My company is using Exchange 2007, Windows 2008 Server, Outlook 2007. One specific user claims she never received an important email. Using the Message Tracker in Exchange, I can see that the message was delivered (EventID: DELIVER Source:STOREDRIVER) to the correct person.
I'd like to be able to determine if the message was deleted or moved (or read) after it was delivered. Is there any way to track this, short of entering the user's mailbox and searching all folders and the Delete Retention?
Update: The user says the message "showed up in my inbox this morning. I know it wasn’t there all weekend. Something weird is going on with my inbox." Issue resolved IMO.
If your logs are showing the mail was delivered to the SERVER then I think the only step beyond that (if you choose to do so) is to look in the user's mailbox, etc.
This sounds like a bit of an "office politics" thing, am I correct?
If that's the case then I personally would probably just stop at this point and show the email was delivered to the server and leave it at that. Trying to prove users are lying never ends up good.
People like to blame "computers" for everything. ;-)
I recently had a case where a user "stored" emails in their "Trash" folder (don't ask why) and then lost over 600 of their "stored" emails when the trash folder was deleted. They INSISTED someone logged into their email account and emptied the trash.
Aside from the obvious (DON'T save things in your TRASH folder) I was able to prove it was NOT conspiracy by grabbing screen shots and the proxy log for that computer. The user CLEARLY (accidentally) deleted their own Trash folder. (web based email client)
Their response... "Well I don't know if I was FOR SURE sitting at my PC between 4:45pm and 5:00pm... someone could have come along and deleted it!"
At this point it's very important to just "state the facts". I'm not saying YOU did it... I'm saying that YOUR PC issued a deleteFolder command at exactly 4:47pm. So, whoever was sitting at your desk at 4:47pm did it.
End of story. ;-)
In the cases I've had of this (i.e. "I never got the message!"), I've always stopped at "I can see on the server that it was delivered to your mailbox. There are things that could have happened at that point, but I can't be sure what might have happened if you didn't see it."
One thing you need to check is if the user has any Outlook rules that automatically moved or deleted the message.
We had the company president "storing" messages in his Trash folder once... Right up until the day his assistant emptied the Trash. Then we spent some time with both of them helping them figure out a folder structure that they could both live with.
One last anecdote: the Vice President's assistant at the time didn't trust her boss to keep the right messages, so we set up a mailbox that duplicated all his messages for her to work with. She'd keep everything, even if he deleted stuff.
Just a thought, do you have anti-virus on email that could have deleted/moved it without their knowledge? Usually there is a notification, but hey maybe?
She might have accidentally checked the "Work offline" option. It might be that she never actually got the message all weekend.
We had one user complaining about this and what we found was that she had been creating Rules every time she wanted to archive a particular mail. So instead of right-clicking a mail, choosing Move, then selecting the folder in their archive, they were choosing Rules and always move messages from this sender, then selecting the folder in their archive. So as soon as mails were getting delivered they were then being moved to archive folders. She had loads and loads of rules called Accounts, Accounts (1), Accounts (2) etc etc.