Forensics on past employee Outlook e-mail.
Recently, I've taken over servicing a family company 2008 Server R2. A few years ago an employee with a company Outlook acct embezzled from the company, among other bad practices. The Active Directory still retains the former employee's user account, and I've enabled it and reset the password through Active Directory. The CEO needs a copy of an e-mail sent (possibly incriminating). I need advice on retrieving the acct and access to it. The employee was a salesman and did not have a local machine within the office, so I've no access to an HDD to perform any digital forensics on it. The employee had to have used the Exchange server. I thought about adding a local machine under my user name and going through the Exchange settings to change the permissions in order to access them. It would be some work, but I would appreciate it if anyone has any advice as to whether there is another, preferably simpler, way to do this. I've already tried logging in under the Exchange as the user name and new password, but to no avail. I'm hoping the acct is still stored on the server, even if it is stored within a back-up. Thank you.
February 1st, 2014 7:30pm

You probably will have to sift through backups; could take a lot of work, for nothing.

February 1st, 2014 8:06pm

Hi,

It may be better to consider that it's not actually an Outlook account, but is an Active Directory account attached to an Exchange mailbox. If you are needing to access the details/data of that mailbox (incoming emails, outgoing emails, stored emails, etc.), that information will be in the Exchange message store and/or it may have been "delivered" to a local PST file on a workstation computer, depending upon the configuration of the Outlook client settings profile where the account was used.

So the focus may need to be on the Exchange server, if the workstation used at the time is unavailable.

You would be best to seek assistance with the Exchange server aspects/possibilities, in the Exchange forums.

You may be able to perform a redirected restore of the user mailbox from backups, depending on the type of backups used for protecting the Exchange server. Some backup solutions might require you to restore the whole server backup to a duplicated Windows server (e.g. if the backup solution doesn't perform brick-level backups, you will need to restore the whole Exchange server to a temporary server).

February 1st, 2014 8:14pm

Thanks Don & VF,

I've been looking at the workstation and concentrating there, when I thought that maybe I should be looking more or less into the Exchange. The backups should get me access so long as I can find the right date (won't be hard). I will probably have to deploy the back-up to a duplicated Exchange server. I've got the capability to set up a physical temporary server (edit: It just now occurred to me. I may be able to VM it. Just ordered more RAM.), so hopefully a back-up image will work, though the hardware would be different (but shouldn't matter if it's an Exchange server image, right?). While I was on the server today I found the user's Outlook profile links, but they were "broken" and prompted to "fix". That did not work, but it gives me hope that an older back-up just might work. For the CEO, it's worth it to dig into this. We know there is one e-mail in particular, so it's something I'm having to pursue regardless of how painstaking. It will certainly be a learning experience for me.


  • Edited by tmoody22 8 hours 33 minutes ago
February 1st, 2014 8:31pm

This topic is archived. No further replies will be accepted.
