Link to home
Start Free TrialLog in
Avatar of First Last
First LastFlag for United States of America

asked on

Tracking who deleted an email - Exchange 2010

I have a request from my manager to find out which staff member deleted a particular email from a shared mailbox.  Everyone in this department shares a mailbox which is setup along side their regular Outlook 2003 accounts.  Someone deleted an email from the shared mailbox but I'm having a hard time figuring out which member of the group did it.  

What would be the best way of finding out who actually deleted the email?
Avatar of Mustafa L. McLinn
Mustafa L. McLinn
Flag of United States of America image

You needed to turn Journaling on for the email.
Avatar of skullnobrains
skullnobrains

look at your log. if they login through different accounts, it will be easy to tell. if not, and if the log verbosity is high enough you may be able to track back the connection id and the originating ip
Avatar of First Last

ASKER

Can you go into more detail about that?  There is no way to track deleted items without journaling being enabled?  I do in fact have it turned on but its to archive emails to GFI.
@skullnobrains - What log would I examine and where can I find it?
This is outlook 2003?

Was the mailbox shared as an additional mailbox?

Just go to the Users, or open their outlook profiles on a seperate machine
Have a look in their delete Items, or their recover deleted items

The email in question should show in the culprits deleted items
Ok, I found the auditing tools and exported a report but it simply returns an XML file with these contents:


<?xml version="1.0" encoding="UTF-8"?>
<SearchResults/>

Does this indicate I do not have the correct level of auditing enabled?
You need to turn on auditing to do this, not journaling.  If auditing is not on you will not know which user deleted the mail.
ASKER CERTIFIED SOLUTION
Avatar of Amit
Amit
Flag of India image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Got it, I read the same article just as you linked it.  I need to turn this on, I hadn't before.  Thank you everyone!
Start the Exchange System Manager tool.
Expand Administrative Groups, expand your administrative group, expand Servers, right-click your server, and then click Properties.

you'll find your log settings there.

either the information is available in the log, or it is lost. logging does not occur retroactively so changing log verbosity will not help for the current problem. but it can help for future ones.
Not sure if I agree that, that is the answer

Going forward, yes, once its turned on and used

But in your current quesion above it doesnt answer your question

Any user who deletes a Mail items from a shared mailbox, in outlook 2003 it will show in their deleted items.

If its to be found in deleted itmes, or recover deleted items
Checking the suspected users deleted items, will tell you who deleted it.
Ok if you really want indepth tracking, then look for this software. Paid one, but works really well.

http://www.quest.com/changeauditor-for-exchange/
I should have elaborated.  The user has since purged his deleted emails and it was a while back prior to the exchange 2010 upgrade so there is nothing there to recover.
Ah okay

Cheers for the clarification
sorry to revive this thread,, I Got the same request, I turned on auditing for the shared box about an hour ago but there is no data to view, does it take time? should i run the managed folder assistant on this box?