How can I tell who deleted a message from a public folder?

Posted on 2004-04-15
Last Modified: 2010-05-18
I am using SBS 2000 running Exchange 2000.

Is there any way I can track down who deleted a message from a public folder and when?
Question by: candoindy

Accepted Solution

John_Q_Jr earned 500 total points
ID: 10838165
candoindy -

If you have transaction logs that go back as far as when the message was deleted from the Public folder, then you will be able to determine who deleted the message. Go to the First Exchange server in the site or the server with the Public Folder, look in the MDBDATA directory and search for a specific string in one of the transaction files. Chances are you delete/overwrite these files periodically and the information is lost. If you really need to know, you can look at old logs from backups . . . this could take some time unless you have a relative idea of when the message was deleted.

If you do find the string related to the message, you will need to do some deciphering.
First, the Public folder will be listed in the top portion of the log with a From: "/o=Exchange Organization name/ou=First Administrative group/cn=Configuration/cn=Servers/cn=ServerName/cn=Microsoft Public MDB"

Where Exchange Organization name = this will be the name of the Exchange 2000 organization
Where servername = this will be the name of server where the item was stored

Then under this will be some logging info, then the content will be separated by a dashed line.
Then there will be a bunch of ASCII in which the message contacts will appear and then the name of the user account that accessed and deleted the file. There is no specific information/logging related to the deleting of the document; it will just be the last person to access it. I have included a sample below. As you can see, an account named JQJR accesses a file with the subject: [Subject] (8) Re:Hi

o8       Ù       Ø       Ù DÀ  M€  UÀ  fÀ  gÀ$ ž€& ¢À‚ 々 瀖 耗 逡 ꀩ î€  ï@  A  #A  ;  Ù       Ù I P M . N o t e  [ Subject]   ( 8 )   R e :   H i> ¡V{   ÿÿÿÿ  ±4 John Q Jr= JQJR ±4 Title   . ±4John Q Jr= JQJR
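The search described in this answer, as an added example that is not part of the original post: it looks for a subject string in copies of the transaction logs and lists the readable strings that follow each hit. The function names and the constructed sample are hypothetical; it assumes the logs were restored from backup into a working directory and that text appears as in the excerpt above, with the subject stored as two-byte characters and the account name as single-byte text.

```python
import re
from pathlib import Path

# Runs of 4+ printable characters, stored single-byte or as UTF-16LE.
ANSI_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def find_subject(data, subject):
    """Offsets where `subject` occurs, tried in both encodings."""
    needles = {"ansi": subject.encode("cp1252", "replace"),
               "utf-16le": subject.encode("utf-16-le")}
    hits = []
    for label, needle in needles.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def strings_after(data, offset, window=256):
    """Readable strings in the `window` bytes from `offset`, in file order."""
    chunk = data[offset:offset + window]
    found = [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(chunk)]
    found += [(m.start(), m.group().decode("ascii")) for m in ANSI_RUN.finditer(chunk)]
    return [text for _, text in sorted(found)]

def scan_logs(log_dir, subject):
    """Search every *.log in `log_dir` (restored copies, not the live files)."""
    results = []
    for path in sorted(Path(log_dir).glob("*.log")):
        data = path.read_bytes()
        for offset, encoding in find_subject(data, subject):
            results.append({"file": path.name, "offset": offset,
                            "encoding": encoding,
                            "nearby": strings_after(data, offset)})
    return results

# Constructed sample modelled on the excerpt above: UTF-16LE subject,
# binary filler, then the display name and account in single-byte text.
SAMPLE = (b"\xd9\x00\x00\x00" + "IPM.Note".encode("utf-16-le") + b"\x00\x00"
          + "[Subject] (8) Re: Hi".encode("utf-16-le") + b"\xa1\x01\xff\xff\xff\xff\xb1\x04"
          + b"John Q Jr= JQJR" + b"\xb1\x04\x00")

if __name__ == "__main__":
    print(strings_after(SAMPLE, find_subject(SAMPLE, "Re: Hi")[0][0]))
```

Calling `scan_logs(directory, subject)` on a folder of restored logs returns one record per hit with the file name and byte offset, so each match can be tied to a specific log file.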


Author Comment

ID: 10843586
Thank you for your detailed response.

So the best I can do is determine who the last person was that accessed the email in question but I really can't prove that person deleted it.

We have employees deleting orders that come in to a public folder and then claiming they never saw the email so they can get out of the work involved in placing the order. Now I have no problem tracking the original message down once the customer calls in asking where their order is. My problem is I can't go back to the employee with anything proving they were the one that deleted it. Oh well.

thanks again

Expert Comment

ID: 10843943
Maybe the answer is not in finding out after it was deleted but preventing users from deleting the messages in the first place. Do they need delete rights? Can you just have users MOVE messages to a deleted Public Folder and then just have a script that runs at a regular frequency to remove the messages?

Expert Comment

ID: 10845152
. . . also, in the future you can audit the Public folders just as you would any other folder resource. I assumed you wanted an answer if this had happened in the past. This will allow you to present positive proof in the future of items being deleted by a user.
If running E2K or E2K3, open ESM, expand the Folder store and go to the Public Folders. Right-click the folder in question and select Properties, go to the Permissions tab, click on Directory rights…, click on the Advanced… tab, then click on the Auditing tab and select the user/group and object access you want to audit.

Make sure you have enough room in your security log for all the extra logging.
