I have been instructed to do a internal investigation and I need to confirm if a user accessed her email account on a specific date/time. Please keep in mind that this was requested after I removed her from our system (3 weeks ago) so there are no log files in the Security Event Viewer because they are set to overwrite as needed. I did the command get-MailboxStatistics (alias) |fl The results came up w/the following (along with a list of other statistics). My question is is this the exact time she accessed her email or is it some sort of transaction log? LastLogoffTime : 9/10/2010 9:58:54 AM LastLogonTime : 9/10/2010 9:58:50 AM

That is the last time that *some account* logged on and off the mailbox.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

You can use mailbox access auditing to do such task, however, it required to configure the settings before the monitoring Understanding Mailbox Access Auditing with Exchange Server 2007 Service Pack 2James Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

I ran the command in Exchange Management Shell and I printed it off as it showed, but I'm wondering if that would stand up in court? Any thoughts? Thank you Ed & James.

If I were a judge, I don't think it would say anything to me.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Besides copying it to my letterhead that was pretty much what I was thinking too. What do you recommend if anything?

I can't say because I don't really know what it is you're trying to prove.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

This was the request; On September 7, 2010, UserA may have utilized UserB's laptop to review emails, etc… and I would like to have the information which reflects (if in fact UserA ever utilized/accessed her email) usage/access by UserA to view her email via UserB's laptop, or any computer Pertinent information would be: Time of day, UserA accessed her email on September 7, 2010 beginning from 1000 hours, up to 2300 hours.

UserA still has user object and associated mailbox in the exchange? You said that you have removed her from systemJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

I did a Remove (from EMC) UserA when I was told to. Then when the request came to me I had to Connect (from EMC - Recipient Configuration- Disconnected Mailbox) her in order to get the information needed. Does that make sense?