I just had an incident, where items got deleted. Of course, the affected person was a VIP and so I had to investigate the incident with high priority.
The first issue was that items vanished from a shared mailbox. One day later items in the mailbox of the assistant also disappeared.
Due to all the issues in the past with mobile devices (and I knew they were using a lot of mobile devices), my first thought was that those might have caused the issue.
The challenge was not to get the items back (thanks to Single Item Recovery!). It was more to clearly identify the client which deleted the items.
Thanks to the Exchange PG for the cmdlet Get-DatabaseEvent!
To get more details about this I really encourage you to read this article Adventures in querying the EventHistory table, which goes into all the details.
In my case I decided to look into those events, just to make sure we don’t have another issue with mobile devices.
First I collected the events and exported those into a CSV file:
# Get-DatabaseEvent lives in the support snap-in, so load it first
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Support
# Look up the ExchangeGUID of the affected mailbox
Get-Mailbox firstname.lastname@example.org | select ExchangeGUID
# Pull every event for that mailbox from the database that hosts it, oldest first
$dbevents = Get-DatabaseEvent -MailboxGuid d5cfefb4-1a42-4a2d-9524-21a0074df42c -Server ex01.contoso.local -ResultSize unlimited | sort CreateTime
# Export for offline analysis (e.g. in Excel)
$dbevents | Export-Csv -NoTypeInformation -Path C:\Temp\dbdata.csv
Now I had all the data from the database. As the items had been deleted from the Inbox folder only, I needed to know the HexEntryID of this folder. Therefore I reused one of my scripts:
.\Get-MailboxFolderPermissionEWS.PS1 -EmailAddress email@example.com | ? FolderPath -EQ '\Inbox'
Note: Keep in mind that you either need FullAccess to the mailbox or ApplicationImpersonation permissions!
This example shows the output:
Since the folder's HexEntryID is the value in the ItemEntryID column, we can now easily filter that column for this value.
At one point in time I could see that a lot of items got moved. I just had to look at the ClientCategory column.
The ClientCategory was MOMT! All of the items had been deleted by an Outlook client.
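To show the filtering and the "who touched the folder, and when" question from the steps above as a script rather than as manual column filtering, here is an added example. It is not from the original post and does not run against Exchange: it works on an exported CSV in the shape Export-Csv produces. Only the columns CreateTime, ItemEntryId and ClientCategory are taken from the post; the EventName column, the entry ID values, the ClientCategory value AirSync and the sample rows are constructed for illustration.

```powershell
# Added example, not from the original post. Offline analysis of a
# Get-DatabaseEvent export: filter the events of one folder by its HexEntryID,
# count them per ClientCategory, and flag bursts of events in short windows.

# Constructed sample rows in the shape of the Export-Csv output above.
# The entry IDs and timestamps are placeholders, not real values.
$sampleCsv = @'
"CreateTime","EventName","ItemEntryId","ClientCategory"
"2015-03-02 08:15:02","ObjectModified","INBOXFOLDERENTRYID","AirSync"
"2015-03-02 09:40:11","ObjectModified","OTHERFOLDERENTRYID","AirSync"
"2015-03-02 11:02:00","ObjectModified","INBOXFOLDERENTRYID","MOMT"
"2015-03-02 11:02:03","ObjectModified","INBOXFOLDERENTRYID","MOMT"
"2015-03-02 11:02:05","ObjectModified","INBOXFOLDERENTRYID","MOMT"
"2015-03-02 11:02:09","ObjectModified","INBOXFOLDERENTRYID","MOMT"
"2015-03-02 15:30:47","ObjectModified","INBOXFOLDERENTRYID","EWS"
'@
$events = $sampleCsv | ConvertFrom-Csv
# Against a real export use instead:
# $events = Import-Csv -Path C:\Temp\dbdata.csv

# HexEntryID of the Inbox, as returned by Get-MailboxFolderPermissionEWS.PS1
# (placeholder value here)
$inboxEntryId = 'INBOXFOLDERENTRYID'

# Step 1: keep only the events whose ItemEntryId is the folder itself
$inboxEvents = $events |
    Where-Object { $_.ItemEntryId -eq $inboxEntryId } |
    Sort-Object { [datetime]$_.CreateTime }

# Step 2: which client categories touched the folder, and how often
Write-Host "Events on the Inbox per ClientCategory:"
$inboxEvents |
    Group-Object ClientCategory |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Step 3: bucket the events into 5-minute windows and show the busy ones.
# A burst of folder changes from a single ClientCategory is the pattern
# that points at the client responsible for a mass deletion.
$window = New-TimeSpan -Minutes 5
Write-Host "5-minute windows with 3 or more folder events:"
$inboxEvents |
    Group-Object { $t = ([datetime]$_.CreateTime).Ticks; $t - ($t % $window.Ticks) } |
    ForEach-Object {
        [pscustomobject]@{
            WindowStart    = [datetime]([long]$_.Name)
            Events         = $_.Count
            ClientCategory = ($_.Group.ClientCategory | Sort-Object -Unique) -join ','
        }
    } |
    Where-Object Events -ge 3 |
    Format-Table -AutoSize
```

With the constructed rows, the per-category table shows MOMT with four events and the burst table shows one window starting at 11:00 with ClientCategory MOMT, which is the same picture the post describes from filtering the CSV by hand. If a folder-level event carries no ClientCategory at all, the grouping simply shows an empty name, so check that column before concluding that nothing matched.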
In this case no mobile device was involved. But I thought this would be a good example to show how to trace such an issue.
By the way: The RC was a new device with touch screen and maybe some sticky fingers….
I hope this will help some of you!