Re: Exchange auditing
Just a note on shared mailboxes, if someone has deleted the emails in question, then the deleted emails will show in their Outlook's deleted items folder, not the deleted items folder of the shared mailbox.

On Mon, Dec 15, 2008 at 10:29 AM, cs chr...@gmail.com wrote:

> Firstly apologies for the long post.
>
> I have a user ranting on about a bunch of e-mail that mysteriously disappeared from a shared mailbox. Naturally, I've been summoned to investigate.
>
> At this stage of my analysis I can't rule out the possibility that one of 3 users has inadvertently moved the missing e-mail from the mailbox into a PST file (albeit either manually or automatically via Outlook 2003's AutoArchive). I've tried using Outlook's Deleted Item Recovery add-in to find out if the e-mail was deleted but suffice to say there is nothing available to recover (which makes me think that the content was moved not deleted).
>
> Before I trawl through any PST files located on each user PC I was wondering if there is any way to query Exchange to determine what specific actions were taken around the specific point in time prior to the e-mail disappearing, i.e. if e-mail A is moved from a mailbox to a PST, is the specific move transaction logged on the server somewhere? Also, does Outlook 2003's AutoArchive contain any client/server side logging functionality?
>
> Ultimately I can restore a mailstore backup to a recovery storage group to retrieve the missing e-mail, but I've been specifically asked by management to tell them why and how the content was originally moved/deleted.
>
> Environment is Exchange 2003, native mode AD.
>
> Hope that makes some degree of sense. Thanks in advance for any help/pointers.

--
Sherry Abercrombie

Any sufficiently advanced technology is indistinguishable from magic.
Arthur C. Clarke

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Exchange auditing
If the mail was moved, it *should* be available via deleted item recovery. The server has to do a copy operation to the pst, then does a delete operation on the messages in the original location. I've used this before to recover when someone had archived all their mail to a pst and deleted it, but then found the pst was corrupted when they took it home. So, if they were moved from the inbox to a pst, you have to enable the DumpsterAlwaysON reg key to recover deleted items from any mailbox, but messages should then be available to restore.

-Bonnie
Re: Exchange auditing
Ah - good point. I haven't checked each individual's deleted items folder yet. I'll have a look.
Re: Exchange auditing
Thanks all for the responses received.

After interrogating each user to the nth degree it turned out one of them had moved the missing content to his own mailbox without telling the others. Idiot.

Via the MS exchange newsgroup I also found an answer to my query about using Exchange logs to audit mailbox transactions at an item level;

Response from MS;

*There's no item-level auditing in Exchange (for items in a user mailbox). Journaling is an option, as are archiving tools from partners.*

Cue Homer Simpson d'oh!!

Guess it's time we splash some cash on an enterprise grade e-mail archiving solution. Death to PSTs!! Woohoo!! M doughnuts