Article ID: 949722 - View products that this article applies to.
In an Exchange 2007 environment, you may want to know who has accessed the message tracking logs. To do this, you can enable LogPipeLineExecutionDetails registry entry. Then, when a user runs the Get-MessageTrackingLog command in Exchange Management Shell (EMS), an Event ID 800 is logged in the Powershell log. However, the user name is not included the event. Instead, the following Event is logged in the PowerShell log:
Event Type: Information Event Source: PowerShell Event Category: (8) Event ID: 800 Date: <Date> Time: <Time> User: N/A Computer: <server name> Description: The description for Event ID ( 800 ) in Source ( PowerShell ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: get-messagetrackinglog -server 152433m2, DetailSequence=1 DetailTotal=1 SequenceNumber=75 HostName=ConsoleHost HostVersion=22.214.171.124 HostId=467ed744-9a87-407f-972b-25eca13dec7d EngineVersion=126.96.36.199 RunspaceId=0086a970-acd4-4f80-9167-843f996fd6ec PipelineId=8 ScriptName= CommandLine=get-messagetrackinglog <parameter> <value>, ParameterBinding(Get-MessageTrackingLog): name="<parameter>"; value="<value>"
Therefore, you cannot obtain any information about the authenticated user who ran the command.
To resolve this problem, install Update Rollup 5 for Exchange 2007 Service Pack 1. For more information about Update Rollup 5 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 5 for Exchange Server 2007 Service Pack 1For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007To enable this hotfix, you must create the following registry entry on the Exchange Hub Transport server:
2 Client MonitoringTo do this, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
User information is not logged in Event ID 800 in the PowerShell log even though the hotfix is installed on the server. In other words, the Event ID 800 user information is the same as before the hotfix is installed. Instead, a message that resembles the following Event ID 7020 message is logged in the Application log after you install the hotfix, and you create the 2 Client Monitoring registry entry.
Event Type: Information Event Source: MSExchangeTransportLogSearch Event Category: Client Monitoring Event ID: 7020 Date: <date> Time: <time> User: N/A Computer: <ComputerName> Description: Client <domain\user> issued the following transport log search request: <?xml version="1.0" encoding="utf-8"?> <LogQuery xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Beginning>0001-01-01T00:00:00Z</Beginning> <End>9999-12-31T22:59:59.9999999Z</End> <Filter xsi:type="And"> <Conditions /> </Filter> </LogQuery> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
To enable Exchange-related command logging, run the following command:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Microsoft.Exchange.Management.PowerShell.Admin -Name LogpipelineExecutionDetails -value 1After you run the command, you can use Windows Explorer to access the log files that contain the information about who has accessed the message tracking logs.
Article ID: 949722 - Last Review: January 5, 2009 - Revision: 2.1