Auditing Extreme Public Folder Deletion

A quick and easy call this morning. We have a customer who has had around 80GB of public folders deleted mysteriously. The change has been replicated round, but they have restored the data and would like to know how it happened, and whether there is any way of auditing events that happened in the past. The short answer is no.
Public folders exist within the Exchange database, not Active Directory, so there is no way of tracking the deletion via AD tools. A quick trawl through the MS partner forums confirms that there is no other way to find this information other than following the procedures below.
It is possible to turn auditing on for Exchange 2003 SP2 and later by adjusting the diagnostic logging for the MSExchangeIS / Public Folder / General category to Medium. This will produce a 9682 information event in the Application event log for each deletion, which looks like this:
[Image: 9682 information event]
In Exchange 2007 SP1 you need to use the Exchange Management Shell, and the following command (the category identity uses backslashes):

Set-EventLogLevel -Identity "MSExchangeIS\9001 Public\General" -Level Medium

In SP2 it is possible to use "Set diagnostic logging" in the Action pane if you select the server object. This also works for Exchange 2010.

[Image: Set diagnostic logging option, Exchange 2010]

Once you have the logging enabled you can trawl the event logs using a script from the blog post here:
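As an added example (not the script the post links to, and not from the original post), the following PowerShell pulls the 9682 events out of the Application log once the category above is at Medium, parses out the folder and the account that deleted it, and tallies deletions per account. It assumes Exchange 2007 SP2/2010 on a server with Get-WinEvent, and that the 9682 message reads along the lines of "Folder <path> ... was deleted by <user>"; check the regex against a real 9682 event on your own server before trusting the parsed columns.

```powershell
# Added example: report public folder deletions from Exchange event 9682.
# Assumptions (not from the original post): Get-WinEvent is available
# (Windows Server 2008 or later) and the 9682 message text contains
# "Folder <path> ... deleted by <user>"; adjust $pattern if yours differs.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30,
    [string]$OutCsv = ".\pf-deletions.csv"
)

$since = (Get-Date).AddDays(-$Days)

# Step 1 (run once in the Exchange Management Shell): raise the logging level.
# Set-EventLogLevel -Identity "MSExchangeIS\9001 Public\General" -Level Medium

# Step 2: collect 9682 events from the Application log for the period of interest.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Application'
    Id        = 9682
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing logged before the level was raised cannot be recovered afterwards.
    Write-Warning "No 9682 events since $since. Was diagnostic logging at Medium before the deletion?"
    return
}

# Assumed message shape; captures the folder path and the deleting account.
$pattern = 'Folder\s+(?<Folder>.+?)\s+.*?deleted by\s+(?<User>.+?)\.?\s*$'

$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $pattern, 'Singleline')
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Server  = $e.MachineName
        Folder  = if ($m.Success) { $m.Groups['Folder'].Value } else { '<unparsed>' }
        User    = if ($m.Success) { $m.Groups['User'].Value }   else { '<unparsed>' }
        Message = $e.Message
    }
}

# Keep the raw messages alongside the parsed fields for later review.
$rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation

# Deletions per account: one identity removing hundreds of folders in a few
# minutes points at a user session or a mis-set tool rather than a policy.
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from an elevated Exchange Management Shell on the public folder server (or pass -ComputerName); the CSV keeps the full message text so unparsed rows can still be read by hand.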
So what caused it? Don't know. My money would be on a user, but it might also be a policy, although the customer says not, or a third-party tool that's been mis-set.

Checking the permissions on the folders would be a good place to start – anyone with owner permission could delete the folder.
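One way to do that permissions check across the whole tree, as an added example that is not from the original post: walk every public folder with the Exchange 2007/2010 Management Shell cmdlets and list each principal holding Owner, flagging any that are not on an expected list. The $expectedOwners entries are placeholders to replace with your own admin groups; a Default or Anonymous entry with Owner is the first thing to look for.

```powershell
# Added example: find every public folder where a principal holds Owner rights
# (and so can delete the folder). Assumes Exchange 2007/2010 cmdlets
# Get-PublicFolder and Get-PublicFolderClientPermission. The expected-owner
# names below are placeholders, not values from the original post.

$expectedOwners = @('Public Folder Admins')   # placeholder: your admin group(s)

Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited |
    ForEach-Object {
        $folder = $_
        Get-PublicFolderClientPermission -Identity $folder.Identity |
            Where-Object { $_.AccessRights -contains 'Owner' } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder     = $folder.Identity
                    User       = [string]$_.User
                    Unexpected = ($expectedOwners -notcontains [string]$_.User)
                }
            }
    } |
    Where-Object { $_.Unexpected } |
    Sort-Object Folder |
    Format-Table -AutoSize
```

Drop the final Where-Object to see all owners rather than only the unexpected ones; on a large hierarchy pipe the result to Export-Csv instead of Format-Table.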
