Shared mailbox messages going to recoverable deleted items

%3CLINGO-SUB%20id%3D%22lingo-sub-835529%22%20slang%3D%22en-US%22%3EShared%20mailbox%20messages%20going%20to%20recoverable%20deleted%20items%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-835529%22%20slang%3D%22en-US%22%3E%3CP%3EHi!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETrying%20to%20solve%20an%20issue%20that's%20plagued%20me%20for%20a%20couple%20weeks.%20We%20have%20a%20shared%20mailbox%20hosted%20in%20Exchange%20Online%20that%20receives%20customer%20orders.%20We're%20discovering%20that%20many%20orders%20are%20somehow%20landing%20in%20the%20recoverable%20items%20section%20of%20deleted%20items%20and%20we've%20yet%20to%20find%20a%20root%20cause.%20Things%20I've%20tried%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Disable%2C%20then%20deleted%2C%20all%20mailbox-level%20rules%20on%20the%20shared%20mailbox.%3C%2FP%3E%3CP%3E2.%20Tried%20to%20get%20audit%20logs%20from%20protection.office.com%20-%20no%20results%20available.%3C%2FP%3E%3CP%3E3.%20Eventually%20stumbled%20on%20this%20article%20which%20lets%20me%20export%20logs%20to%20a%20CSV.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4021960%2Fhow-to-use-mailbox-audit-logs-in-office-365%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4021960%2Fhow-to-use-mailbox-audit-logs-in-office-365%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EHowever%20the%20logs%20are%20somewhat%20inconclusive.%20I%20see%20some%20actions%20like%20%22SoftDelete%22%20from%20users%20(which%20I%20think%20would%20not%20move%20the%20email%20to%20recoverable%20deleted%20items).%20I%20also%20see%20%22MoveToDeletedItems%22%20and%20%22HardDelete%22.%20However%20there's%20only%20a%20handful%20of%20hard%20deletes%20-%20not%20enough%20to%20account%20for%20the%20hundreds%20of%20emails%20showing%20in%20recoverable%20deleted%20items.%3C%2FP%3E%3CP%3E4.%20Reset%20all%20users%20passwords.%3C%2FP%3E%3CP%3E5.%20Had%20their%20supervisor%20remind%20them%20no%20emails%20should%20be%20deleted%2C%20only%20moved%20to%20a%20folder%20called%20%22Completed%22.%20Multiple%20users%20insist%20they%20understand%20this%20protocol%20and%20are%20following%20it.%3C%2FP%3E%3CP%3E6.%20Checked%20several%20suspect%20users%20in%20the%20audit%20log%20for%20Outlook%20issues%2C%20rules%2C%20ignore%2C%20or%20other%20reasons%20that%20might%20be%20causing%20it.%20Rebuilt%20a%20suspect%20user's%20Outlook%20profile.%3C%2FP%3E%3CP%3E7.%20Ran%20Get-InboxRule%20to%20see%20if%20there%20were%20any%20additional%20rules%3C%2FP%3E%3CP%3E8.%20Ran%26nbsp%3Boutlook.exe%20%2Fcleanconvongoingactions%20to%20remove%20any%20ignores%3C%2FP%3E%3CP%3E9.%20Remove%20all%20mailbox%20permissions%20except%20for%20system%20ones%20(e.g.%20NT%20Authority%5CSELF%2C%20NAMPRD02%5CExchange%20Users%2C%20etc.).%20Re-add%20to%20try%20to%20identify%20which%20users%20are%20causing%20deletes.%20As%20we've%20slowly%20re-added%20users%20we%20saw%20deletes%20stop%20for%20a%20while%20and%20thought%20we%20had%20identified%20a%20specific%20user%2C%20but%20today%20confirmed%20that%20is%20not%20the%20case%20-%20there's%20no%20specific%20user%20that%20appears%20to%20be%20the%20cause.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHelp%3F%20Any%20ideas%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-836080%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20mailbox%20messages%20going%20to%20recoverable%20deleted%20items%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-836080%22%20slang%3D%22en-US%22%3E%3CP%3EMailbox%20Auditing%20is%20the%20correct%20method%20to%20troubleshoot%20this%2C%20but%20I'd%20suggest%20you%20also%20check%20for%20any%20retention%20policies%20applied%20on%20the%20mailbox.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20Hard-delete%20corresponds%20to%20the%20message%20being%20Purged%20(moved%20to%20the%20Purges%20folder%20is%20SIR%2Fhold%20is%20configured%20for%20the%20mailbox)%2C%20not%20to%20moving%20messages%20to%20the%20Recoverable%20Items%20folder.%20That%20last%20one%20is%20still%20a%20soft-delete%20operation.%20Make%20sure%20all%20of%20these%20operations%20are%20actually%20being%20audited.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2100907%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20mailbox%20messages%20going%20to%20recoverable%20deleted%20items%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2100907%22%20slang%3D%22en-US%22%3EDid%20you%20find%20a%20resolution%20for%20this%3F%20I%20have%20a%20very%20similar%20issue%20giving%20me%20grey%20hairs!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2256525%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20mailbox%20messages%20going%20to%20recoverable%20deleted%20items%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2256525%22%20slang%3D%22en-US%22%3EI%20have%20a%20similar%20issue%20as%20well.%20I%20have%20a%20user%20moving%20an%20email%20from%20the%20shared%20mailbox's%20Inbox%20to%20a%20sub%20folder%20in%20the%20shared%20mailbox%20by%20dragging%20and%20dropping.%20It%20shows%20up%20in%20the%20recoverable%20deleted%20items%20and%20in%20the%20audit%20log%20as%20a%20soft-delete.%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi!

 

Trying to solve an issue that's plagued me for a couple weeks. We have a shared mailbox hosted in Exchange Online that receives customer orders. We're discovering that many orders are somehow landing in the recoverable items section of deleted items and we've yet to find a root cause. Things I've tried:

 

1. Disable, then deleted, all mailbox-level rules on the shared mailbox.

2. Tried to get audit logs from protection.office.com - no results available.

3. Eventually stumbled on this article which lets me export logs to a CSV.

 

https://support.microsoft.com/en-us/help/4021960/how-to-use-mailbox-audit-logs-in-office-365


However the logs are somewhat inconclusive. I see some actions like "SoftDelete" from users (which I think would not move the email to recoverable deleted items). I also see "MoveToDeletedItems" and "HardDelete". However there's only a handful of hard deletes - not enough to account for the hundreds of emails showing in recoverable deleted items.

4. Reset all users passwords.

5. Had their supervisor remind them no emails should be deleted, only moved to a folder called "Completed". Multiple users insist they understand this protocol and are following it.

6. Checked several suspect users in the audit log for Outlook issues, rules, ignore, or other reasons that might be causing it. Rebuilt a suspect user's Outlook profile.

7. Ran Get-InboxRule to see if there were any additional rules

8. Ran outlook.exe /cleanconvongoingactions to remove any ignores

9. Remove all mailbox permissions except for system ones (e.g. NT Authority\SELF, NAMPRD02\Exchange Users, etc.). Re-add to try to identify which users are causing deletes. As we've slowly re-added users we saw deletes stop for a while and thought we had identified a specific user, but today confirmed that is not the case - there's no specific user that appears to be the cause. 

 

Help? Any ideas? 

4 Replies

Mailbox Auditing is the correct method to troubleshoot this, but I'd suggest you also check for any retention policies applied on the mailbox.

 

Also, Hard-delete corresponds to the message being Purged (moved to the Purges folder is SIR/hold is configured for the mailbox), not to moving messages to the Recoverable Items folder. That last one is still a soft-delete operation. Make sure all of these operations are actually being audited.

Did you find a resolution for this? I have a very similar issue giving me grey hairs!
I have a similar issue as well. I have a user moving an email from the shared mailbox's Inbox to a sub folder in the shared mailbox by dragging and dropping. It shows up in the recoverable deleted items and in the audit log as a soft-delete.

Hi Guys, there's a registry change I found which fixed for me: 

 

If the user has at least author rights to the shared mailbox's Deleted Items folder, the deleted items can go into the shared mailbox's deleted items folder. You (or the administrator) need to add this key to the registry.

Outlook 2016 and Outlook 2019

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General
DWORD: DelegateWastebasketStyle
Value: 4 (use shared mailbox's Deleted items)
8 (use the default (or user's) deleted items folder)

@EEH18 

I can't see this working however with OWA or o365 online