07-30-2024, 11:53 PM
Man, that Event ID 25228 in Windows Server Event Viewer pops up whenever someone fires off the New-OrganizationRelationship cmdlet in Exchange. It basically logs the exact moment an admin sets up a link between your org and another one, you know, for stuff like sharing calendars or federating mail flows. I always keep an eye on it because it could mean legit setup work, but hackers love mimicking admin commands to sneak in connections. The event details spill out the user who ran it, the timestamp, the target org's domain, and even the cmdlet parameters used. You'll see it under the Microsoft-Exchange-Organization/Administrative log, marked as informational, but don't sleep on it. If it's unexpected, it might flag unauthorized access attempts. I check the description field too, it quotes the full command line, which helps you trace if it's fishy.
You can monitor this thing right from the Event Viewer screen without messing with code. Just open Event Viewer, drill down to the Applications and Services Logs, then hit Microsoft, Exchange, Organization, Administrative. Filter for ID 25228, and set up a custom view if you want it easy to spot. To get email alerts, right-click the log, go to Attach Task To This Event Log, and build a scheduled task that triggers on new 25228 events. Make the action send an email through your SMTP setup, plug in your alert address, and boom, you get notified instantly. I do this on all my servers, keeps me from missing weird admin moves. Or tweak the task to run every few minutes and scan for recent events if you prefer polling over real-time.
And speaking of keeping your setup secure and backed up, I've been digging into tools that handle the heavy lifting. BackupChain Windows Server Backup stands out as a solid Windows Server backup solution, and it doubles for virtual machines with Hyper-V too. You get fast incremental backups that don't hog resources, plus easy restores without downtime headaches. It encrypts everything on the fly and supports offsite copies, so your data stays safe even if something goes sideways. I like how it snapshots Hyper-V VMs live, no need to shut them down, and the reporting keeps you looped in on backup health.
Note, the PowerShell email alert code was moved to this post.
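As an added example (not the original poster's script, and not Microsoft's), here is one way to implement the polling variant described above: a PowerShell script that a scheduled task runs every few minutes, pulls any recent events with the ID and log channel the post names, and mails a summary. The log name and event ID are taken from the post as-is; the SMTP server, sender/recipient addresses, and the `$ExpectedAdmins` allowlist are placeholders you must replace. The allowlist is an assumption added here so that a relationship created by an account outside your normal admin set is called out in the subject line rather than buried in the body.

```powershell
# Added example: poll for Event ID 25228 (New-OrganizationRelationship, per the post)
# and e-mail the details. Intended to run from a scheduled task every few minutes.
param(
    [string]$LogName         = 'Microsoft-Exchange-Organization/Administrative',  # channel named in the post
    [int]$EventId            = 25228,                                             # event ID named in the post
    [int]$LookbackMinutes    = 5,                                                 # match the task's repeat interval
    [string]$SmtpServer      = 'smtp.example.internal',                           # placeholder
    [string]$From            = 'exchange-alerts@example.internal',                # placeholder
    [string]$To              = 'secops@example.internal',                         # placeholder
    [string[]]$ExpectedAdmins = @('CONTOSO\exchadmin')                            # placeholder allowlist (assumption)
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# -FilterHashtable lets the event log service do the filtering instead of piping
# every record through Where-Object. SilentlyContinue suppresses the terminating
# "No events were found" error that Get-WinEvent raises on an empty window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = $EventId
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Verbose "No event $EventId in '$LogName' since $since"
    return
}

$unexpected = 0
$report = foreach ($e in $events) {
    # UserId is a SecurityIdentifier; resolving it to DOMAIN\name can fail for
    # deleted or foreign accounts, so fall back to the raw SID.
    $user = 'n/a'
    if ($e.UserId) {
        try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $e.UserId.Value }
    }
    if ($ExpectedAdmins -notcontains $user) { $unexpected++ }

    # The post notes the description field quotes the full cmdlet and parameters,
    # so the message text is included verbatim for the reviewer.
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = $user
        Expected = ($ExpectedAdmins -contains $user)
        Server   = $e.MachineName
        Message  = $e.Message
    } | Format-List | Out-String
}

$subject = "[$env:COMPUTERNAME] $($events.Count) x Event $EventId (New-OrganizationRelationship)"
if ($unexpected -gt 0) { $subject = "UNEXPECTED ACCOUNT: $subject" }

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject $subject -Body ($report -join "`n")
```

Register it with a repeating trigger slightly longer than `$LookbackMinutes` is short of, for example a 5-minute trigger with a 6-minute lookback, so a task that starts a few seconds late does not leave a gap between polls; an event reported twice is far cheaper than one missed. `Send-MailMessage` is marked obsolete by Microsoft but still ships in Windows PowerShell 5.1, which is what most Exchange hosts run the task under.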