Determine who deleted files

In the box under the Activity column header, type Set-Mailbox so that only audit records for the Set-Mailbox cmdlet are displayed. You then have to inspect each audit record to decide whether it relates to email forwarding: select the record to open the Details flyout page, and then select More information. The following descriptions cover the fields that show email forwarding was set on the mailbox.

In the ObjectId field, the alias of the mailbox that email forwarding was set on is displayed. This mailbox is also shown in the Item column on the search results page. In the Parameters field, the presence of ForwardingSmtpAddress indicates that email forwarding was set on the mailbox. In this example, mail is being forwarded to mike@contoso.com, an address outside the organization.

The True value for the DeliverToMailboxAndForward parameter indicates that a copy of each message is still delivered to sarad@alpinehouse.com. If DeliverToMailboxAndForward is set to False, email is only forwarded to the address specified by ForwardingSmtpAddress and is not delivered to the mailbox specified in the ObjectId field, so the mailbox owner never sees it.

The UserId field indicates the user who set email forwarding on the mailbox specified in the ObjectId field. This user is also shown in the User column on the search results page. If UserId is not the mailbox owner, someone else (typically an administrator) made the change, which is worth following up.
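Rather than opening the Details flyout for every Set-Mailbox record, the same ObjectId, Parameters and UserId fields can be pulled out of the unified audit log with Exchange Online PowerShell. The following is an added example and not code from the original article: it assumes you have already run Connect-ExchangeOnline, uses the real Search-UnifiedAuditLog and Set-Mailbox cmdlets, and the function names (ConvertFrom-ForwardingAuditRecord, Find-MailboxForwardingChanges, Remove-MailboxForwarding) are this example's own. The sample AuditData record at the end is constructed to mirror the article's scenario so the parsing can be checked without a tenant.

```powershell
# Added example: find Set-Mailbox audit records that configured forwarding,
# then clear forwarding on a mailbox once you have decided it is not legitimate.
# Assumes Connect-ExchangeOnline has already been run. Function names are
# this example's own; cmdlet and parameter names are Exchange Online's.

function ConvertFrom-ForwardingAuditRecord {
    # Takes one AuditData JSON string (the AuditData property of each
    # Search-UnifiedAuditLog result) and returns a summary object if the
    # record set or changed forwarding, or $null if it did not.
    param([Parameter(Mandatory)][string]$AuditDataJson)

    $d = $AuditDataJson | ConvertFrom-Json
    # Parameters is an array of {Name, Value} pairs, one per cmdlet parameter.
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }

    # ForwardingSmtpAddress (any SMTP address) or ForwardingAddress (internal
    # recipient) being present means forwarding was set or changed.
    if (-not ($params.ContainsKey('ForwardingSmtpAddress') -or $params.ContainsKey('ForwardingAddress'))) {
        return $null
    }

    $target = if ($params['ForwardingSmtpAddress']) { $params['ForwardingSmtpAddress'] } else { $params['ForwardingAddress'] }
    [pscustomobject]@{
        When        = $d.CreationTime
        Mailbox     = $d.ObjectId                     # mailbox forwarding was set on
        SetBy       = $d.UserId                       # who ran Set-Mailbox
        ForwardTo   = ($target -replace '^smtp:', '')
        KeepCopy    = $params['DeliverToMailboxAndForward'] -eq 'True'   # False = owner never sees the mail
        # Heuristic: UserId matches the ObjectId alias, so the owner did it herself.
        SelfService = ($d.UserId -eq $d.ObjectId) -or ($d.UserId -like "$($d.ObjectId)@*")
    }
}

function Find-MailboxForwardingChanges {
    # Search the last $Days days of the unified audit log for Set-Mailbox
    # records and keep only those that touched forwarding.
    param([int]$Days = 30)
    $end = Get-Date
    Search-UnifiedAuditLog -StartDate $end.AddDays(-$Days) -EndDate $end `
        -Operations Set-Mailbox -ResultSize 5000 |
        ForEach-Object { ConvertFrom-ForwardingAuditRecord -AuditDataJson $_.AuditData } |
        Where-Object { $_ }
}

function Remove-MailboxForwarding {
    # Clear both forwarding parameters and stop delivering copies elsewhere.
    param([Parameter(Mandatory)][string]$Identity)
    Set-Mailbox -Identity $Identity -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# Constructed sample record (not real tenant data) mirroring the article's scenario.
$sample = @'
{"CreationTime":"2019-03-01T14:05:12","Operation":"Set-Mailbox","UserId":"sarad@alpinehouse.com",
 "ObjectId":"sarad",
 "Parameters":[{"Name":"Identity","Value":"sarad"},
               {"Name":"ForwardingSmtpAddress","Value":"smtp:mike@contoso.com"},
               {"Name":"DeliverToMailboxAndForward","Value":"True"}]}
'@
ConvertFrom-ForwardingAuditRecord -AuditDataJson $sample | Format-List
```

Against a live tenant, run Find-MailboxForwardingChanges and look first at rows where SelfService is False (an admin changed someone else's forwarding) or KeepCopy is False (the owner would never notice). Remove-MailboxForwarding is the cleanup step once you have confirmed the forwarding is not wanted.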

In this case, it appears that the owner of the mailbox set email forwarding on her own mailbox. If you determine that email forwarding shouldn't be set on the mailbox, you can remove it with the Set-Mailbox cmdlet in Exchange Online PowerShell by clearing the ForwardingSmtpAddress parameter and setting DeliverToMailboxAndForward back to False. For more information about the parameters related to email forwarding, see the Set-Mailbox article.

Mailbox audit logging is now turned on by default for all Office 365 and Microsoft 365 organizations.

This means that certain actions performed by mailbox owners are logged automatically, and the corresponding mailbox audit records are available when you search the audit log. Before mailbox auditing was on by default, you had to enable it manually for every user mailbox in your organization. The mailbox actions logged by default include the SoftDelete and HardDelete actions performed by mailbox owners.

This means you can use the following steps to search the audit log for events related to deleted email items. For more information about mailbox auditing on by default, see Manage mailbox auditing.

Activities: Under Exchange mailbox activities, select one or both of the following activities.

Deleted messages from Deleted Items folder: This activity corresponds to the SoftDelete mailbox auditing action. It is logged when a user permanently deletes an item from the Deleted Items folder, which moves the item into the Recoverable Items folder. After an item is soft-deleted, the user can still recover it until the deleted item retention period expires.

Purged messages from mailbox: This activity corresponds to the HardDelete mailbox auditing action. It is logged when a user purges an item from the Recoverable Items folder. Admins can use the Content Search tool in the Security & Compliance Center to search for and recover purged items until the deleted item retention period expires, or longer if the user's mailbox is on hold.

Users: If you select a user in this field, the audit log search tool returns audit records for email items that were deleted (SoftDeleted or HardDeleted) by the user you specify. The user who deletes an email is not always the mailbox owner; a delegate or an administrator can delete items too. After you run the search, you can filter the results to show only soft-deleted or only hard-deleted items.

Additional information about the deleted item, such as the subject line and the folder it was in when it was deleted, is displayed in the AffectedItems field for both soft-deleted and hard-deleted items.

Users can recover soft-deleted items if the deleted items retention period has not expired. In Exchange Online, the default deleted items retention period is 14 days, but admins can increase this setting to a maximum of 30 days. Point users to the Recover deleted items or email in Outlook on the web article for instructions on recovering deleted items.

As previously explained, admins may be able to recover hard-deleted items if the deleted item retention period hasn't expired or if the mailbox is on hold, in which case items are kept until the hold duration expires.

When you run a content search, soft-deleted and hard-deleted items in the Recoverable Items folder are returned in the search results if they match the search query. For more information about running content searches, see Content Search in Office 365. To search for deleted email items, search for all or part of the subject line that's displayed in the AffectedItems field in the audit record.
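The steps above (search for SoftDelete/HardDelete, check whether the deleter is the owner, read AffectedItems, then run a content search on the subject) can be scripted. The following is an added example, not code from the original article. It assumes Connect-ExchangeOnline for Search-UnifiedAuditLog and Connect-IPPSSession for New-ComplianceSearch, both of which are real cmdlets; the function names and the mapping of LogonType values (0 owner, 1 admin, 2 delegate, as used by Exchange mailbox auditing) are this example's, and the sample record is constructed.

```powershell
# Added example: pull SoftDelete/HardDelete records from the unified audit log,
# show who deleted what (the deleter is not always the mailbox owner), and
# create the Content Search that can recover items still in Recoverable Items.
# Assumes Connect-ExchangeOnline (and Connect-IPPSSession for the compliance
# cmdlet). Function names are this example's own.

function ConvertFrom-DeletionAuditRecord {
    # One AuditData JSON string in, one object per deleted item out.
    param([Parameter(Mandatory)][string]$AuditDataJson)
    $d = $AuditDataJson | ConvertFrom-Json
    # LogonType in mailbox audit records: 0 = owner, 1 = admin, 2 = delegate.
    $logon = switch ($d.LogonType) { 0 {'Owner'} 1 {'Admin'} 2 {'Delegate'} default {"Type$($d.LogonType)"} }
    foreach ($item in $d.AffectedItems) {
        [pscustomobject]@{
            When       = $d.CreationTime
            Action     = $d.Operation                 # SoftDelete or HardDelete
            Mailbox    = $d.MailboxOwnerUPN
            DeletedBy  = $d.UserId
            LogonType  = $logon
            NotOwner   = $d.UserId -ne $d.MailboxOwnerUPN
            Subject    = $item.Subject
            FolderPath = $item.ParentFolder.Path      # where the item lived when deleted
            Client     = $d.ClientInfoString
        }
    }
}

function Find-DeletedMailItems {
    # Optionally scope to one user (the deleter, not the mailbox owner).
    param([int]$Days = 30, [string]$UserIds)
    $end = Get-Date
    $query = @{ StartDate = $end.AddDays(-$Days); EndDate = $end
                Operations = 'SoftDelete','HardDelete'; ResultSize = 5000 }
    if ($UserIds) { $query.UserIds = $UserIds }
    Search-UnifiedAuditLog @query |
        ForEach-Object { ConvertFrom-DeletionAuditRecord -AuditDataJson $_.AuditData }
}

function New-DeletedItemRecoverySearch {
    # Creates (but does not start) a Content Search scoped to the mailbox,
    # keyed on the subject taken from AffectedItems. Review it with
    # Get-ComplianceSearch, then Start-ComplianceSearch -Identity <name>.
    param([Parameter(Mandatory)][string]$Mailbox,
          [Parameter(Mandatory)][string]$Subject,
          [string]$Name)
    if (-not $Name) { $Name = "Recover-$($Mailbox.Split('@')[0])-$(Get-Date -Format yyyyMMddHHmm)" }
    $kql = 'subject:"' + ($Subject -replace '"', '') + '"'
    New-ComplianceSearch -Name $Name -ExchangeLocation $Mailbox -ContentMatchQuery $kql
}

# Constructed sample: a delegate hard-deleting an item from another user's mailbox.
$sample = @'
{"CreationTime":"2019-03-02T09:17:44","Operation":"HardDelete","LogonType":2,
 "UserId":"mike@alpinehouse.com","MailboxOwnerUPN":"sarad@alpinehouse.com",
 "ClientInfoString":"Client=OWA;Action=ViaProxy",
 "AffectedItems":[{"Subject":"Q1 board pack (confidential)",
                   "ParentFolder":{"Path":"\\Recoverable Items\\Deletions"}}]}
'@
ConvertFrom-DeletionAuditRecord -AuditDataJson $sample | Format-List
```

Sort live results by NotOwner first: a delegate or admin hard-deleting from someone else's Recoverable Items is the case the article warns about. The recovery search only helps while the item is inside the deleted item retention period or the mailbox is on hold, so run it as soon as the audit record is found.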

When users create an inbox rule for their Exchange Online mailbox, a corresponding audit record is saved to the audit log.

The first relevant activity returns audit records when inbox rules are created using Outlook on the web or Exchange Online PowerShell. The second, Updated inbox rules from Outlook client, returns audit records when inbox rules are created, modified, or removed using the Outlook desktop client. Users: Unless you're investigating a specific user, leave this field blank.

This helps you identify new inbox rules set up by any user. After you run the search, any audit records for this activity are displayed in the search results. Select an audit record to display the Details flyout page, and then select More information.

Information about the inbox rule settings is displayed in the Parameters field. In the ObjectId field, the full name of the inbox rule is displayed. This name includes the alias of the user's mailbox (for example, SaraD) and the name of the inbox rule (for example, "Move messages from admin").

In the Parameters field, the condition of the inbox rule is displayed. In this example, the condition is specified by the From parameter, whose value indicates that the inbox rule acts on email sent by admin@alpinehouse.com.
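Reading the ObjectId and Parameters fields for every new rule by hand does not scale, so it helps to parse them and flag the rule shapes that matter in an investigation: rules that forward or redirect mail, delete it, mark it read, or move it to a folder nobody looks in. The following is an added example, not code from the original article. It assumes Connect-ExchangeOnline, that ObjectId is written as "<alias>\<rule name>" (as the article describes), and that condition and action parameter names match the New-InboxRule cmdlet; the function name and the "suspicious" heuristics are this example's own, and the sample record is constructed.

```powershell
# Added example: turn New-InboxRule audit records into a review table and flag
# rules that hide or redirect mail. Assumes Connect-ExchangeOnline. Function
# name and heuristics are this example's own, not the original article's.

function ConvertFrom-InboxRuleAuditRecord {
    param([Parameter(Mandatory)][string]$AuditDataJson)
    $d = $AuditDataJson | ConvertFrom-Json
    $p = @{}
    foreach ($x in $d.Parameters) { $p[$x.Name] = $x.Value }

    # Actions that send mail elsewhere or keep the owner from seeing it.
    $flags = @()
    foreach ($k in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        if ($p[$k]) { $flags += "$k=$($p[$k])" }
    }
    if ($p['DeleteMessage'] -eq 'True') { $flags += 'DeleteMessage' }
    if ($p['MarkAsRead']    -eq 'True') { $flags += 'MarkAsRead' }
    # Heuristic: folders commonly used to park stolen mail out of sight.
    if ($p['MoveToFolder'] -match 'RSS|Conversation History|Junk|Archive') {
        $flags += "MoveToFolder=$($p['MoveToFolder'])"
    }

    # Condition parameters New-InboxRule accepts; list whichever were set.
    $condNames = 'From', 'SentTo', 'SubjectContainsWords', 'BodyContainsWords',
                 'SubjectOrBodyContainsWords', 'FromAddressContainsWords'
    $conditions = @($condNames | Where-Object { $p.ContainsKey($_) } |
                    ForEach-Object { "$_=$($p[$_])" })

    $action = if ($p['MoveToFolder']) { "MoveToFolder=$($p['MoveToFolder'])" }
              elseif ($flags.Count)   { $flags[0] }
              else                    { '(other)' }

    [pscustomobject]@{
        When       = $d.CreationTime
        Mailbox    = ($d.ObjectId -split '\\', 2)[0]   # assumed "<alias>\<rule name>"
        RuleName   = ($d.ObjectId -split '\\', 2)[1]
        CreatedBy  = $d.UserId
        Conditions = $conditions -join '; '
        Action     = $action
        Suspicious = $flags.Count -gt 0
        Flags      = $flags -join ', '
    }
}

function Find-NewInboxRules {
    param([int]$Days = 30)
    $end = Get-Date
    Search-UnifiedAuditLog -StartDate $end.AddDays(-$Days) -EndDate $end `
        -Operations New-InboxRule -ResultSize 5000 |
        ForEach-Object { ConvertFrom-InboxRuleAuditRecord -AuditDataJson $_.AuditData }
}

# Constructed sample: the article's rule, plus a redirect and mark-as-read an
# attacker might add so the owner never sees the mail.
$sample = @'
{"CreationTime":"2019-03-03T11:02:09","Operation":"New-InboxRule","UserId":"sarad@alpinehouse.com",
 "ObjectId":"SaraD\\Move messages from admin",
 "Parameters":[{"Name":"From","Value":"admin@alpinehouse.com"},
               {"Name":"MoveToFolder","Value":"SaraD:\\RSS Feeds"},
               {"Name":"RedirectTo","Value":"mike@contoso.com"},
               {"Name":"MarkAsRead","Value":"True"},
               {"Name":"Name","Value":"Move messages from admin"}]}
'@
ConvertFrom-InboxRuleAuditRecord -AuditDataJson $sample | Format-List
```

Run Find-NewInboxRules with no user filter, as the article recommends, and review rows where Suspicious is True; a rule with a RedirectTo outside your domains, or MoveToFolder into RSS Feeds combined with MarkAsRead, deserves the same follow-up as the forwarding case earlier on this page. Rules created from the Outlook desktop client appear under a different activity and are not captured by the New-InboxRule operation filter used here.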

For a complete list of the parameters that can be used to define conditions of inbox rules, see the New-InboxRule article. The MoveToFolder parameter specifies the action for the inbox rule, that is, the folder that matching messages are moved to.

In this article, I will try to explain a technique available on Windows to find out who deleted a file. The motivation for writing it comes from an issue in our production environment, and it might be useful to readers who run into the same kind of problem.

Our problem started when one of our production servers dropped out of the load balancer. We had recently deployed an ASP.NET Core application as a self-contained deployment. In a self-contained deployment, the complete .NET runtime is published alongside the application, including the executable that hosts it. In our scenario, that exe was being deleted, which was taking the server out of service. Since the production server has restricted access, it wasn't plausible that a user was deleting the file. The delete operation was sporadic and happened on some servers while others kept working fine. This was the motivation for identifying how the exe was getting deleted.

If you are interested in more details, refer to the GitHub issue. Even if the scenario above does not match yours, there are plenty of situations where finding out who deleted a file matters. Windows offers a built-in audit feature, configured through policies, that lets you audit access requests to objects, logons, process tracking, and more.

Note: You will need administrator permissions on the machine where file auditing is to be set up. Operating systems offer functionality to track file operations; Windows uses policies to manage the settings that govern what can be done on the machine. Wikipedia defines Group Policy as "a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts."
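The two halves of the technique are enabling the audit policy and reading back the resulting Security events. The following is an added example, not code from the original article: it assumes an elevated PowerShell session on the affected server, uses auditpol.exe, the .NET FileSystemAuditRule class, Get-Acl/Set-Acl and Get-WinEvent (all real), and relies on two facts about Windows auditing: file access is logged as event 4663 once the "File System" subcategory is enabled and the object carries a SACL, and DELETE is access mask bit 0x10000. The function names and the folder path in the usage comment are this example's own.

```powershell
# Added example (not from the original article): audit deletions under a
# folder on Windows and read back who deleted what from the Security log.
# Run from an elevated PowerShell session; setting a SACL and reading the
# Security log both require administrator rights.

function Enable-DeleteAuditing {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Turn on the "File System" subcategory of Object Access auditing.
    #    Without this, SACLs on files produce no events at all.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # 2. Put a SACL on the folder: audit successful Delete and
    #    DeleteSubdirectoriesAndFiles by anyone, inherited by all children.
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit        # -Audit is needed to read/write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function ConvertFrom-FileAccessEvent {
    # Flattens a 4663 ("An attempt was made to access an object") event.
    # 4663 carries the account and process name; 4660 ("An object was deleted")
    # carries only the handle ID, so 4663 is the record to read and 4660 the
    # one to correlate with via HandleId if you need proof the delete completed.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $f = @{}
    foreach ($n in $xml.Event.EventData.Data) { $f[$n.Name] = $n.'#text' }
    $mask = [Convert]::ToInt32($f.AccessMask, 16)      # e.g. "0x10000"
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        User       = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
        Object     = $f.ObjectName
        Process    = $f.ProcessName                    # the binary that held the handle
        AccessMask = ('0x{0:X}' -f $mask)
        IsDelete   = ($mask -band 0x10000) -ne 0       # DELETE right requested
        HandleId   = $f.HandleId
    }
}

function Get-FileDeletions {
    # Delete-access events for objects under $PathPrefix in the last $Hours hours.
    param([string]$PathPrefix = '', [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-FileAccessEvent -Event $_ } |
        Where-Object { $_.IsDelete -and $_.Object -like "$PathPrefix*" }
}

# Usage (paths are illustrative):
#   Enable-DeleteAuditing -Path 'D:\inetpub\myapp'
#   Get-FileDeletions -PathPrefix 'D:\inetpub\myapp' | Format-Table Time, User, Process, Object
```

Two caveats a practitioner should keep in mind. First, a 4663 with the DELETE bit means a handle was opened with delete access, not that the file is gone; match HandleId against a following 4660 to confirm the deletion. Second, if audit policy on the server is managed by Group Policy, the local auditpol change can be overwritten at the next policy refresh, so set the "File System" subcategory in the GPO that applies to the server instead. In the scenario above, the Process column is what tells you whether the exe was removed by a person, a deployment agent, or security software.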
