

How can I tell who deleted a message from a public folder?

Posted on 2004-04-15
Medium Priority
Last Modified: 2010-05-18
I am using SBS 2000 running Exchange 2000.

Is there any way I can track down who deleted a message from a public folder and when?
Question by: candoindy

Accepted Solution

John_Q_Jr earned 2000 total points
ID: 10838165
candoindy -

If you have transaction logs that go back as far as when the message was deleted from the Public folder, then you will be able to determine who deleted the message. Go to the First Exchange server in the site or the server with the Public Folder, look in the MDBDATA directory, and search for a specific string in one of the transaction files. Chances are you delete/overwrite these files periodically and the information is lost. If you really need to know, you can look at old logs from backups . . . this could take some time unless you have a relative idea of when the message was deleted.

If you do find the string related to the message you will need to do some deciphering.
First the Public folder will be listed in the top portion of the log with a From: "/o=Exchange Organization name/ou=First Administrative group/cn=Configuration/cn=Servers/cn=ServerName/cn=Microsoft Public MDB"

Where Exchange Organization name = this will be the name of the Exchange 2000 organization
Where servername = this will be the name of server where the item was stored

Then under this will be some logging info, then the content will be separated by a dashed line.
Then there will be a bunch of ASCII in which the message contents will appear and then the name of the user account that accessed and deleted the file. There is no specific information/logging related to the deleting of the document; it will just be the last person to access it. I have included a sample below. As you can see, an account named JQJR accesses a file with the subject: [Subject] (8) Re:Hi

o8       Ù       Ø       Ù DÀ  M€  UÀ  fÀ  gÀ$ ž€& ¢À‚ 々 瀖 耗 逡 ꀩ î€  ï@  A  #A  ;  Ù       Ù I P M . N o t e  [ Subject]   ( 8 )   R e :   H i> ¡V{   ÿÿÿÿ  ±4 John Q Jr= JQJR ±4 Title   . ±4John Q Jr= JQJR
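The string search described in the answer above, as an added Python example that is not part of the original post. It assumes, from the spaced-out characters in the answer's sample, that the subject may be stored as UTF-16LE while account names appear as single-byte text; `SAMPLE` is constructed data, and the script should be run against copies of the log files.

```python
import re

def find_string_hits(data: bytes, needle: str):
    """Return sorted (offset, encoding) pairs where needle occurs as ANSI or UTF-16LE."""
    hits = []
    for enc in ("cp1252", "utf-16-le"):
        pat = needle.encode(enc)
        pos = data.find(pat)
        while pos != -1:
            hits.append((pos, enc))
            pos = data.find(pat, pos + 1)
    return sorted(hits)

def nearby_strings(data: bytes, offset: int, window: int = 256, min_len: int = 4):
    """List printable strings (single-byte and UTF-16LE) within window bytes of offset."""
    lo = max(0, offset - window)
    chunk = data[lo:offset + window]
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, chunk):
        found.append((lo + m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, chunk):
        found.append((lo + m.start(), m.group().decode("utf-16-le")))
    return [text for _, text in sorted(found)]

# Constructed sample loosely modelled on the excerpt in the answer; not a real log.
SAMPLE = (
    b"\x00\xd9\x00\x00" * 8
    + "IPM.Note".encode("utf-16-le") + b"\x00\x00"
    + "[Subject] (8) Re: Hi".encode("utf-16-le")
    + b"\xff\xff\xff\xff\x00"
    + b"John Q Jr=JQJR\x00Title\x00"
)

if __name__ == "__main__":
    import sys
    # Usage (assumed): script.py "<subject text>" <copy-of-log> [<copy-of-log> ...]
    needle = sys.argv[1] if len(sys.argv) > 1 else "Re: Hi"
    blobs = {p: open(p, "rb").read() for p in sys.argv[2:]} or {"<sample>": SAMPLE}
    for name, data in blobs.items():
        for off, enc in find_string_hits(data, needle):
            print(name, off, enc, nearby_strings(data, off))
```
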


Author Comment

ID: 10843586
Thank you for your detailed response.

So the best I can do is determine who the last person was that accessed the email in question but I really can't prove that person deleted it.

We have employees deleting orders that come in to a public folder and then claiming they never saw the email so they can get out of the work involved in placing the order. Now I have no problem tracking the original message down once the customer calls in asking where their order is. My problem is I can't go back to the employee with anything proving they were the one that deleted it. Oh well.

thanks again

Expert Comment

ID: 10843943
Maybe the answer is not in finding out after it was deleted but preventing users from deleting the messages in the first place. Do they need delete rights? Can you just have users MOVE messages to a deleted Public Folder and then just have a script that runs at a regular frequency to remove the messages?

Expert Comment

ID: 10845152
. . . also, in the future you can audit the Public folders just as you would any other folder resource. I assumed you wanted an answer if this had happened in the past. This will allow you to present positive proof in the future of items being deleted by a user.
If running E2K or E2K3, open ESM, expand the Folder store, and go to the Public Folders. Right-click the folder in question and select Properties, go to the Permissions tab, click on Directory rights..., click on the Advanced... tab, then click on the Auditing tab and select the user/group and object access you want to audit.

Make sure you have enough room in your security log for all the extra logging.
