I’ve had some questions from readers asking whether it is possible to tell when a mailbox user has deleted items from their own mailbox. This question seems to come from those very special support situations where an end user is blaming others for email going missing. I guess if the situation is serious enough then some audit trail would certainly be useful for proving who deleted the mailbox items.
I’ve previously covered mailbox audit logging, which is a feature of both Exchange Server 2010 and 2013. In my demonstrations of mailbox audit logging I tend to focus on auditing administrator and delegate actions, which are a more common support scenario in my experience. However, auditing of mailbox owner actions is also possible, it is just not enabled by default.
Before we proceed I’ll just highlight that mailbox audit logging does consume storage on the Exchange server. For admin/delegate situations this is usually a negligible amount, however mailbox owner actions occur much more frequently so they have a greater potential to consume a large amount of storage.
To mitigate that risk I would recommend only enabling mailbox audit logging of mailbox owners for actions that involve deleting email.
So let’s take a look at how this works.
First, the mailbox must be enabled for mailbox audit logging before you can use the audit logs to prove anything.
[PS] C:\>get-mailbox alan.reid | Set-Mailbox -AuditEnabled:$true
Now we can see that auditing is enabled for the mailbox, but no owner actions are being audited.
[PS] C:\>get-mailbox alan.reid | fl *audit* AuditEnabled : True AuditLogAgeLimit : 90.00:00:00 AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create} AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create} AuditOwner : {}
So next we need to configure the owner actions to audit. In this example I’m only configuring delete actions to be audited. If I included other actions such as Create, Move, etc, then a lot of audit logging would be generated as the mailbox owner read and dealt with their emails.
[PS] C:\>Set-Mailbox Alan.Reid -AuditOwner "HardDelete,SoftDelete,MoveToDeletedItems"
After waiting a short period of time I logged in as Alan and made a variety of delete-type actions, such as manually moving an item to the Deleted Items folder, soft deleting an email (so it goes to Deleted Items), and hard deleting an email (Shift+Delete so it skips the Deleted Items folder).
Finally, in the Exchange Management Shell, I can run a mailbox audit logging search of Alan’s mailbox to see the audit log entries for the delete actions I performed.
[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails
You can see I use Get-Date to set the start date to 1 hour ago. Also, when the LogonType is “Owner” we must also use the -ShowDetails switch.
The output of the above command is quite long, so here is a shorter version for the sake of demonstration. In a real world scenario I would recommend looking at the complete output, not this truncated version.
[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*,sourceitemfolder* Operation : SoftDelete OperationResult : Succeeded LogonUserDisplayName : Alan Reid SourceItemSubjectsList : I'm sorry I spammed you SourceItemFolderPathNamesList : Inbox Operation : MoveToDeletedItems OperationResult : Succeeded LogonUserDisplayName : Alan Reid SourceItemSubjectsList : Marketing newsletter SourceItemFolderPathNamesList : Inbox Operation : MoveToDeletedItems OperationResult : Succeeded LogonUserDisplayName : Alan Reid SourceItemSubjectsList : Cryptic unearth plaque SourceItemFolderPathNamesList : Inbox
So, you can see the tracking mailbox owner deletes is possible using mailbox audit logging. The important considerations are to enable audit logging first so that it is in place before any support situations arise, and also to limit the auditing only to the actions (such as deletes) that are needed so that the impact to database storage is kept under control.
Hi Paul,
I hope you can help me sort this out…
Exchange 2013 on premises.
I have a couple of sensitive shared mailboxes to monitor and I have enabled auditing on these.
Recently the section chief noticed some messages have been deleted from the inbox of that shared mailbox. In the last 24 hours.
I run the search-mailboxauditlog command, filter on *Delete, and I can find 8 entries. The problems are:
– it’s the section chief, and only him, who has deleted these messages – he confirms it, but he wants to know about other messages
– it’s ONLY soft-deleted messages
I also did the search on the move* Operation, no luck.
I connected directly on the shared mailbox, and I can find the messages he is looking for, in the Recover Deleted Items, at the approximative time he specified – so I assume they were hard-deleted.
But the search is not giving me this information !!!
Here is the command that I have run :
Search-MailboxAuditLog -Identity alias -LogonTypes Delegate,Admin,Owner -StartDate(get-date).addhours(-48) -ShowDetails | Where-Object {$_.Operation -like “*Delete”} | ft FolderPathName,LogonUserDIsplayName,LastAccessed,Operation,SourceItemSubjectsList
Am I doing something wrong ?
Thanks !
Luuke
Hi, This is exactly what Im trying to do. Find who enjoys moving and removing customers emails in a shared mailbox π
using Exchange 2019 CU3. I need to find out who has fun with the team mailbox.
I run the command
Search-MailboxAuditLog -identity BelovedCustomersMailbox -LogonTypes Delegate,Owner -StartDate 01/01/2020 -ShowDetails
That gives me no result. No error, but no result. Just gives me the prompt to the next line.
Audit is enabled on the mailbox with default parameters (90 days log age limite).
Im am a domain admin, enterprise admin, Organization admin, Records management, discovery management, groups members. I think I got enough permissions to get the results π
But nothing.
I can see the Audit folder of the recipient increase each time I try do to something in the mailbox. So, I know logs are recorded somewhere.
Tryed to put the Server in US language and regional settings, rebooted dozen times, same issue.
Is there an issue in Exchange 2019 with Search Audit log ? or do you think this is a local issue in my configuration?
Thx
Hello,
I am having the exact same issue. Search-MailboxAuditLog gives no results at all. I can see the audit log folder too having items. I have all the permissions too and regional is set to US.
No idea what is going on here. The indexing is not corrupted either.
Please help
I’m assuming there’s no way to use this against mail enabled Public Folders in Exchange 2019, correct? Even though Public Folders are now in it’s own Public Folder mailbox. I can’t figure out a way to get this to work.
what can it be that after running the command search-mailboxauditlog -identity -showdetails i get the results and at the end this error “The current server () doesn’t belong to a site.
+ CategoryInfo : ReadError: (:) [Search-MailboxAuditLog], DatabaseLocationUnavailableException…..”
my concern is that the results may not be complete
Hi Paul,
Thanks you so much. i appreciate your efforts.
This post helping me to get deleted logs.
Hi Paul,
I just want ask if there’s a way to view from the admin audit log the emails that was deleted by the admin using the parameter “-SearchQuery”. i was trying to check what are the emails that was deleted on each user mailboxes?
I have enabled audit log for mailbox owner , but just can audit the owner access from OWA , and miss log for access from OUTLOOK client. Why ?
The exchange server version: is Exchange 2010 Version 14.3 (Build 123.4)
my command as below:
#Set-Mailbox -Identity “andy” -AuditOwner Create, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems -AuditEnabled $true
#Search-MailboxAuditLog -ShowDetails -Identity “andy” -LogonTypes owner
#Search-MailboxAuditLog -Identity andy -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails
RunspaceId : 8eea7f2b-b0d3-48e1-b1aa-ee1e8949864a
Operation : Create
OperationResult : Succeeded
LogonType : Owner
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAADROx4E36ZLT6qOfDq7fAAMAQComlYBhuxuR5PcOAgLwk0nAAAArPCJAAAB
FolderPathName : \test
ClientInfoString : Client=OWA
ClientIPAddress : aa.bb.cc.dd
ClientMachineName :
ClientProcessName :
ClientVersion :
InternalLogonType : Owner
MailboxOwnerUPN : andy@my.com
MailboxOwnerSid : S-1-5-21-72112605-1930193721-1541874228-10995
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation :
LogonUserDisplayName : Andy
LogonUserSid : S-1-5-21-72112605-1930193721-1541874228-10995
SourceItems : {}
SourceFolders : {}
SourceItemIdsList :
SourceItemSubjectsList :
SourceItemFolderPathNamesList :
SourceFolderIdsList :
I couldn’t tell for sure from the description – does this work for a shared mailbox to be able to see specifically which user deleted an item?
You can use mailbox audit logging for that, but it’s not an Owner action if it’s a shared mailbox, it would be a Delegate action.
how we can execute the audit serach for multiple mailboxes. I have enabled audit log for my account and i have not received any results
Hi Paul,
I may not so expert in the systems like you, I have a question for you please, My company received an email from a customer that my employee saw, but later we cannot see that email like it disappeared, and we cannot find it into the deleted emails or in the server log. The customer resent an email with attached the forwarded email for confirmation.
Is there any scenario that this may happen? even rare? the future of an employee is depending on your answer
You can use message tracking log searches to determine whether the email ever arrived in your organization.
You can also use eDiscovery searches to try and find the email if it has been moved elsewhere.
HI,
I tried the exact command in Exchange 2013 and getting the below error. Please could you help. I am not good with Power shell.
[PS] C:Windowssystem32>get-mailbox saura | Set-Mailbox saura -AuditEnabled:$true
The input object cannot be bound to any parameters for the command either because the command does not take pipeline
input or the input and its properties do not match any of the parameters that take pipeline input.
+ CategoryInfo : InvalidArgument: (Saura:PSObject) [Set-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Set-Mailbox
+ PSComputerName : contoso.com
Regards,
Saura
The post had an error, which I’ve now fixed, thanks.
Try this:
get-mailbox saura | Set-Mailbox -AuditEnabled:$true
Thank you very much. It worked.
Regards,
Saura
i’d like to audit contact add and deletes, is this possible with this feature?
The audit settings aren’t specific to any item type. They refer to actions. So if you audit deletes, any kind of delete (mail item, contact, folder) should be captured.
For some reason deletions from sent items folder do not seem to show up. What could be causing that?
In my testing of mailbox auditing I am not seeing audit records for moves / deletions of mailbox folders or any of the messages within the folders – seems i can delete a folder full of messages to bypass audit records. Am I missing something? This is on a shared mailbox being accessed as a delegate; AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}
I am getting records for actions if I move or delete say a single message, but not folders, and folder is what I am interested in specifically. Thanks.
Hello Paul,
Hope you doing good.
I am not getting these two info SourceItemSubjectsList and SourceItemFolderPathNamesList in case of Operation : Update. (I am opening email and edit the content )
It doesn’t return anything in it(Blank).
E2k13 CU10 on Win2k12 R2
I used – Search-MailboxAuditLog -Identity nelson -LogonTypes Owner -StartDate (Get-Date).AddHours(-2) -ShowDetails
and
Search-MailboxAuditLog -Identity nelson -LogonTypes Owner -StartDate (Get-Date).AddHours(-2) -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*
Paul, I found this.
http://support.microsoft.com/kb/2701624
It requires a update rollup.
Hello Paul
Thanks for the post.
SourceItemSubjectsList and SourceItemFolderPathNamesList is blank, Am I missing something?
=============================================================================
RunspaceId : c9a04427-73a0-481a-90c8-0ea4d8689f1f
Operation : SoftDelete
OperationResult : Succeeded
LogonType : Owner
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABu/yty5FbIS69ejw8vFX6FAQByJ9P1CYuLTLP/u3hTiYMZALd2vdYJAAAB
FolderPathName : Drafts
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 10.25.11.83
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 15.0.4420.1017
InternalLogonType : Owner
MailboxOwnerUPN : xxx
MailboxOwnerSid : S-1-5-21-2946325001-2884011750-3718086917-9160
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation : False
LogonUserDisplayName : xxx
LogonUserSid : S-1-5-21-2946325001-2884011750-3718086917-9160
SourceItems : { RgAAAABu/yty5FbIS69ejw8vFX6FBwByJ9P1CYuLTLP/u3hTiYMZALd2vdYJAABSPNmMpPFHQ6VKjI/c25nWAJ9Mw4
5VAAAA}
SourceFolders : {}
ItemId :
ItemSubject :
DirtyProperties :
OriginatingServer : xxx (14.02.0247.001)
MailboxGuid : 973f079a-b115-4b00-9d22-3570aa1427b0
MailboxResolvedOwnerName : xxx
LastAccessed : 7/27/2014 9:29:22 AM
Identity : RgAAAABu/yty5FbIS69ejw8vFX6FBwA9Tpol1KMDSJNUlYF/BvEGAACZSusnAAA9Tpol1KMDSJNUlYF/BvEGAACZTBtN
AAAJ
IsValid : True
Did you use the commands as demonstrated in the article or run them a different way?