
Any Exchange admins out there? A question for you guys...


MattACaster


  • Members
Are you familiar with deleted items retention policy? As I said before, if enabled, nothing is deleted, at least until the retention period is over. You can increase that 4 weeks, 8 weeks, etc. There is no "dumpster" in Exchange as far as I know.



Yeah, there's a dumpster. I wish I could give you screenshots, but we're using Exchange 2007 now and it's quite different.

Look up the EXMERGE utility; when you run it, there's a tab to recover dumpster items, which are items the user has deleted, but are held with the server's retention policy.

The client retention policy has to be done separately with a folder-based policy, AFAIK - I have that set to 90 days, and the deleted item retention policy on the server set to 45 days. We send off a monthly tape for permanent off-site storage, so, in theory, it should be there.

I've been recently tasked to make sure this is true :(


  • Members
Yeah, there's a dumpster. I wish I could give you screenshots, but we're using Exchange 2007 now and it's quite different.


Look up the EXMERGE utility; when you run it, there's a tab to recover dumpster items, which are items the user has deleted, but are held with the server's retention policy.


The client retention policy has to be done separately with a folder-based policy, AFAIK - I have that set to 90 days, and the deleted item retention policy on the server set to 45 days. We send off a monthly tape for permanent off-site storage, so, in theory, it should be there.


I've been recently tasked to make sure this is true :(



Oh ok, I haven't used 2007 yet.

:thu:


  • Members
I ended up creating a dummy email account (Rusty Shackleford for all you King of the Hill fans out there) and enabled email forwarding on the user's account in question. So it's now delivering to the user's mailbox and forwarding a copy of everything to Rusty. ;)



But you're only seeing incoming items that way, not anything the person sent. Journaling is the only way to see all items, incoming & outgoing.


  • Members

I do.


Basically, we are trying to dig up dirt to get this person (who is pretty high up) out of the company. It's a whole big mess....

 

I do forensics and e-discovery professionally, so here's my advice.

 

Make sure you get something in writing from your company's legal department before you do anything. This is a very sticky legal situation that can land you in trouble if not done properly. When in doubt, get authorization from legal so that the onus is on them and not you. Hopefully your company's policies state that all e-mail/communications are owned by the company and subject to review/monitoring. If not, you have a legal problem. Even though the company owns the resources, the courts have ruled that users must be notified that they have no expectation of privacy while using those resources. No matter what, document everything: the request to do the work, responses from legal, explicit authorization from your management to do what needs to be done. It's the best way to stay out of legal trouble if something goes wrong.

 

Secondly, which version of Exchange? Exchange 2003 supports archiving all incoming and outgoing messages to a separate mailbox. Load ESM and then select "archive all messages sent or received" in the mailbox store properties and select a mailbox. In Exchange 2007 you can do it with Transport Rules, but I'm not sure of the specifics since I haven't used anything since Exchange 2003.

 

For old stuff, use Exmerge.exe to copy the old mailbox file to another storage group and then give yourself access to it in AD.

 

Again, do not do anything without your company's legal counsel giving you blessing.

 

EDIT: I see beyond my legal advice, everything else has been covered. That's what I get for not reading the entire thread before posting. :facepalm:


  • Members

Tell her, that her system is sending virus/spam messages, IT has it logged at the server and IT needs it to be cleaned, it is a nasty one and if you do it wrong she could frag her system, so she needs to give it to IT.

 

If she asks is this something going around you say a couple of people have it but not many.

 

When she gives it to you, do a complete dump of her email, then you start backing up her mailbox as often as you need, restore the backups from and read everything, sent and kept.

 

If you do not have permission, or if you get caught doing this or there is some political fallout, your ass is fried, period, you WILL be the scapegoat.

 

 

Make sure you get something in writing from your company's legal department before you do anything. This is a very sticky legal situation that can land you in trouble if not done properly. When in doubt, get authorization from legal so that the onus is on them and not you. Hopefully your company's policies state that all e-mail/communications are owned by the company and subject to review/monitoring. If not, you have a legal problem. Even though the company owns the resources, the courts have ruled that users must be notified that they have no expectation of privacy while using those resources. No matter what, document everything: the request to do the work, responses from legal, explicit authorization from your management to do what needs to be done. It's the best way to stay out of legal trouble if something goes wrong.

 

 

I would not touch the thing without this, PERIOD. Actually, if there is fallout and you are outed, your career there is probably limited anyway.

 

Have Fun!


Archived

This topic is now archived and is closed to further replies.
