALSE. That's all I am asking about, and I would appreciate it if anyone can point out one example to get the FALSE case in the Admin log.

Thanks !

June 12th, 2015 4:15am

This topic is archived. No further replies will be accepted.
