Link to home
Start Free TrialLog in
Avatar of William Ramsey
William RamseyFlag for United States of America

asked on

Search Exchange Logs

I am using Exchange 2010 on Windows Server 2008.  I have been asked to prove that an item (two contacts to be exact) was deleted and if possible who deleted it.  My guess is that they deleted it on the user's workstation that they belonged to.  So the who is probably impossible.  But I am trying to narrow down the time frame.  I am guessing there is some kind of log that should store this.  And I am guessing it is the transaction log.  But I am not sure if there is a good way to "read" them and better yet, filter them.  I have checked the security logs in Windows, but they are overwritten.  Or if I am looking in the wrong place, I would really appreciate some help.  Thanks.
ASKER CERTIFIED SOLUTION
Avatar of essaydave
essaydave
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of William Ramsey
William Ramsey
Flag of United States of America image

ASKER

That is an awesome tool!  Unfortunately it looks like the user has already put the contact back which would have altered the Last Modifier name and timestamp.  I am really grateful for this information.  But is there any other place that I might be able to find this information?  I am going to check and see if it is on my backup tomorrow morning or see if he moved it back before the backup.  (I really wish I would have been made aware of this a lot sooner).  Thanks again.
Avatar of William Ramsey
William Ramsey
Flag of United States of America image

ASKER

Awesome info!  I really like the software that you showed me.  Unfortunately my employee had already modified the contact again so that last time and last modifier fields had changed.  I was hoping for more of a log.  But this is better than nothing.  Thanks!