Solved

How can I tell who deleted a message from a public folder?

Posted on 2004-04-15
4
678 Views
Last Modified: 2010-05-18
I am using SBS 2000 running Exchange 2000.

Is there anyway I can track down who deleted a message from a public folder and when?
0
Comment
Question by:candoindy
  • 3
4 Comments
 
LVL 1

Accepted Solution

by:
John_Q_Jr earned 500 total points
ID: 10838165
candoindy -

If you have transaction logs that go back as far as when the message was deleted from the Public folder then you will be able to determine who deleted the message. Go to the First Exchange server in the site or the server with the Public Folder and look in the MDBDATA directory and search for a specific string in one of the transaction files. Chances are you delete/overwrite these files periodically and the information is lost.  If you really need to know you can look at old logs from backups  . . . this could take some time unless you have a relative idea of when the message was deleted.

If you do find the string related to the message you will need to do some deciphering.
First the Public folder will be listed in the top portion of the log with a From: "/o=Exchange Organization name/ou=First Administrative group/cn=Configuration/cn=Servers/cn=ServerName/cn=Microsoft Public MDB"

Where Exchange Organization name = this will be the name of exchange 2000 origination
Where servername = this will be the name of server where the item was stored

Then under this will be some logging info then the content will be separated by a dashed line.
Then there will be a bunch of ASCII in which the message contacts will appear and then name of the user account that accessed and deleted the file. There is no specific information/logging related to the deleting of the document  it will just be the last person to access it. I have included a sample below. As you can see an account named JQJR accesses a file with the subject: [Subject] (8) Re:Hi

o8       Ù       Ø       Ù DÀ  M€  UÀ  fÀ  gÀ$ ž€& ¢À‚ 々 瀖 耗 逡 ꀩ î€  ï@  A  #A  ;  Ù       Ù I P M . N o t e  [ Subject]   ( 8 )   R e :   H i     200404140624.i3E6OhNL042848@mailfilter01-domainname.net> ¡V{   ÿÿÿÿ  ±4 John Q Jr= JQJR ±4 Title   . ±4John Q Jr= JQJR


0
 
LVL 1

Author Comment

by:candoindy
ID: 10843586
Thank you for your detailed response.

So the best I can do is determine who the last person was that accessed the email in question but I really can't prove that person deleted it.

We have employees deleting orders that come in to a public folder and then claiming they never saw the email so they can get out of the work involved in placing the order. Now I have no problem tracking the original message down once the customer calls in asking where there order is. My problem is I can't go back to the employee with anyhting proving they were the one that deleted it. Oh well.

thanks again
0
 
LVL 1

Expert Comment

by:John_Q_Jr
ID: 10843943
maybe the answer is not in finding out after it was deleted but preventing users from deleting the the messages in the first place. Do they need delete rights? Can you just have users MOVE messages to a deleted Public Folder and then just have a script that runs at a regular frequency to remove the messages?
0
 
LVL 1

Expert Comment

by:John_Q_Jr
ID: 10845152
. . . . also in the future you can audit the Public folders just as you would any other folder resource. I assumed you wanted an answer if this had happened in the past. This will allow you to present positive proof in the future of items being deleted by a user.
If running E2K or E2K3 open ESM, expand the Folder store go to the Public Folders.  right click the folder in question and select properties, go to the Permissions tab. . click on Directory rights….click on the Advanced…. tab, then click on the auditing tab and select the user/group, and object access you want to audit.

Make sure you have enough room in you security log for all the extra logging.
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now