
How to use audit logging to find out who deleted items from an Exchange mailbox

Recently I was approached by a senior management staff member claiming that items from his inbox were mysteriously being moved to his Deleted Items folder. This staff member has 2 PAs managing his mailbox, so there was bound to be a reasonable explanation. The best way I could find out what was happening was to turn audit logging on; this way I could gather proof of who was actually deleting these items. In this article I will run through a couple of simple steps on how to turn on audit logging on a mailbox and then gather information from the logs.

Before we start, it's important to know that audit logging does consume storage on the server, so be aware of that before turning it on. To ensure that only the necessary logging is gathered, you can enable logging for the delete actions only.

Firstly we need to enable the mailbox for audit logging.

Turn on Audit Logging

Get-Mailbox "Username" | Set-Mailbox -AuditEnabled:$true

Now that auditing is enabled, verify that it is turned on before specifying which actions to audit.

Verify mailbox auditing is turned on.

Get-Mailbox "Username" | fl *audit*

Specify Audit Actions

Now we specify which of the mailbox owner's actions to audit.

Set-Mailbox "Username" -AuditOwner "HardDelete,SoftDelete,MoveToDeletedItems"

To test this I went into the mailbox and deleted a couple of junk emails that were not needed.

Filter information from logs

Now I can run a mailbox audit log search to see what has been logged for the entries I have just deleted.

Search-MailboxAuditLog -Identity "Username" -ShowDetails

The command above displays pages of output, so it is best to filter your results.

Search-MailboxAuditLog -Identity "Username" -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*,sourceitemfolder*

As you can see from the above logs, the last three emails I had deleted are showing.

Now that I have seen this in action and am comfortable with the results, I will leave logging on for a day or so to see what information I can gather.
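The whole procedure above rolled into one Exchange Management Shell script, as an added example rather than the post's own commands. It assumes a placeholder mailbox name and goes one step beyond the post by also setting AuditDelegate, since actions taken by PAs working in someone else's mailbox are recorded under the Delegate logon type rather than Owner; the AuditLogAgeLimit value is an assumed retention period.

```powershell
# Added example (not the post's own commands): enable delete-action auditing on
# one mailbox and summarise who deleted what. Run in the Exchange Management Shell.
param(
    [string]$MailboxId = "Username",   # placeholder: alias or UPN of the mailbox
    [int]$DaysBack = 1                 # how far back to search, in days
)
$deleteActions = "HardDelete,SoftDelete,MoveToDeletedItems"

# 1. Enable auditing, scoped to delete actions only. AuditOwner covers the owner;
#    AuditDelegate covers PAs working in the mailbox via Full Access (an addition
#    beyond the post, which sets AuditOwner only). AuditLogAgeLimit bounds how long
#    entries are kept, and so how much storage they use (30 days assumed here).
Set-Mailbox -Identity $MailboxId -AuditEnabled $true `
    -AuditOwner $deleteActions -AuditDelegate $deleteActions `
    -AuditLogAgeLimit 30.00:00:00

# 2. Verify the settings took effect before relying on them.
Get-Mailbox -Identity $MailboxId |
    Format-List AuditEnabled, AuditOwner, AuditDelegate, AuditLogAgeLimit

# 3. Pull only delete operations, for every logon type, from the chosen window.
$events = Search-MailboxAuditLog -Identity $MailboxId -ShowDetails `
    -LogonTypes Owner, Delegate, Admin `
    -Operations HardDelete, SoftDelete, MoveToDeletedItems `
    -StartDate (Get-Date).AddDays(-$DaysBack) -EndDate (Get-Date) `
    -ResultSize Unlimited

# 4. Flatten to one row per affected item. Entries normally list the items in
#    SourceItems; fall back to ItemSubject/FolderPathName when that is empty.
$rows = foreach ($e in $events) {
    $common = @{ When = $e.LastAccessed; Who = $e.LogonUserDisplayName
                 LogonType = $e.LogonType; Operation = $e.Operation
                 Client = $e.ClientInfoString }
    if ($e.SourceItems) {
        foreach ($i in $e.SourceItems) {
            New-Object PSObject -Property ($common + @{
                Subject = $i.SourceItemSubject; Folder = $i.SourceItemFolderPathName })
        }
    } else {
        New-Object PSObject -Property ($common + @{
            Subject = $e.ItemSubject; Folder = $e.FolderPathName })
    }
}

# 5. Who did what and how often, then the full detail (newest first) for the write-up.
$rows | Group-Object Who, Operation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$rows | Sort-Object When -Descending |
    Format-Table When, Who, LogonType, Operation, Subject, Folder, Client -AutoSize
```

The summary table is the evidence to hand back: each row names the logon account, the logon type and the delete operation, so a delegate moving items to Deleted Items shows up separately from the owner doing the same.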

I mentioned earlier that logging will use up disk space, but from what I could gather, when auditing just this one particular mailbox the logging data collected was fairly minimal. I would be very careful about using audit logging company-wide, and always remember to turn off the logging when you have completed your investigation.
