Channel: Practical 365

Tracking Mailbox Owner Deletes Using Mailbox Audit Logging


I’ve had some questions from readers asking whether it is possible to tell when a mailbox user has deleted items from their own mailbox. This question seems to come from those very special support situations where an end user is blaming others for email going missing. I guess if the situation is serious enough then some audit trail would certainly be useful for proving who deleted the mailbox items.

I’ve previously covered mailbox audit logging, which is a feature of both Exchange Server 2010 and 2013. In my demonstrations of mailbox audit logging I tend to focus on auditing administrator and delegate actions, which are a more common support scenario in my experience. However, auditing of mailbox owner actions is also possible; it is just not enabled by default.

Before we proceed I’ll just highlight that mailbox audit logging does consume storage on the Exchange server. For admin/delegate situations this is usually a negligible amount. Mailbox owner actions, however, occur much more frequently, so they have a greater potential to consume a large amount of storage.

To mitigate that risk I would recommend only enabling mailbox audit logging of mailbox owners for actions that involve deleting email.

So let’s take a look at how this works.

First, the mailbox must be enabled for mailbox audit logging before you can use the audit logs to prove anything.

[PS] C:\>Set-Mailbox alan.reid -AuditEnabled:$true

Now we can see that auditing is enabled for the mailbox, but no owner actions are being audited.

[PS] C:\>get-mailbox alan.reid | fl *audit*
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

So next we need to configure the owner actions to audit. In this example I’m only configuring delete actions to be audited. If I included other actions such as Create, Move, etc, then a lot of audit logging would be generated as the mailbox owner read and dealt with their emails.

[PS] C:\>Set-Mailbox Alan.Reid -AuditOwner "HardDelete,SoftDelete,MoveToDeletedItems"

After waiting a short period of time I logged in as Alan and made a variety of delete-type actions, such as manually moving an item to the Deleted Items folder, soft deleting an email (so it goes to Deleted Items), and hard deleting an email (Shift+Delete so it skips the Deleted Items folder).

Finally, in the Exchange Management Shell, I can run a mailbox audit logging search of Alan’s mailbox to see the audit log entries for the delete actions I performed.

[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails

You can see I use Get-Date to set the start date to 1 hour ago. Also, when the LogonType is “Owner” we must also use the -ShowDetails switch.

The output of the above command is quite long, so here is a shorter version for the sake of demonstration. In a real world scenario I would recommend looking at the complete output, not this truncated version.

[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*,sourceitemfolder*

Operation                     : SoftDelete
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  I'm sorry I spammed you
SourceItemFolderPathNamesList : Inbox

Operation                     : MoveToDeletedItems
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  Marketing newsletter
SourceItemFolderPathNamesList : Inbox

Operation                     : MoveToDeletedItems
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  Cryptic unearth plaque
SourceItemFolderPathNamesList : Inbox
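
To answer the "who deleted it" question from a long -ShowDetails result, the entries can be filtered down to successful delete operations on a given subject. The following is an added example, not code from the original article: Find-MailboxDelete and New-SampleEntry are hypothetical helper names, the sample entries are constructed, and LogonType and LastAccessed are properties of the full -ShowDetails output that the truncated listing above does not show.

```powershell
# Added example, not from the original article. Find-MailboxDelete is a hypothetical name.
function Find-MailboxDelete {
    param(
        # Audit entries, e.g. piped from Search-MailboxAuditLog ... -ShowDetails
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Entry,
        # Wildcard pattern matched against the deleted item's subject
        [string] $Subject = '*'
    )
    begin { $deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems' }
    process {
        # Keep only successful delete-type operations
        if ($deleteOps -notcontains $Entry.Operation) { return }
        if ($Entry.OperationResult -ne 'Succeeded') { return }
        # The subject field carries leading whitespace in the output, so trim it
        $subjects = ([string]$Entry.SourceItemSubjectsList).Trim()
        if ($subjects -notlike $Subject) { return }
        New-Object PSObject -Property @{
            When = $Entry.LastAccessed; Who = $Entry.LogonUserDisplayName
            LogonType = $Entry.LogonType; Operation = $Entry.Operation
            Folder = $Entry.SourceItemFolderPathNamesList; Subject = $subjects
        } | Select-Object When, Who, LogonType, Operation, Folder, Subject
    }
}

# Constructed sample entries (not real log data) so the function can be tried offline.
function New-SampleEntry($when, $who, $type, $op, $result, $subject) {
    New-Object PSObject -Property @{
        LastAccessed = [datetime]$when; LogonUserDisplayName = $who; LogonType = $type
        Operation = $op; OperationResult = $result
        SourceItemSubjectsList = $subject; SourceItemFolderPathNamesList = 'Inbox'
    }
}
$sample = @(
    (New-SampleEntry '2014-05-01 09:12' 'Alan Reid' 'Owner' 'MoveToDeletedItems' 'Succeeded' ' Marketing newsletter'),
    (New-SampleEntry '2014-05-01 09:15' 'Alan Reid' 'Owner' 'SoftDelete' 'Succeeded' " I'm sorry I spammed you"),
    (New-SampleEntry '2014-05-01 10:40' 'Sample Delegate' 'Delegate' 'HardDelete' 'Succeeded' ' Quarterly report'),
    (New-SampleEntry '2014-05-01 10:41' 'Sample Delegate' 'Delegate' 'SendAs' 'Succeeded' ' Quarterly report')
)

# Who deleted the newsletter? Against a live mailbox, replace $sample with:
#   Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner,Delegate,Admin `
#       -StartDate (Get-Date).AddDays(-7) -ShowDetails
$sample | Find-MailboxDelete -Subject '*newsletter*' | Format-Table -AutoSize
```

Searching all three logon types in one pass shows whether the owner, a delegate or an administrator removed the item, which is the evidence needed when a user disputes a deletion.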

So, you can see that tracking mailbox owner deletes is possible using mailbox audit logging. The important considerations are to enable audit logging first, so that it is in place before any support situations arise, and to limit the auditing to only the actions that are needed (such as deletes), so that the impact on database storage is kept under control.


This article Tracking Mailbox Owner Deletes Using Mailbox Audit Logging is © 2014 ExchangeServerPro.com
