1

All,

I need to determine if emails have been sent to an external address from our Exchange server. Unfortunately, there is no specific sender to target as there could be multiple people who sent mail to this external address.

I have done some digging but unfortunately, I am unable to find a script that works. I have tried some scripts based off of a few articles (changed the user's email to a dummy one below). I would appreciate any advice. Thanks.

Get-MessageTrackingLog -ResultSize Unlimited | Where -Property Recipients -Like "suspectacct@gmail.com"

or

Get-MessageTrackingLog -Recipients suspectacct@gmail.com

....

Jeter-work
Exch1

1 Answer

0

You seem to be mixing Get-MessageTrackingLog parameters (-Property) with the Where-Object cmdlet. So we'll move that back to the Get-MessageTrackingLog part of the oneliner (if Recipients is a default property, we don't need it at all). Then we can use Recipients in the Where-Object filter.

First, confirm that Recipients is not a default property; use:

Get-MessageTrackingLog | Get-Member

If it is not, use:

Get-MessageTrackingLog -ResultSize Unlimited -Property Recipients |
    Where Recipients -Like "suspectacct@gmail.com"

Else, if it IS a default property use:

Get-MessageTrackingLog -ResultSize Unlimited |
    Where Recipients -Like "suspectacct@gmail.com"

This command would get all the message tracking logs and pipe them to the Where-Object command, including the Recipients property. The Where-Object clause would look for messages with recipients including "suspectacct@gmail.com".

docs.microsoft reference for Get-Object.

-ResultSize Unlimited is going to give you a very large data set. Highly recommend using some of the other properties to limit it.

docs.microsoft reference for Get-MessageTrackingLog

A quick rundown of the parameters shows that there's a parameter that lets you specify recipients, named -Recipients. So you might be able to simplify this to:

Get-MessageTrackingLog -ResultSize Unlimited -Recipients "suspectacct@gmail.com*"

If this works, it will be significantly more time and processor efficient than a full dump, and that's exactly what Get-MessageTrackingLog -ResultSize Unlimited with no constraints will give you.

I have found that Where-Object, aka where, is one of the most powerful cmdlets in PowerShell, along with the import/export CSV cmdlets and Get-Help and Get-Member.

Jeter-work
  • Hello Xalorous - Thank you for your help and detailed explanation on this. Right now, I am going through the links you provided to better understand the commands. If I run the very last (simplified) command, it does seem like it's working to get the results but I get an error that "There are more results available than currently displayed.....". This happens even when I set a value of items to return. If I do the command without the -property flag, it gives me the progress bar but outputs no results. Is there something else I'm missing? – Exch1 Aug 10 '18 at 17:04
  • Fixed typo in the last command (@gmail). – Jeter-work Aug 10 '18 at 17:08
  • I think if it shows a progress bar and then no results, it's not successfully matching anything. You should definitely add start and end dates and any other kind of filters you can, especially if you're running this on a production server. "Get-MessageTrackingLog -ResultSize Unlimited" gives you the entire log. If you can bracket the date and any other filters to get it down to a smaller dataset, you will impact the server less. – Jeter-work Aug 10 '18 at 17:44
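
Added example, not part of the original question, answer or comments: a date-bounded version of the -Recipients search that queries every transport server and lists who sent mail to the address. The function name, the 30-day default window and the CSV path are assumptions, and Get-TransportService assumes Exchange 2013 or later (Exchange 2010 uses Get-TransportServer).

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2013 or later assumed).
# Find-MailToExternalAddress is a hypothetical helper name, not an Exchange cmdlet.
function Find-MailToExternalAddress {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Recipient,
        [datetime]$Start = (Get-Date).AddDays(-30),  # assumed look-back window
        [datetime]$End = (Get-Date)
    )

    # Tracking logs are stored per server, so ask every transport server in turn.
    # -Recipients, -Start and -End filter on the server, which keeps the result set small.
    $events = foreach ($server in (Get-TransportService)) {
        Get-MessageTrackingLog -Server $server.Name -Recipients $Recipient `
            -Start $Start -End $End -ResultSize Unlimited
    }

    # Assumption: only SMTP hand-off events matter here (SEND, SENDEXTERNAL).
    # A message can log several of them (retries, hops), so keep one row per
    # MessageId and then order the rows by time.
    $events |
        Where-Object { $_.EventId -in 'SEND', 'SENDEXTERNAL' } |
        Sort-Object -Property MessageId -Unique |
        Sort-Object -Property Timestamp |
        Select-Object Timestamp, Sender,
            @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } },
            MessageSubject, MessageId, EventId, ServerHostname
}

# The dummy address from the question; the CSV path is a placeholder.
$hits = Find-MailToExternalAddress -Recipient 'suspectacct@gmail.com'
$hits | Export-Csv -Path .\mail-to-external.csv -NoTypeInformation

# Who sent to the address, and how often.
$hits |
    Group-Object -Property Sender |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name
```

Tracking logs are only retained for a limited period (30 days by default), so a -Start earlier than the retention window returns nothing for the older dates.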