Circumvent the dumpster?


  • Circumvent the dumpster?

    We have a user who left the company under unsatisfactory circumstances today.

    Using the following command we tried to retrieve any emails he sent recently, and perhaps he deleted these sent items and purged them out of the "Recover Deleted Items" list as well:

    Code:
    search-mailbox -identity JohnDoe -searchquery 'sent:01/01/2013' -targetmailbox "SupportAdmin" -targetfolder johndoe1 -loglevel full

    John Doe has a Blackberry. We've now remote-wiped that and changed his Windows password.

    When I run the above command against an innocent user's mailbox, I can see the deleted and the purged items just as I expect. But when I run that command against JohnDoe's mailbox, nothing that he's purged can be found. I can see that JohnDoe has sent emails which are no longer in his Sent Items folder or his Deleted Items folder, by using Exchange Message Tracking. Using the Message Tracking tool I can tell who he sent them to, and what date/time but I cannot see the contents of the email, so I thought that I could use the Search-Mailbox command, which works fine on other people's mailboxes, and shows me all the emails that have been deleted, purged, hard-deleted, and removed from the recovery folder - it shows them all just as expected (but not for John Doe).

    How can John Doe have sent emails that appear in the Message Tracking log but cannot be found by the Search-Mailbox command?
    Last edited by PaulH; 31st January 2013, 22:37.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: Circumvent the dumpster?

    As you suggest, he probably emptied both levels of the recycle bin.

    Do you have a deleted item retention period set?
    Otherwise you will have to think about restoring from backups.

    Which Exchange server version, btw?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Circumvent the dumpster?

      Thanks Ossian,

      Sorry I should have said: Exchange 2010 with latest SP and rollups.

      We have a retention period set of 31 days, and I can retrieve emails that other users have triple-deleted from a few days ago, except for this particular user. I thought users could not empty the dumpster and that the Search-Mailbox command would search the dumpster, at least that's the way it is working (well) for other users except this one. I'm unaware of any way to circumvent the dumpster, i.e. for a user to get rid of an email so that even the Search-Mailbox command is unable to find it.
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



      • #4
        Re: Circumvent the dumpster?

        Have you tried a discovery search?
        http://www.exchangeinbox.com/article.aspx?i=148
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Circumvent the dumpster?

          Yes, we have, and emails that appear in the message tracking tool do not appear in the Discovery Search.

          We have confirmed now, and seen with our own eyes, an email he sent yesterday to a certain friendly recipient, and that email appears in the Message Tracking Log but does not appear either in the Discovery Search interface or when we do a PowerShell search.

          The Blackberry support team are also investigating if it could have been anything to do with that, but since the emails show up in Message Tracking, I'd suggest that Exchange is (or was) fully aware of the email and to my mind, should have kept it in the dumpster for sysadmin to be able to find.

          Is there a way a user can empty the dumpster?
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
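
A check for the situation discussed in this thread, as an added example that is not part of any poster's message: in Exchange 2010 a user can purge items from Recover Deleted Items, and unless single item recovery or litigation hold is enabled on the mailbox those items are removed from the store instead of being kept in the Purges subfolder. The function name Get-DumpsterAudit is hypothetical; the cmdlets and parameters are standard Exchange 2010 Management Shell ones, and JohnDoe is the mailbox named in the thread.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# (Exchange 2010, PowerShell 2.0) with rights to run Search-Mailbox.
function Get-DumpsterAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    # Mailbox settings that decide whether a user-initiated purge stays
    # recoverable by an administrator.
    $mbx = Get-Mailbox -Identity $Identity

    # Item counts for the Recoverable Items subfolders:
    #   Deletions = soft-deleted items the user can still recover or purge
    #   Purges    = items the user purged (kept only with SIR or a hold)
    #   Versions  = copy-on-write originals (only with SIR or a hold)
    $folders = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems |
        Select-Object Name, ItemsInFolder, FolderSize

    # Count what Search-Mailbox can see in Recoverable Items, without
    # copying anything to a target mailbox.
    $estimate = Search-Mailbox -Identity $Identity -SearchDumpsterOnly -EstimateResultOnly

    New-Object PSObject -Property @{
        Mailbox                   = $mbx.Name
        SingleItemRecoveryEnabled = $mbx.SingleItemRecoveryEnabled
        LitigationHoldEnabled     = $mbx.LitigationHoldEnabled
        RetainDeletedItemsFor     = $mbx.RetainDeletedItemsFor
        UseDatabaseDefaults       = $mbx.UseDatabaseRetentionDefaults
        RecoverableItemsFolders   = $folders
        DumpsterSearchItemCount   = $estimate.ResultItemsCount
    }
}

# Compare the mailbox in question with one where purged items were found.
Get-DumpsterAudit -Identity JohnDoe | Format-List

# Closing the gap for future cases: keep purged items for the full
# retention period so a user cannot remove them from Recoverable Items.
# Set-Mailbox -Identity JohnDoe -SingleItemRecoveryEnabled $true
```

An empty Purges folder together with SingleItemRecoveryEnabled set to False is consistent with messages that appear in Message Tracking but cannot be found by any mailbox search; in that case a backup restore is the remaining source for the content.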
