How can I be notified when an Exchange Server 2007/2010 mailbox is created/removed?

There are a few prerequisites to setup in order to get notified when an Exchange mailbox is created or removed. The instructions below are for Exchange Server 2010, but are very similar for Exchange Server 2007.

1. On the Exchange server, diagnostic logging needs to be setup. Diagnostic logging is configured by navigating to "Microsoft Exchange On-Premises" - "Server Configuration" - "Mailbox". There, click "Manage Diagnostic Logging Properties..." on right "Actions" tab.

2. Under diagnostic logging, locate the MSExchangeAL category, and select the "Account Management" sub category. Set the logging level to High and click "Configure". Please also see: https://www.myeventlog.com/search/show/785.

3. In EventSentry, you will then need to monitor the Exchange server event log "MSExchange Management". All events from diagnostic logging are written to this event log. Since this is a custom log, you will need to configure it in the "Custom Event Logs" tab of the filter dialog (see also: https://www.netikus.net/software/eventsentry/index.html?configcustomeventlogsmonitorin.htm).

1. Since most events are logged with event id "1", events can be filtered based on the content. For mailbox creation and deletion, the following two content filters can be added ("OR" condition):

Cmdlet New-Mailbox
Cmdlet Remove-Mailbox

If more diagnostic logging is setup, then the filter will need to be adapted accordingly, or an additional filter can be created.