I’ve had some questions from readers asking whether it is possible to tell when a mailbox user has deleted items from their own mailbox. This question seems to come from those very special support situations where an end user is blaming others for email going missing. I guess if the situation is serious enough then some audit trail would certainly be useful for proving who deleted the mailbox items.

I’ve previously covered mailbox audit logging, which is a feature of both Exchange Server 2010 and 2013. In my demonstrations of mailbox audit logging I tend to focus on auditing administrator and delegate actions, which are a more common support scenario in my experience. However, auditing of mailbox owner actions is also possible, it is just not enabled by default.

Before we proceed I’ll just highlight that mailbox audit logging does consume storage on the Exchange server. For admin/delegate situations this is usually a negligible amount; however, mailbox owner actions occur much more frequently, so they have a greater potential to consume a large amount of storage.

To mitigate that risk I would recommend only enabling mailbox audit logging of mailbox owners for actions that involve deleting email.

So let’s take a look at how this works.

First, the mailbox must be enabled for mailbox audit logging before you can use the audit logs to prove anything.

[PS] C:\>get-mailbox alan.reid | Set-Mailbox -AuditEnabled:$true

Now we can see that auditing is enabled for the mailbox, but no owner actions are being audited.

[PS] C:\>get-mailbox alan.reid | fl *audit*

AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

So next we need to configure the owner actions to audit. In this example I’m only configuring delete actions to be audited. If I included other actions such as Create, Move, etc., then a lot of audit logging would be generated as the mailbox owner read and dealt with their emails.

[PS] C:\>Set-Mailbox Alan.Reid -AuditOwner "HardDelete,SoftDelete,MoveToDeletedItems"

After waiting a short period of time I logged in as Alan and made a variety of delete-type actions, such as manually moving an item to the Deleted Items folder, soft deleting an email (so it goes to Deleted Items), and hard deleting an email (Shift+Delete so it skips the Deleted Items folder).

Finally, in the Exchange Management Shell, I can run a mailbox audit logging search of Alan’s mailbox to see the audit log entries for the delete actions I performed.

[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails

You can see I use Get-Date to set the start date to 1 hour ago. Also, when the LogonType is “Owner” we must also use the -ShowDetails switch.

The output of the above command is quite long, so here is a shorter version for the sake of demonstration. In a real world scenario I would recommend looking at the complete output, not this truncated version.

[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*,sourceitemfolder*

Operation                     : SoftDelete
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  I'm sorry I spammed you
SourceItemFolderPathNamesList : Inbox

Operation                     : MoveToDeletedItems
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  Marketing newsletter
SourceItemFolderPathNamesList : Inbox

Operation                     : MoveToDeletedItems
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  Cryptic unearth plaque
SourceItemFolderPathNamesList : Inbox

So, you can see that tracking mailbox owner deletes is possible using mailbox audit logging. The important considerations are to enable audit logging first, so that it is in place before any support situations arise, and to limit the auditing to only the actions (such as deletes) that are needed, so that the impact on database storage is kept under control.
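The steps above (enable auditing, limit the owner actions to deletes, then search with -LogonTypes Owner and -ShowDetails) can be combined into a small script. The following is an added example, not code from the original article; it assumes it is run in the Exchange Management Shell where Get-Mailbox, Set-Mailbox and Search-MailboxAuditLog are available, and the mailbox identity used in the usage lines is a placeholder. It goes slightly beyond the article by accepting several mailboxes at once and filtering the search results to delete-type operations only.

```powershell
# Added example (not from the original article). Assumes the Exchange Management
# Shell (Exchange 2010/2013). Mailbox identities passed in are placeholders.

function Enable-OwnerDeleteAuditing {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Identity
    )

    foreach ($mbx in $Identity) {
        # Enable auditing and restrict owner auditing to the three delete-type
        # actions only, so routine reading and filing of mail does not generate
        # audit records and consume database storage.
        Set-Mailbox -Identity $mbx -AuditEnabled $true `
            -AuditOwner HardDelete,SoftDelete,MoveToDeletedItems

        # Echo the resulting configuration so it can be confirmed now, before
        # any support case depends on it.
        Get-Mailbox -Identity $mbx |
            Select-Object Name, AuditEnabled, AuditLogAgeLimit, AuditOwner
    }
}

function Get-OwnerDeleteReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Identity,
        [int]$Hours = 24
    )

    $start = (Get-Date).AddHours(-$Hours)
    $deleteOps = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems')

    foreach ($mbx in $Identity) {
        # -ShowDetails is required when searching the Owner logon type.
        Search-MailboxAuditLog -Identity $mbx -LogonTypes Owner `
            -StartDate $start -ShowDetails |
            # Defensive filter: only delete-type operations are reported even if
            # AuditOwner has been widened to other actions on this mailbox.
            Where-Object { $deleteOps -contains $_.Operation } |
            Select-Object @{n = 'Mailbox'; e = { $mbx }},
                          LastAccessed,
                          Operation,
                          OperationResult,
                          LogonUserDisplayName,
                          ClientInfoString,
                          @{n = 'Subjects'; e = { $_.SourceItemSubjectsList }},
                          @{n = 'SourceFolders'; e = { $_.SourceItemFolderPathNamesList }}
    }
}

# Usage (placeholder identity): enable, then report the last hour of owner deletes.
Enable-OwnerDeleteAuditing -Identity 'alan.reid'
Get-OwnerDeleteReport -Identity 'alan.reid' -Hours 1 | Format-Table -AutoSize
```

The report keeps ClientInfoString alongside the subject and folder lists, since it records which client (OWA, Outlook via MSExchangeRPC, and so on) performed the delete; that is often the first thing asked in a dispute over missing mail. Audit entries are only retained for the mailbox’s AuditLogAgeLimit (90 days in the output shown earlier), so searches must be run within that window.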

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Luuke

    Hi Paul,

    I hope you can help me sort this out…
    Exchange 2013 on premises.
    I have a couple of sensitive shared mailboxes to monitor and I have enabled auditing on these.
    Recently the section chief noticed some messages have been deleted from the inbox of that shared mailbox. In the last 24 hours.
    I run the search-mailboxauditlog command, filter on *Delete, and I can find 8 entries. The problems are:
    – it’s the section chief, and only him, who has deleted these messages – he confirms it, but he wants to know about other messages
    – it’s ONLY soft-deleted messages
    I also did the search on the move* Operation, no luck.
    I connected directly on the shared mailbox, and I can find the messages he is looking for, in the Recover Deleted Items, at the approximate time he specified – so I assume they were hard-deleted.

    But the search is not giving me this information !!!

    Here is the command that I have run :
    Search-MailboxAuditLog -Identity alias -LogonTypes Delegate,Admin,Owner -StartDate (get-date).addhours(-48) -ShowDetails | Where-Object {$_.Operation -like "*Delete"} | ft FolderPathName,LogonUserDisplayName,LastAccessed,Operation,SourceItemSubjectsList

    Am I doing something wrong ?

    Thanks !

    Luuke

  2. Jacky

    Hi, this is exactly what I’m trying to do: find who enjoys moving and removing customers’ emails in a shared mailbox 🙂

    using Exchange 2019 CU3. I need to find out who has fun with the team mailbox.
    I run the command

    Search-MailboxAuditLog -identity BelovedCustomersMailbox -LogonTypes Delegate,Owner -StartDate 01/01/2020 -ShowDetails

    That gives me no result. No error, but no result. Just gives me the prompt to the next line.

    Audit is enabled on the mailbox with default parameters (90 days log age limit).
    I am a domain admin, enterprise admin, Organization admin, Records management, discovery management group member. I think I have enough permissions to get the results 🙂
    But nothing.

    I can see the Audit folder of the recipient increase each time I try do to something in the mailbox. So, I know logs are recorded somewhere.

    Tried putting the server in US language and regional settings, rebooted a dozen times, same issue.

    Is there an issue in Exchange 2019 with Search Audit log ? or do you think this is a local issue in my configuration?

    Thx

    1. David

      Hello,

      I am having the exact same issue. Search-MailboxAuditLog gives no results at all. I can see the audit log folder too having items. I have all the permissions too and regional is set to US.

      No idea what is going on here. The indexing is not corrupted either.
      Please help

  3. Clint

    I’m assuming there’s no way to use this against mail enabled Public Folders in Exchange 2019, correct? Even though Public Folders are now in their own Public Folder mailbox. I can’t figure out a way to get this to work.

  4. Rika

    What can it be that after running the command search-mailboxauditlog -identity -showdetails I get the results and at the end this error: “The current server () doesn’t belong to a site.
    + CategoryInfo : ReadError: (:) [Search-MailboxAuditLog], DatabaseLocationUnavailableException…..”

    my concern is that the results may not be complete

  5. Nrapendra kumar

    Hi Paul,

    Thank you so much. I appreciate your efforts.

    This post is helping me get the deleted logs.

  6. ian

    Hi Paul,

    I just want to ask if there’s a way to view from the admin audit log the emails that were deleted by the admin using the parameter “-SearchQuery”. I was trying to check which emails were deleted in each user’s mailbox.

  7. Andy

    I have enabled the audit log for the mailbox owner, but it only audits owner access from OWA, and misses the log for access from the Outlook client. Why?

    The exchange server version: is Exchange 2010 Version 14.3 (Build 123.4)

    my command as below:
    #Set-Mailbox -Identity “andy” -AuditOwner Create, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems -AuditEnabled $true
    #Search-MailboxAuditLog -ShowDetails -Identity “andy” -LogonTypes owner
    #Search-MailboxAuditLog -Identity andy -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails

    RunspaceId : 8eea7f2b-b0d3-48e1-b1aa-ee1e8949864a
    Operation : Create
    OperationResult : Succeeded
    LogonType : Owner
    ExternalAccess : False
    DestFolderId :
    DestFolderPathName :
    FolderId : LgAAAADROx4E36ZLT6qOfDq7fAAMAQComlYBhuxuR5PcOAgLwk0nAAAArPCJAAAB
    FolderPathName : \test
    ClientInfoString : Client=OWA
    ClientIPAddress : aa.bb.cc.dd
    ClientMachineName :
    ClientProcessName :
    ClientVersion :
    InternalLogonType : Owner
    MailboxOwnerUPN : andy@my.com
    MailboxOwnerSid : S-1-5-21-72112605-1930193721-1541874228-10995
    DestMailboxOwnerUPN :
    DestMailboxOwnerSid :
    DestMailboxGuid :
    CrossMailboxOperation :
    LogonUserDisplayName : Andy
    LogonUserSid : S-1-5-21-72112605-1930193721-1541874228-10995
    SourceItems : {}
    SourceFolders : {}
    SourceItemIdsList :
    SourceItemSubjectsList :
    SourceItemFolderPathNamesList :
    SourceFolderIdsList :

  8. Tim Jahr

    I couldn’t tell for sure from the description – does this work for a shared mailbox to be able to see specifically which user deleted an item?

    1. Paul Cunningham

      You can use mailbox audit logging for that, but it’s not an Owner action if it’s a shared mailbox, it would be a Delegate action.

  9. sankara

    How can we execute the audit search for multiple mailboxes? I have enabled the audit log for my account and I have not received any results.

  10. wajdi

    Hi Paul,

    I may not be as expert in these systems as you, but I have a question for you please. My company received an email from a customer that my employee saw, but later we cannot see that email, as if it disappeared, and we cannot find it in the deleted emails or in the server log. The customer resent an email with the forwarded email attached for confirmation.
    Is there any scenario where this may happen? Even a rare one? The future of an employee is depending on your answer.

    1. Paul Cunningham

      You can use message tracking log searches to determine whether the email ever arrived in your organization.

      You can also use eDiscovery searches to try and find the email if it has been moved elsewhere.

  11. Saura

    HI,

    I tried the exact command in Exchange 2013 and getting the below error. Please could you help. I am not good with Power shell.

    [PS] C:\Windows\system32>get-mailbox saura | Set-Mailbox saura -AuditEnabled:$true
    The input object cannot be bound to any parameters for the command either because the command does not take pipeline
    input or the input and its properties do not match any of the parameters that take pipeline input.
    + CategoryInfo : InvalidArgument: (Saura:PSObject) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Set-Mailbox
    + PSComputerName : contoso.com

    Regards,
    Saura

    1. Paul Cunningham

      The post had an error, which I’ve now fixed, thanks.

      Try this:

      get-mailbox saura | Set-Mailbox -AuditEnabled:$true

      1. Saura

        Thank you very much. It worked.

        Regards,
        Saura

  12. nick casagrande

    I’d like to audit contact adds and deletes, is this possible with this feature?

    1. Paul Cunningham

      The audit settings aren’t specific to any item type. They refer to actions. So if you audit deletes, any kind of delete (mail item, contact, folder) should be captured.

  13. Rob Wilderman

    For some reason deletions from sent items folder do not seem to show up. What could be causing that?

  14. Jason

    In my testing of mailbox auditing I am not seeing audit records for moves / deletions of mailbox folders or any of the messages within the folders – seems I can delete a folder full of messages to bypass audit records. Am I missing something? This is on a shared mailbox being accessed as a delegate; AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}

    I am getting records for actions if I move or delete say a single message, but not folders, and folder is what I am interested in specifically. Thanks.

  15. Mohammad Azhar

    Hello Paul,

    Hope you are doing well.

    I am not getting these two pieces of info, SourceItemSubjectsList and SourceItemFolderPathNamesList, in the case of Operation : Update. (I am opening an email and editing the content.)

    It doesn’t return anything in it(Blank).
    E2k13 CU10 on Win2k12 R2

  16. Nelson

    I used – Search-MailboxAuditLog -Identity nelson -LogonTypes Owner -StartDate (Get-Date).AddHours(-2) -ShowDetails

    and

    Search-MailboxAuditLog -Identity nelson -LogonTypes Owner -StartDate (Get-Date).AddHours(-2) -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*

  17. Nelson

    Hello Paul

    Thanks for the post.

    SourceItemSubjectsList and SourceItemFolderPathNamesList are blank. Am I missing something?
    =============================================================================

    RunspaceId : c9a04427-73a0-481a-90c8-0ea4d8689f1f
    Operation : SoftDelete
    OperationResult : Succeeded
    LogonType : Owner
    ExternalAccess : False
    DestFolderId :
    DestFolderPathName :
    FolderId : LgAAAABu/yty5FbIS69ejw8vFX6FAQByJ9P1CYuLTLP/u3hTiYMZALd2vdYJAAAB
    FolderPathName : Drafts
    ClientInfoString : Client=MSExchangeRPC
    ClientIPAddress : 10.25.11.83
    ClientMachineName :
    ClientProcessName : OUTLOOK.EXE
    ClientVersion : 15.0.4420.1017
    InternalLogonType : Owner
    MailboxOwnerUPN : xxx
    MailboxOwnerSid : S-1-5-21-2946325001-2884011750-3718086917-9160
    DestMailboxOwnerUPN :
    DestMailboxOwnerSid :
    DestMailboxGuid :
    CrossMailboxOperation : False
    LogonUserDisplayName : xxx
    LogonUserSid : S-1-5-21-2946325001-2884011750-3718086917-9160
    SourceItems : { RgAAAABu/yty5FbIS69ejw8vFX6FBwByJ9P1CYuLTLP/u3hTiYMZALd2vdYJAABSPNmMpPFHQ6VKjI/c25nWAJ9Mw45VAAAA}
    SourceFolders : {}
    ItemId :
    ItemSubject :
    DirtyProperties :
    OriginatingServer : xxx (14.02.0247.001)
    MailboxGuid : 973f079a-b115-4b00-9d22-3570aa1427b0
    MailboxResolvedOwnerName : xxx
    LastAccessed : 7/27/2014 9:29:22 AM
    Identity : RgAAAABu/yty5FbIS69ejw8vFX6FBwA9Tpol1KMDSJNUlYF/BvEGAACZSusnAAA9Tpol1KMDSJNUlYF/BvEGAACZTBtNAAAJ
    IsValid : True

    1. Paul Cunningham

      Did you use the commands as demonstrated in the article or run them a different way?
