How can I tell who deleted a message from a public folder?

Posted on 2004-04-15
Last Modified: 2010-05-18
I am using SBS 2000 running Exchange 2000.

Is there any way I can track down who deleted a message from a public folder and when?
Question by: candoindy

Accepted Solution

John_Q_Jr earned 500 total points
ID: 10838165
candoindy -

If you have transaction logs that go back as far as when the message was deleted from the Public folder, then you will be able to determine who deleted the message. Go to the First Exchange server in the site or the server with the Public Folder, look in the MDBDATA directory, and search for a specific string in one of the transaction files. Chances are you delete/overwrite these files periodically and the information is lost. If you really need to know, you can look at old logs from backups... this could take some time unless you have a relative idea of when the message was deleted.

If you do find the string related to the message you will need to do some deciphering.
First the Public folder will be listed in the top portion of the log with a From: "/o=Exchange Organization name/ou=First Administrative group/cn=Configuration/cn=Servers/cn=ServerName/cn=Microsoft Public MDB"

Where Exchange Organization name = this will be the name of the Exchange 2000 organization
Where ServerName = this will be the name of the server where the item was stored

Then under this will be some logging info, then the content will be separated by a dashed line.
Then there will be a bunch of ASCII in which the message contacts will appear and then the name of the user account that accessed and deleted the file. There is no specific information/logging related to the deleting of the document; it will just be the last person to access it. I have included a sample below. As you can see, an account named JQJR accesses a file with the subject: [Subject] (8) Re:Hi

o8       Ù       Ø       Ù DÀ  M€  UÀ  fÀ  gÀ$ ž€& ¢À‚ 々 瀖 耗 逡 ꀩ î€  ï@  A  #A  ;  Ù       Ù I P M . N o t e  [ Subject]   ( 8 )   R e :   H i> ¡V{   ÿÿÿÿ  ±4 John Q Jr= JQJR ±4 Title   . ±4John Q Jr= JQJR
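
An added example, not part of the original answer: a Python sketch of the string search described above, meant to be run against copies of the transaction logs. It assumes the subject may be stored either as single-byte text or as UTF-16LE (the spaced-out characters in the excerpt suggest the latter); the function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Runs of 4+ printable characters, either UTF-16LE (char + NUL) or single-byte.
PRINTABLE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}|[\x20-\x7e]{4,}")

def find_subject(data, subject):
    """Offsets where the subject occurs as single-byte or UTF-16LE text."""
    hits = set()
    if not subject:
        return []
    for needle in (subject.encode("utf-8"), subject.encode("utf-16-le")):
        pos = data.find(needle)
        while pos != -1:
            hits.add(pos)
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def strings_near(data, offset, window=256):
    """Readable strings within `window` bytes of a hit."""
    chunk = data[max(0, offset - window):offset + window]
    found = []
    for match in PRINTABLE.finditer(chunk):
        raw = match.group()
        enc = "utf-16-le" if b"\x00" in raw else "ascii"
        found.append(raw.decode(enc).strip())
    return [s for s in found if s]

def scan_logs(log_dir, subject):
    """Map each *.log file containing the subject to (offset, nearby strings)."""
    report = {}
    for path in sorted(Path(log_dir).glob("*.log")):
        data = path.read_bytes()
        hits = find_subject(data, subject)
        if hits:
            report[path.name] = [(h, strings_near(data, h)) for h in hits]
    return report

# Constructed sample modelled on the excerpt in the answer, not real log data.
SAMPLE = (b"\x01\xd9\x02\xd9" + "IPM.Note".encode("utf-16-le") + b"\x01\x02"
          + "[Subject] (8) Re: Hi".encode("utf-16-le") + b"\xa1\xff\xff\x01"
          + b"John Q Jr= JQJR" + b"\x00\xb1")

if __name__ == "__main__":
    for off in find_subject(SAMPLE, "Re: Hi"):
        print(off, strings_near(SAMPLE, off))
```

As the answer says, an account name found next to the subject only shows who last accessed the item, not that they deleted it.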


Author Comment

ID: 10843586
Thank you for your detailed response.

So the best I can do is determine who the last person was that accessed the email in question but I really can't prove that person deleted it.

We have employees deleting orders that come in to a public folder and then claiming they never saw the email so they can get out of the work involved in placing the order. Now I have no problem tracking the original message down once the customer calls in asking where their order is. My problem is I can't go back to the employee with anything proving they were the one that deleted it. Oh well.

Thanks again

Expert Comment

ID: 10843943
Maybe the answer is not in finding out after it was deleted but preventing users from deleting the messages in the first place. Do they need delete rights? Can you just have users MOVE messages to a deleted Public Folder and then just have a script that runs at a regular frequency to remove the messages?

Expert Comment

ID: 10845152
...also, in the future you can audit the Public folders just as you would any other folder resource. I assumed you wanted an answer if this had happened in the past. This will allow you to present positive proof in the future of items being deleted by a user.
If running E2K or E2K3, open ESM, expand the Folder store, and go to the Public Folders. Right-click the folder in question and select Properties, go to the Permissions tab, click on Directory rights..., click on the Advanced... tab, then click on the Auditing tab and select the user/group and object access you want to audit.

Make sure you have enough room in your security log for all the extra logging.
