Skip to main content

Displaying deleted public folder tracking information via script in Exchange 2003 sp2

One of the new features introduced in ex 2003 sp2 is the ability to track public folder deletes. To turn this on you need to turn diagnostic logging on the public store general category to at least medium. For more details on this see the F1 help and look for the topic “Track Public Folder Deletions”. Once this option is turned on, when someone deletes a public folder Exchange then logs an event of type 9682 into the Application log on the server which tells you which folder was deleted and by whom it was deleted. Having this information in the event log is useful but for reporting purposes and proactive management (eg tracking folders that shouldn’t have been deleted) it’s a little impractical. So what I’ve come up with is a script that queries the eventlog on a server for a specified number of days retrieves any public folder delete entries parses all the values out and creates a CSV file with the result. It also outputs the result to the command line

The script itself is very simple it takes two commandline parameters which is the name of the server you want to query and the time period in days you want to query for. Then it does a semi-sync query of the Application log via WMI for any 9682 messages logged within the specified time period. It then parses the folder name, folder id, the mailbox that deleted the folder (displayed as the LegacyDN value) and also the username of the user that deleted the mailbox. The parser works by parsing the log message based on the static elements in the log format. The results are finally echoed to the console and then written to a csv file called pfdeletes.csv.

I’m working on a extended version of this script that uses the information retrieved from the event log to then query the folder dumpster of the parent folder that was deleted to get extra information about the folder such as how big it was, how many items where in the folder, who created it and maybe who the folder contacts are.

I’ve put a downloadable copy of the script here the script itself looks like the following to run the script requires two command-line parameters the servername and the number of days to query eg to query the log for the last 7 days it would look like

Cscript showpfdeletes.vbs servername 7

days = wscript.arguments(1)
servername = wscript.arguments(0)
SB = 0
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\PfDeletes.csv",2,true)
dtmStartDate = CDate(Date) - days
dtmStartDate = Year(dtmStartDate) & Right( "00" & Month(dtmStartDate), 2) & Right( "00" & Day(dtmStartDate), 2)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & servername & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery("Select Timewritten,Message from Win32_NTLogEvent Where Logfile='Application' and Eventcode = '9682' and TimeWritten >= '" & dtmStartDate & "' ",,48)
wscript.echo "Date Deleted FolderName FolderID Deleter-Mbox Deleter-UserName"
For Each objEvent in colLoggedEvents
SB = 1
Time_Written = cdate(DateSerial(Left(objEvent.TimeWritten, 4), Mid(objEvent.TimeWritten, 5, 2), Mid(objEvent.TimeWritten, 7, 2)) & " " & timeserial(Mid(objEvent.TimeWritten, 9, 2),Mid(objEvent.TimeWritten, 11, 2),Mid(objEvent.TimeWritten,13, 2)))
FolderName = Mid(objEvent.Message,8,instr(objEvent.Message,"with folder")-9)
FolderID = Mid(objEvent.Message,instr(objEvent.Message,"with folder ID")+15,(instr(objEvent.Message,"was deleted by")-(instr(objEvent.Message,"with folder ID")+16)))
MailboxName = Mid(objEvent.Message,instr(objEvent.Message,"was deleted by")+15,instr(objEvent.Message,", user account")-(instr(objEvent.Message,"was deleted by")+15))
UserName = Mid(objEvent.Message,instr(objEvent.Message,", user account")+15,(instr(objEvent.Message,chr(13))-(instr(objEvent.Message,", user account")+16)))
wscript.echo Time_Written & " " & FolderName & " " & FolderID & " " & MailboxName & " " & UserName
wfile.writeline(Time_Written & "," & FolderName & "," & FolderID & "," & MailboxName & "," & UserName)
set wfile = nothing
if SB = 0 then wscript.echo "No Public Folder Deletes recorded in the last " & days & " Days"

Popular posts from this blog

Vb.NET sample for getting the number of Unread messages from an inbox using Impersonation with Exchange Web Services

Although im not a great user of VB any more there does seem to be a bit of a dirth of samples for those people who haven't made the leap to using C#. So here's something that might fill the void for a few people I've put a donwload of this code here the code itself looks like Imports ewsvbsamp.ews Imports System.Net Imports System.Net.Security Imports System.Security.Cryptography.X509Certificates Module Module1 Sub Main() Console.WriteLine(GetUnreadEmailCount("")) End Sub Public Function GetUnreadEmailCount(ByVal emailaddress As String) As Integer Dim UnreadCount As Integer = 0 ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateCertificate) Dim esb As New ExchangeServiceBinding esb.RequestServerVersionValue = New RequestServerVersion esb.RequestServerVersionValue.Version = ExchangeVersionType.Exchange2007_SP1 esb.Crede

The MailboxConcurrency limit and using Batching in the Microsoft Graph API

If your getting an error such as Application is over its MailboxConcurrency limit while using the Microsoft Graph API this post may help you understand why. Background   The Mailbox  concurrency limit when your using the Graph API is 4 as per . This is evaluated for each app ID and mailbox combination so this means you can have different apps running under the same credentials and the poor behavior of one won't cause the other to be throttled. If you compared that to EWS you could have up to 27 concurrent connections but they are shared across all apps on a first come first served basis. Batching Batching in the Graph API is a way of combining multiple requests into a single HTTP request. Batching in the Exchange Mail API's EWS and MAPI has been around for a long time and its common, for email Apps to process large numbers of smaller items for a variety of reasons.  Batching in the Graph is limited to a m

How to test SMTP using Opportunistic TLS with Powershell and grab the public certificate a SMTP server is using

Most email services these day employ Opportunistic TLS when trying to send Messages which means that wherever possible the Messages will be encrypted rather then the plain text legacy of SMTP.  This method was defined in RFC 3207 "SMTP Service Extension for Secure SMTP over Transport Layer Security" and  there's a quite a good explanation of Opportunistic TLS on Wikipedia .  This is used for both Server to Server (eg MTA to MTA) and Client to server (Eg a Message client like Outlook which acts as a MSA) the later being generally Authenticated. Basically it allows you to have a normal plain text SMTP conversation that is then upgraded to TLS using the STARTTLS verb. Not all servers will support this verb so if its not supported then a message is just sent as Plain text. TLS relies on PKI certificates and the administrative issue s that come around certificate management like expired certificates which is why I wrote th
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.