

How can I tell who deleted a message from a public folder?

Posted on 2004-04-15
Medium Priority
Last Modified: 2010-05-18
I am using SBS 2000 running Exchange 2000.

Is there any way I can track down who deleted a message from a public folder and when?
Question by:candoindy

Accepted Solution

John_Q_Jr earned 2000 total points
ID: 10838165
candoindy -

If you have transaction logs that go back as far as when the message was deleted from the Public folder, then you will be able to determine who deleted the message. Go to the First Exchange server in the site or the server with the Public Folder, look in the MDBDATA directory, and search for a specific string in one of the transaction files. Chances are you delete/overwrite these files periodically and the information is lost. If you really need to know, you can look at old logs from backups . . . this could take some time unless you have a relative idea of when the message was deleted.

If you do find the string related to the message you will need to do some deciphering.
First the Public folder will be listed in the top portion of the log with a From: "/o=Exchange Organization name/ou=First Administrative group/cn=Configuration/cn=Servers/cn=ServerName/cn=Microsoft Public MDB"

Where Exchange Organization name = this will be the name of the Exchange 2000 organization
Where servername = this will be the name of server where the item was stored

Then under this will be some logging info, then the content will be separated by a dashed line.
Then there will be a bunch of ASCII in which the message contacts will appear and then the name of the user account that accessed and deleted the file. There is no specific information/logging related to the deleting of the document; it will just be the last person to access it. I have included a sample below. As you can see, an account named JQJR accesses a file with the subject: [Subject] (8) Re:Hi

o8       Ù       Ø       Ù DÀ  M€  UÀ  fÀ  gÀ$ ž€& ¢À‚ 々 瀖 耗 逡 ꀩ î€  ï@  A  #A  ;  Ù       Ù I P M . N o t e  [ Subject]   ( 8 )   R e :   H i     200404140624.i3E6OhNL042848@mailfilter01-domainname.net> ¡V{   ÿÿÿÿ  ±4 John Q Jr= JQJR ±4 Title   . ±4John Q Jr= JQJR
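
The string search described in the answer above, as an added example that is not part of the original thread: it scans a copy of the transaction logs for a subject or account name, trying both single-byte ASCII and UTF-16LE. The UTF-16LE case is an assumption drawn from the spaced-out `I P M . N o t e` in the sample; the file names and sample bytes are constructed.

```python
import mmap
import os
import re
import tempfile

def printable(raw):
    """Drop NUL padding (UTF-16LE text) and mask non-printable bytes."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw.replace(b"\x00", b""))

def search_log(path, needle, context=40):
    """Return [(offset, encoding, context_text)] for each hit of needle in one log file."""
    if os.path.getsize(path) == 0:
        return []                      # mmap cannot map an empty file
    patterns = {enc: re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
                for enc in ("ascii", "utf-16-le")}
    hits = []
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as buf:
        for enc, pat in patterns.items():
            for m in pat.finditer(buf):
                lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
                hits.append((m.start(), enc, printable(buf[lo:hi])))
    return sorted(hits)

def search_directory(log_dir, needle):
    """Scan every *.log file in log_dir (e.g. a restored copy of MDBDATA), oldest first."""
    logs = sorted((e for e in os.scandir(log_dir) if e.name.lower().endswith(".log")),
                  key=lambda e: e.stat().st_mtime)
    return {e.name: h for e in logs if (h := search_log(e.path, needle))}

def demo():
    """Constructed sample: a fake log holding a UTF-16LE subject and an ASCII account name."""
    blob = (b"\x00\xd9\x01" + "IPM.Note".encode("utf-16-le") + b"\x08\x00"
            + "Re: Hi".encode("utf-16-le") + b"\xb1\x34John Q Jr= JQJR\xb1\x34")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "E000001A.log"), "wb") as fh:
            fh.write(blob)
        open(os.path.join(d, "E000001B.log"), "wb").close()   # empty file, no hits
        return search_directory(d, "re: hi"), search_directory(d, "JQJR")

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it against logs restored from backup to a working directory so the search never touches the live store; the context text shows which account name sits next to the subject, which is the "last person to access it" evidence the answer describes.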


Author Comment

ID: 10843586
Thank you for your detailed response.

So the best I can do is determine who the last person was that accessed the email in question but I really can't prove that person deleted it.

We have employees deleting orders that come in to a public folder and then claiming they never saw the email so they can get out of the work involved in placing the order. Now I have no problem tracking the original message down once the customer calls in asking where their order is. My problem is I can't go back to the employee with anything proving they were the one that deleted it. Oh well.

thanks again

Expert Comment

ID: 10843943
Maybe the answer is not in finding out after it was deleted but preventing users from deleting the messages in the first place. Do they need delete rights? Can you just have users MOVE messages to a deleted Public Folder and then just have a script that runs at a regular frequency to remove the messages?

Expert Comment

ID: 10845152
. . . . also in the future you can audit the Public folders just as you would any other folder resource. I assumed you wanted an answer if this had happened in the past. This will allow you to present positive proof in the future of items being deleted by a user.
If running E2K or E2K3, open ESM, expand the Folder store, and go to the Public Folders. Right-click the folder in question and select Properties, go to the Permissions tab, click on Directory rights…, click on the Advanced… tab, then click on the Auditing tab and select the user/group and object access you want to audit.

Make sure you have enough room in your security log for all the extra logging.
