SOLVED

Trying to recover lost emails for one user.

Brass Contributor

Essentials.  I have a user that somehow has lost exactly, to the day, 1 year of emails from his inbox, just his inbox.  I have looked at the deepcache settings and OWA.  Same thing.  I looked through other folders, they are not to be found.

 

So, via the Security and Compliance center I have done a recover of that year. It seemed to work well and in fact generated a 5Gb .pst file.  I have tried both opening that .pst file in Outlook and doing an import into a folder in his mailbox.  The recover will run for over an hour, with it going through folder after folder and then finish.

 

I go into the folder that I imported them, or go into the mailbox itself that I opened and all I have is a huge amount of nested folders and very few messages.  I cannot figure out what is taking up 5Gb and what takes so long to do the import.  The import is the same as the folder structure in the open mailbox.

 

Has anybody done a recovery like this with success? Or, has anybody seen email just disappear this way?  Yes, as soon as I saw it missing I went to the OWA interface and it was missing there as well.  So deleting the .OST file and letting it rebuild just ended up with it being the same.

 

Any advice appreciated

3 Replies

@BoxOfFrogs 

 

This is the list of folders I end up with after the import.  I can locate a couple of inbox folders within them, but there might be 2-3 messages in each.  Keep in mind this is a years worth of recovery and a 5Gb file.

 

List of folders.jpg

best response confirmed by BoxOfFrogs (Brass Contributor)
Solution

How exactly did he "lose" the items? If it's exactly 1year, perhaps he applied a retention tag to the Inbox folder? If so, check what the retention action was, as items might either be deleted or moved to the archive mailbox.

 

The recovery steps will depend on the action above - if the messages were deleted, you should be able to simply go to the dumpster and mass recover them, or use PowerShell: https://blogs.technet.microsoft.com/recoverableitemscmdlet/2018/01/08/45/

 

If they were archived, moving them back is a bit more complicated as we dont have built-in tools. In general an EWS-based script could do it, or you can just use the eDiscovery process. I strongly advise you limit the search to just the Inbox folder, but if that's not possible you can just ignore the ApplicationDataRoot, CalendarSharingCacheCollection and SubstrateFiles containers - those do not contain any user-accessible items (although they are the ones contributing most to the size of the PST).

 

 

@Vasil Michev Thank you.  Well, I think I was looking at this the wrong way and trying to recover things to the Inbox.  When I went to the Recover Deleted Items (Dumpster in your words, they should have named it that)  I found what I think the user wants but can't confirm until he is back after the weekend.  

 

In other words I think, and hope, the email was deleted by him, and then the deleted folder emptied.  However I don't know why it was emptied, this user would not even be aware you can do that.  Anyway, I am currently recovering everything in the dumpster to the deleted folder and will then just move the lot into the Inbox and have him sort out what he needs/wants.  I suspect he is somebody using the Deleted folder as a place to store stuff against everything I advise them to do.

 

There seems to be no retention policies set on his folders.  I have not set up any global ones and don't know what the default, if any, is in 365.  Interestingly the only option regarding this on all the top level folders (inbox, sent, deleted, etc.) are all "from parent file" .  Any folders below those have the usual options.  I assume the parent of those would be the mailbox, but I see nothing there.  He does not have the "empty deleted folder upon exit" checked off.

 

Bottom line I'm sure this is some kind of user error that caused it but I'm not sure what he did.  I would like to point is out so it doesn't happen again.

 

 

 

 

1 best response

Accepted Solutions
best response confirmed by BoxOfFrogs (Brass Contributor)
Solution

How exactly did he "lose" the items? If it's exactly 1year, perhaps he applied a retention tag to the Inbox folder? If so, check what the retention action was, as items might either be deleted or moved to the archive mailbox.

 

The recovery steps will depend on the action above - if the messages were deleted, you should be able to simply go to the dumpster and mass recover them, or use PowerShell: https://blogs.technet.microsoft.com/recoverableitemscmdlet/2018/01/08/45/

 

If they were archived, moving them back is a bit more complicated as we dont have built-in tools. In general an EWS-based script could do it, or you can just use the eDiscovery process. I strongly advise you limit the search to just the Inbox folder, but if that's not possible you can just ignore the ApplicationDataRoot, CalendarSharingCacheCollection and SubstrateFiles containers - those do not contain any user-accessible items (although they are the ones contributing most to the size of the PST).

 

 

View solution in original post