Forum Discussion
StephanGee
Jul 24, 2024 Steel Contributor
Mails duplicated - now we have 230k mails in a shared mailbox - New-ComplianceSearchAction sucks
Hi everyone, we have an error like this: Junk email messages multiplying without user actions in Shared Mailboxes - Microsoft Support We removed everyone from the shared mailbox and it also sto...
StephanGee
Jul 24, 2024 Steel Contributor
On top of this - I want to look at the Audit Log of this Shared Mailbox to see if I can identify the user that causes all this, but I get no hits back....
This is the audit setting for this mailbox:
AuditEnabled : True
AuditLogAgeLimit : 180.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner : {Update, Move, MoveToDeletedItems, SoftDelete...}
I am global admin and using - what am I doing wrong? Or is it because a shared mailbox has no license?
Search-MailboxAuditLog SMB-sharedmailbox -startdate 07/24/2024 -enddate 07/24/2024 -LogonTypes Owner -ShowDetails
or
search-unifiedauditlog -startdate 07/24/2024 -enddate 07/24/2024 -recordtype 'exchangeitem' -userids 'email address removed for privacy reasons'
VasilMichev
Jul 25, 2024 MVP
Some audit events do not flow to the UAL for unlicensed mailboxes, because Microsoft... I guess you're seeing this in effect.
As for deleting duplicate items, my go-to solution is this EWS script: https://github.com/David-Barrett-MS/PowerShell-EWS-Scripts/blob/master/Legacy/Remove-DuplicateItems.ps1
StephanGee
Jul 25, 2024 Steel Contributor
Yes - but I see nothing. I get no hits back whatsoever.
There must be some kind of solution for this. How shall we DFIR if we do not know what was accessed? And troubleshoot issues like this or deletion of mails etc.
StephanGee
Sep 04, 2024 Steel Contributor
MS identified the user and we could solve this by removing her.