09-03-2019 02:11 PM
Trying to solve an issue that's plagued me for a couple weeks. We have a shared mailbox hosted in Exchange Online that receives customer orders. We're discovering that many orders are somehow landing in the recoverable items section of deleted items and we've yet to find a root cause. Things I've tried:
1. Disabled, then deleted, all mailbox-level rules on the shared mailbox.
2. Tried to get audit logs from protection.office.com - no results available.
3. Eventually stumbled on this article which lets me export logs to a CSV.
However the logs are somewhat inconclusive. I see some actions like "SoftDelete" from users (which I think would not move the email to recoverable deleted items). I also see "MoveToDeletedItems" and "HardDelete". However there's only a handful of hard deletes - not enough to account for the hundreds of emails showing in recoverable deleted items.
4. Reset all users' passwords.
5. Had their supervisor remind them no emails should be deleted, only moved to a folder called "Completed". Multiple users insist they understand this protocol and are following it.
6. Checked several suspect users in the audit log for Outlook issues, rules, ignore, or other reasons that might be causing it. Rebuilt a suspect user's Outlook profile.
7. Ran Get-InboxRule to see if there were any additional rules.
8. Ran outlook.exe /cleanconvongoingactions to remove any ignores.
9. Removed all mailbox permissions except for system ones (e.g. NT Authority\SELF, NAMPRD02\Exchange Users, etc.). Re-added to try to identify which users are causing deletes. As we've slowly re-added users we saw deletes stop for a while and thought we had identified a specific user, but today confirmed that is not the case - there's no specific user that appears to be the cause.
Help? Any ideas?
09-04-2019 01:04 AM
Mailbox Auditing is the correct method to troubleshoot this, but I'd suggest you also check for any retention policies applied on the mailbox.
Also, Hard-delete corresponds to the message being Purged (moved to the Purges folder if SIR/hold is configured for the mailbox), not to moving messages to the Recoverable Items folder. That last one is still a soft-delete operation. Make sure all of these operations are actually being audited.
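
One way to run the checks suggested in the reply above, as an added example that is not part of the thread: it reads the mailbox's audit configuration, lists retention tags that delete items, and summarizes audited delete operations per user. It assumes an already-connected Exchange Online PowerShell session; the mailbox address and the 14-day window are placeholders.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# 'orders@example.com' is a placeholder for the shared mailbox address.
$Mailbox   = 'orders@example.com'
$DeleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

# 1. Is auditing enabled, and is every delete operation audited for each logon type?
$mbx = Get-Mailbox -Identity $Mailbox
Write-Host "AuditEnabled: $($mbx.AuditEnabled)  SingleItemRecoveryEnabled: $($mbx.SingleItemRecoveryEnabled)"
foreach ($type in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
    $missing = $DeleteOps | Where-Object { $mbx.$type -notcontains $_ }
    if ($missing) { Write-Host "$type is NOT auditing: $($missing -join ', ')" }
    else          { Write-Host "$type audits all three delete operations" }
}

# 2. Retention tags on the mailbox's policy whose action deletes items.
#    These act without any user performing a delete.
if ($mbx.RetentionPolicy) {
    Write-Host "Retention policy: $($mbx.RetentionPolicy)"
    (Get-RetentionPolicy -Identity $mbx.RetentionPolicy).RetentionPolicyTagLinks |
        ForEach-Object { Get-RetentionPolicyTag -Identity $_ } |
        Where-Object { $_.RetentionEnabled -and $_.RetentionAction -like '*Delete*' } |
        Format-Table Name, Type, AgeLimitForRetention, RetentionAction -AutoSize |
        Out-Host
} else {
    Write-Host 'No retention policy assigned to this mailbox.'
}

# 3. Audited delete operations over the last 14 days, counted per user and operation.
$hits = Search-MailboxAuditLog -Identity $Mailbox -ShowDetails `
    -LogonTypes Owner, Delegate, Admin -Operations $DeleteOps `
    -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) -ResultSize 5000

$hits | Group-Object LogonUserDisplayName, LogonType, Operation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize |
    Out-Host

# Most recent entries, with the client that performed them.
$hits | Sort-Object LastAccessed -Descending |
    Select-Object -First 20 LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString |
    Format-Table -AutoSize |
    Out-Host
```

If step 1 reports an operation as not audited for a logon type, the counts in step 3 will understate activity for that logon type.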