We have exchange server 2013, and a user who accesses his mailbox from an iPhone, an Outlook 2013 client, and an Outlook 2010 client. Around 10 times over the last month, he has claimed that his mailbox has been fully erased, and only new emails are showing up. Each time, we restored his emails from a backup, but this is getting excessive now. No one else in our company has this issue (100 mailboxes).

Is there a way to log when an email is deleted from a mailbox, and where the command to delete it came from?

You can up to certain level...

Mailbox audit logging - https://technet.microsoft.com/en-us/library/ff459237%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

Enable or disable mailbox audit logging for a mailbox - https://technet.microsoft.com/en-us/library/ff461937(v=exchg.150).aspx

But I would also ask him to remove his iPhone from accessing mailbox, that would make things easier to see if problem goes away after t

Oh yeh and btw, by default owner entries are not logged in so you need to add actions for owner to get logged.

Set-Mailbox UserName -AuditEnabled $true -AuditOwner "HardDelete, Movetodeleteditems, softdelete

Great points from Amit and you also may want to look at the Exchange settings on the iPhone and configure it to only delete the representation of the items on the phone and not from the actual mailbox.  This would at least allow them functionality on the phone without effecting the MB

Fantastic! I've enabled mailbox auditing for the owner.

What is the best way to view that information? I ran a command to view the logs:

Search-MailboxAuditLog
-Identity user -LogonTypes Owner StartDate (Get-Date).AddHours(-1)
ShowDetails

But it doesn't present in a clean format. Also, each log has many lines, and the exchange shell only lets you scroll so far. Can these logs be exported to a more viewable format? Maybe .csv? I saw how to do it through the Exchange Admin Console, but that is only for reports on non-owners.

So the user has lost all emails in his mailbox again. I ran a report on the audit logs, and it shows that the command to delete the emails is coming from "activesync" around midnight. There is no originating IP address. Anyone know why this might be?

Hi,

Please post some results of mailbox auditing for us.

If the activesync deletes the emails around midnight based on the audit logs, I suggest to disable the activesync for this user to check this issue.

Set-CASMailbox UserName ActiveSyncEnabled $false

Best Regards.

I have omitted some info, and put clarification in ((double parenthesis)).

RunspaceId                    : 217ef65c-e4ca-4d75-8d84-7a6ef45f6c20
Operation                     : SoftDelete
OperationResult               : Succeeded
LogonType                     : Owner
ExternalAccess                : False
DestFolderId                  :
DestFolderPathName            :
FolderId                      : LgAAAABsx2MacFPsRIK3DLvd+onBAQBDqvVDO86+TbGlDcTOD0ENAAAAAAEKAAAB
FolderPathName                : \Deleted Items
ClientInfoString              : Client=ActiveSync;User=((The user's e-mail address))
ClientIPAddress               : ::1
ClientMachineName             :
ClientProcessName             :
ClientVersion                 :
InternalLogonType             : Owner
MailboxOwnerUPN               : ((The user's e-mail address))
MailboxOwnerSid               : S-1-5-21-854245398-861567501-1801674531-8779
DestMailboxOwnerUPN           :
DestMailboxOwnerSid           :
DestMailboxGuid               :
CrossMailboxOperation         : False
LogonUserDisplayName          : ((The user's name))
LogonUserSid                  : S-1-5-21-854245398-861567501-1801674531-8779
SourceItems                   : {RgAAAABsx2MacFPsRIK3DLvd+onBBwBDqvVDO86+TbGlDcTOD0ENAAAAAAEKAABDqvVDO86+TbGlDcTOD0ENAA
                                BJ7ufKAAAJ}
SourceFolders                 : {}
SourceItemIdsList             : RgAAAABsx2MacFPsRIK3DLvd+onBBwBDqvVDO86+TbGlDcTOD0ENAAAAAAEKAABDqvVDO86+TbGlDcTOD0ENAAB
                                J7ufKAAAJ
SourceItemSubjectsList        : test
SourceItemFolderPathNamesList : Deleted Items
SourceFolderIdsList           :
SourceFolderPathNamesList     :
ItemId                        :
ItemSubject                   :
DirtyProperties               :
OriginatingServer             : VIREX01 (15.00.1044.021)
MailboxGuid                   : e76eb705-9170-4221-9438-ec5e69943176
MailboxResolvedOwnerName      : ((The user's name))
LastAccessed                  : 7/18/2015 8:52:24 PM
Identity                      : AAMkADAzNDhmMmNlLWIzMGMtNGE1My1hY2I4LTc4NGMyZGFhYjg1NQBGAAAAAABsx2MacFPsRIK3DLvd+onBBwB
                                DqvVDO86+TbGlDcTOD0ENAABJ2GsSAABDqvVDO86+TbGlDcTOD0ENAABJ8NdMAAA=
IsValid                       : True
ObjectState                   : New

You might need to check the device level settings on his iPhone and possible disable the ActiveSync and ask user to see behavior for few days, if nothing is getting erased then blame some of the iPhone setting... ;)

May be he enabled Auto Archive in outlook

Open his outlook - file -> outlook options -> click Advanced -> Check Auto Archive then click AutoArchive Settings,

verify Run AutoArchive every is enable and verify enable Permanently delete old items. Please disable this settings and then try again

regards,

Joby

I would tend to lean in the Direction of Amits suggestion since Outlook doesn't use ActiveSync to connect and you have already established that this is happening in ActiveSync.  I would look into the users Exchange Connection settings on their iPhone and also inquire if they have an iPad setup for access as well

I'd like to thank everyone for their help, without you I wouldn't have been able to solve the issue. Turns out that someone is maliciously deleting emails from the inbox. We set up remote monitoring software on the user's computer and watched as they deleted them all. Crazy world we live in huh?

Is there any way to prevent the owner of a mailbox from deleting ANY emails? But still allow them to create new emails and read old ones?

Unfortunately no, but you can put user mailbox in Litigation hold so that you don't have to restore things frequently and get everything from dumpster....

All you need to know about Litigation Hold is here...

http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/exchange-2010-litigation-hold-part1.html

BTW, don't forgot to put surveillance cameras around user's computer ;-)

Amit is correct and the only other thing you could do is turn on audit logging https://technet.microsoft.com/en-us/library/Ff459237%28v=EXCHG.150%29.aspx?f=255&MSPPError=-2147217396