Exchange Logon Statistics

Hi, I have a employee that swears she did not send and email out.  This was an internal email and we are running exchange 2010.  I have verified from her outlook it was not sent from her pc, and also message tracking in exchange doesnt show a source IP address.  

I tried using Get-LogonStatistics however I am not familiar enough to know how to use this feature to track this.  Can anyone suggest any options I may have to find out who internally sent this message?
diesel1218Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
EEhotlineConnect With a Mentor Commented:
Yes

Get-LogonStatistics -Identity <username> | ft applicationid,logontime,clientversion,lastaccesstime,clientipaddress

*Edit*: if you go to the RPC client access log under Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access it DOES have all of this information. shows correct client IP, cached mode, outlook version etc... It's just in an ugly log file.
0
 
EEhotlineCommented:
She didn't send the email but it said it was sent from her mailbox? Does anyone else have permission to her mailbox?
0
 
diesel1218Author Commented:
No one else has permission but that's why I think someone may know her password and sent it through webmail or something.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
EEhotlineCommented:
You can try these:

Get-LogonStatistics -Identity <username> | ft applicationid,logontime,clientversion,lastaccesstime

The Get-LogonStatistics cmdlet can be useful for doing some basic checks on client logons, but the information returned from the previous command can be a little confusing and might seem inaccurate.

For example, the ClientVersion property returned for each logon will always be reported as the same version number for end-user logons. This is due to the fact that client connections go through the Client Access role in Exchange 2010.

The ApplicationId property will indicate whether clients are connected via RPC or through Outlook Web App. Keep in mind that, depending on the client, multiple connections could be reported.

Client's applications initiate multiple connections, so you will likely notice that this cmdlet will return anywhere from three to five records for each user connected to a mailbox

Hope it will help you a bit,

*Edit*: if someone might know her password, you should try to change her password first.
0
 
diesel1218Author Commented:
Thank you, Is there any way to see IP info?
0
 
diesel1218Author Commented:
Thank you
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.