Tracking email deletion at the exchange 2003 level

  • Question

  •   Hello All,

    Looking for advice regarding email deletion logs at the Exchange 2003 level, or if this is even possible.

    Scenario: User complains of emails mysteriously being deleted from Outlook. Fires off email to HR that emails are gone. I was able to recover all emails (from backup, journaling, and Outlook restore regedit mod). According to domain security logs, this user logged onto the domain, then a few minutes later the emails are gone.

    What I am looking for is a way, if any, to tell if someone is doing this on purpose, at the workstation level or at the Exchange level.

    Windows Standard 2003 DC, and Exchange 2003 SP3 with Outlook 2003

    Thank you in advance for any help.

    Wednesday, June 20, 2012 6:28 PM

Answers

  • No, this level of granularity does not exist for 2003. With 2010 you can do mailbox audit logging, which can help, but nothing for 2003.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Marked as answer by Gavin-Zhang Sunday, July 8, 2012 2:39 PM
    Wednesday, June 20, 2012 6:48 PM
  • James is of course correct; however:

    1. First question would be: does anyone else have access to this user's mailbox? Here is an interesting article on how PFAdmin might help you with this issue: http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html
    2. Does this user have an ActiveSync-enabled account? If so, there may be something going on with the phone, so you might try disabling ActiveSync on that account and see if the issue still occurs.
    3. Is it possible that the user is playing games and is purposefully doing a hard delete (Shift+Delete) from their own account and then complaining? More on how you can recover hard-deleted items here: http://support.microsoft.com/kb/246153. However, this requires that you are logged in as that user and that you know the exact folder they deleted the items from, i.e. they could have done a hard delete in place thinking you would never find them, OR they could move and then do a hard delete. So if you want to check this out remotely, check out Lucid8's DigiScope http://www.lucid8.com/product/digiscope.asp, which will let you connect to the user's mailbox in read-only mode, and all items that have been hard deleted will show up as grey instead of black.

    NOTE: You can get a 30-day DEMO license to check this out for free, and you can even create a filter to only show you deleted items, which makes the process even easier to use. BTW, version 4.0 is about to be released; we are in final BETA, so you may want to contact support and ask for this, since there are lots of new goodies in the new version, and if you have any issues support will be happy to help you.

    NOTE 2: The above is just one feature of DigiScope (DS); however, the real magic is that DS can open offline Exchange databases 5.5, 2000, 2003, 2007, and 2010 so that you can browse, search, and export mailboxes, folders, and individual items to PST & MSG, or recover items direct from the offline database to ANY production Exchange server, even cross-version, i.e. 2003 --> 2010 etc.




    Troy Werelius
    www.Lucid8.com
    Search, Recover, & Extract Mailboxes, Folders, & Email Items from Offline EDB's and Live Exchange Servers with Lucid8's DigiScope

    • Marked as answer by Gavin-Zhang Sunday, July 8, 2012 2:40 PM
    Wednesday, June 20, 2012 8:10 PM
