I have a question regarding Exchange and archived/deleted emails. Is there a way to track an email item that moved from a central mailbox to a PST file? I'm struggling to find an event log and am using the tracking tool on Exchange 2007.
There's a feature in Exchange 2007 SP3, Mailbox Access Auditing, which appears to be the answer. And while this feature can audit folder and message access, it won't specifically audit message moves or deletions. But there may be a roundabout way to do this in Exchange 2007. What you really need to know is what happens to email items in an end user's mailbox when they move to a PST file.
When items move to a PST file, they're actually copied to the PST and then deleted from the mailbox. If deleted item retention is enabled for the Exchange 2007 mailbox (seven days by default), Exchange will keep a copy of the "deleted/moved" item that the move to the PST created. Most end users don't move items from their deleted items folder to their PST files, so Outlook clients must have the DumpsterAlwaysOn registry key set to "1" to see and recover deleted items from any folder in the mailbox. Outlook 2007 and higher sets this by default; Outlook 2003 or earlier will need to have this setting configured prior to recovery.
Following this logic, it would seem possible to track when a message moves to a PST file by monitoring the activity in the mailbox's dumpster. But just like dumpster diving in real life, you'll find a lot of other stuff you weren't looking for. It would be difficult to identify what was deleted versus what moved to a PST.
Instead of trying to track messages with an event log, consider cross-mailbox searching, also known as "e-discovery." For this, you need a keyword or other search criteria. If you have criteria to search, use the Export-Mailbox Exchange 2007 cmdlet, which can export items from anywhere in the mailbox (including the dumpster) to a PST for review. If you need to search the mailbox further than seven days back, you can change the deleted item retention setting on the mailbox.
But keep in mind there will be additional features for you to use when you upgrade to Exchange 2010 or Exchange 2013. For example, you could enable litigation hold in Exchange 2010 and In-Place Hold in Exchange 2013 to indefinitely hold deleted items. You can issue a Search-Mailbox cmdlet in Exchange 2010, which has a -SearchDumpsterOnly parameter. You could do an in-place search via the Exchange Admin Center in Exchange 2013. Perhaps most applicable to your question, both Exchange 2010 and Exchange 2013 have a more evolved form of auditing mailboxes called Mailbox Auditing that can actually audit items being moved to other folders.
At the root of your question, I suspect you have compliance issues related to sensitive information being moved and archived to PST files, likely due to how distributed PST files tend to be the most difficult to perform e-discovery on. Exchange 2010 and later versions offer an option to fix this problem with the choice of using Personal Archives in Exchange 2010 or In-Place Archives in Exchange 2013 to store information in Exchange databases. You can import existing PST files using the New-MailboxImportRequest cmdlet to eliminate them as a compliance issue, and you can set a Group Policy on your Outlook clients to prevent the creation of new PST files.
About the author:
Richard Luckett is a consultant and instructor specializing in messaging and unified communications. He's been a certified professional with Microsoft since 1996 and has 20 years of experience in the public and private sectors. He's a Microsoft Certified Trainer with more than 15 years of training experience with the Microsoft product line and received the Exchange MVP award in 2006, 2007 and 2008. He's also an expert in deploying and integrating Exchange Server and Lync Server. He leads the Microsoft training and consulting practice at LITSG.
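The Exchange 2010 approach described in the answer (Mailbox Auditing plus a dumpster-only Search-Mailbox), sketched as an added example that is not from the original answer. The mailbox address, search query, target folder name and CSV path are constructed placeholders, and the script assumes Exchange 2010 SP1 or later, where mailbox audit logging is available.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2010 SP1 or later).
# Every value in this block is a constructed placeholder, not taken from the article.
$Mailbox      = 'jdoe@example.com'            # mailbox under review
$ReviewTarget = 'Discovery Search Mailbox'    # mailbox that receives copies of search hits
$Query        = 'subject:"Q3 forecast"'       # keyword criteria for the search
$Since        = (Get-Date).AddDays(-7)        # start of the audit window to review

# 1. Start recording the mailbox owner's moves and deletions.
#    Owner actions are not audited unless listed explicitly in -AuditOwner.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner Move,MoveToDeletedItems,SoftDelete,HardDelete

# 2. Confirm the audit settings and how long deleted items are retained,
#    since that retention window bounds what the dumpster search can find.
Get-Mailbox -Identity $Mailbox |
    Format-List AuditEnabled,AuditOwner,RetainDeletedItemsFor,LitigationHoldEnabled

# 3. Search only the dumpster (Recoverable Items) for the keyword and copy
#    hits to a review folder; nothing is removed from the source mailbox.
Search-Mailbox -Identity $Mailbox -SearchQuery $Query -SearchDumpsterOnly `
    -TargetMailbox $ReviewTarget -TargetFolder 'DumpsterReview-jdoe' -LogLevel Full

# 4. Pull owner move/delete audit entries for the window and save them for review.
#    Only actions taken after step 1 are present. As the answer explains, a move
#    to a PST is a copy followed by a delete, so expect delete operations here,
#    not a distinct "moved to PST" entry.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner -ShowDetails `
    -StartDate $Since -EndDate (Get-Date) |
    Where-Object { 'Move','MoveToDeletedItems','SoftDelete','HardDelete' -contains $_.Operation } |
    Sort-Object LastAccessed |
    Export-Csv -Path .\owner-move-delete-audit.csv -NoTypeInformation
```

Owner auditing can generate a large volume of entries, so scope it to the mailboxes under review and correlate the delete timestamps in the CSV with the items the dumpster search returns.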