Auditing Deleted Emails

Some of our users log into shared mailboxes via OWA 2013 as delegate users with full access. We have auditing for Move and MoveToDeletedItems turned on for both owners and delegates. We have a user who is trying to figure out how a particular email was deleted (to deleted items). The email came in on April 7th, around 2:50 pm. We cannot find any MoveToDeletedItems, but can see the Move that the user made when moving the email out of Deleted Items to another folder at 4:30.

I'm running the following PowerShell command:

Search-MailboxAuditLog -Identity "GroupMailbox1" -LogonTypes Owner,Delegate -ShowDetails -StartDate "04/06/2015" -EndDate "04/08/2015" | Export-CSV c:\grp1audit.csv

I have done a test from this box, logged in as my own login (not admin), deleted an item and moved it back. I can see both actions in the audit log using the command above. I've checked the mailbox rules, and there is no rule that I see that would move that email to Deleted Items automatically. Is there any other way for a user to delete an email to the Deleted Items folder that wouldn't be logged in MoveToDeletedItems?

April 8th, 2015 3:37pm

Hi,

If a user is configured to bypass mailbox audit logging, then actions taken by that user or account for any mailbox aren't logged.

Bypass a user account from mailbox audit logging

https://technet.microsoft.com/en-us/library/ff461934(v=exchg.150).aspx

A transport rule is the other way I can think of; you can check that.

Best Regards.

April 9th, 2015 3:34am

Hi Lynn-Li,

I checked our transport rules; we only have one and it does not apply in this case.  I also ran a search for mailboxes with AuditBypassEnabled set to True (Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled -eq "True"}) and nothing came back.

To clarify, however, a SoftDelete is only when something is deleted from the "Deleted Items" folder, is that correct?  I think we are going to turn on SoftDelete and HardDelete auditing as well, just in case.

Thanks

April 9th, 2015 12:13pm

Hi,

Yes, SoftDelete means an item is deleted from the Deleted Items folder.

HardDelete means an item is deleted permanently from the Recoverable Items folder.

For more actions that can be logged by mailbox audit logging, please refer to this document.

https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx

Best Regards.

April 9th, 2015 9:21pm
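
The checks discussed in this thread, collected as an added example that is not part of the original posts: it shows the mailbox's audit configuration, lists audit-bypass accounts, adds SoftDelete and HardDelete to the audited owner and delegate actions, and exports only the move and delete entries for the time window. The output path, the Admin logon type, and the selected columns are assumptions made for illustration.

```powershell
# Added example; run in the Exchange Management Shell with rights to the mailbox.
$Mailbox = "GroupMailbox1"      # mailbox name used in the thread
$Start   = "04/06/2015"         # same window as the thread's search
$End     = "04/08/2015"

# 1. Confirm auditing is enabled and see which actions are logged per logon type.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# 2. List accounts whose actions bypass mailbox audit logging.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled -eq $true } |
    Select-Object Name, AuditBypassEnabled

# 3. Add SoftDelete and HardDelete to the audited actions.
#    @{Add=...} appends to the current list instead of replacing it.
#    This only affects actions taken after the change.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner    @{Add = "SoftDelete", "HardDelete"} `
    -AuditDelegate @{Add = "SoftDelete", "HardDelete"}

# 4. Search the window. Admin is added here as an assumption; the thread's
#    command searched Owner and Delegate only.
$entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Owner, Delegate, Admin -ShowDetails `
    -StartDate $Start -EndDate $End -ResultSize 10000

# 5. Keep only move/delete operations, oldest first, with who, from what client,
#    and which folders were involved.
$deleteOps = "Move", "MoveToDeletedItems", "SoftDelete", "HardDelete"
$entries |
    Where-Object { $deleteOps -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                  ClientInfoString, FolderPathName, DestFolderPathName,
                  SourceItemSubjectsList |
    Export-Csv -Path C:\grp1audit-deletes.csv -NoTypeInformation   # hypothetical path
```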

This topic is archived. No further replies will be accepted.
