2

So i have enabled MailboxAuditLogging for the administrator mailbox and another testuser. If i make changes in OWA the events are recorded in the audit logs. But any changes that are made in Outlook (for example folder deletion / creation) will not get logged at all.

Here is the Audit configuration for one of the users: 

AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}

Update: After a bit more testing i now got a AuditlogEntry from Outlook (SoftDelete) but other MoveToDeletedItems entries still are not created when I delete the Folders in Outlook.

I check for creation via the size of the Audits folder in the Mailbox.

Paul
  • 161
  • 1
  • 1
  • 8

1 Answers1

0

I'm having the same issue. One thing I noticed while troubleshooting is that when a user deletes an email from the shared mailbox in Outlook, the email gets put into their personal Deleted Items instead of the shared folder's Deleted Items as you might expect. I found this article describing the behavior and fix: https://support.microsoft.com/en-us/help/202517/items-that-are-deleted-from-a-shared-mailbox-go-to-the-wrong-folder-in

Since I have the Office 2016 Group Policy Template installed on our domain controller, I was able to create a policy with User Configuration\Administrative Templates\Microsoft Outlook 2016\Outlook Options\Delegates\Store deleted items in owner's mailbox instead of delegate's mailbox set to enabled. After closing Outlook and applying Group Policy, emails that were deleted after that point went into the shared folder's Deleted Items. This also resulted in most of the audit functionality working, but with a couple quirks. SoftDelete and MoveToDeletedItems are working for deleted emails, although sometimes it will show a SoftDelete and a Create event being logged as Outlook 'creates' the email in the shared folder's Deleted Items. I'm still unable to get it to create a log entry for folder creation and deletion, though, so it's still only partially functional. Hopefully this is at least a stepping stone for me or someone else to figure out the rest of the functionality.

Chris
  • 63
  • 2
  • 7