Exchange Mailbox Audit Log Event ID 25004
25004: Operation HardDelete - Delete Exchange mailbox item permanently from Recoverable Items folder
This is an event from
Exchange
audit event from
LOGbinder EX
generated by
.
On this page
Exchange HardDelete action.
Free Security Log Resources by Randy
Field |
Description |
Occurred |
Date and time when Exchange registered the cmdlet. |
Operation |
Operation performed on the mailbox. |
Result |
Result of the operation:
- Failed
- PartiallySucceeded
- Succeeded
|
Originating server |
The host name of the server. |
Mailbox GUID |
Destination of move or copy (if applicable) - Mailbox's Globally Unique Identifier. |
Mailbox owner |
Mailbox user resolved name in the format DOMAIN\SamAccountName. |
Mailbox owner UPN |
Destination of move or copy (if applicable) - Mailbox owner's User Principal Name. |
Mailbox owner SID |
Destination of move or copy (if applicable) - Mailbox owner's SID (Security Identifier). |
Folder ID |
ID of affected folder (if applicable). |
Folder name |
Name of affected folder (if applicable). |
Performed user name |
Display name of the user who performed the operation. |
Performed user SID |
SID of the user who performed the operation. |
Performed logon type |
Logon type of the user who performed the operation. Logon types include:
|
Client info |
Details that identify which client or Exchange component performed the operation. |
Client IP address |
IP address of the client (e.g. Outlook). |
Client process name |
Process name of the client application as reported by the client |
Client version |
Version of the client application as reported by the client. |
Item ID |
ID of affected item (if applicable). |
Item subject |
Subject of affected item (if applicable). |
Additional information |
Additional information, if any (otherwise "n/a"). |
Setup PowerShell Audit Log Forwarding in 4 Minutes
This Event Is Produced By
Which Integrates with Your SIEM
Delete Exchange mailbox item permanently from Recoverable Items folder
Occurred: 1/20/2013 4:24:42 AM
Operation: HardDelete
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
GUID: 9db94f90-97cb-425d-b6c8-48200020026f
Owner: n/a
Owner UPN: Administrator@sp2010.com
Owner SID: S-1-5-21-2141518605-3280587107-2299868870-500
Folder
ID: LgAAAACU/6drttwpRpk7rpQBqwiWAQB2IQyARlr2Rb5
WUIGWRjQaAAAAbBrBAAAB
Folder: \Recoverable Items\Deletions
Performed By
User name: Administrator
User SID: S-1-5-21-2141518605-3280587107-2299868870-500
Logon type: Owner
Client
Info: Client=OWA
IP address: 10.42.1.36
Process name: n/a
Version: n/a
Item
ID: n/a
Subject: n/a
Additional information: Owner= [Administrator]; LastAccessed= [2013-01-20T04:24:42.0595725-05:00]; LogonType= [Owner]; CrossMailboxOperation= [false]; SourceItems/Item/Id= [ RgAAAACU/6drttwpRpk7rpQBqwiWBwB2IQyARlr2Rb5
WUIGWRjQaAAAAbBrBAAB2IQyARlr2Rb5WUIGWRjQaAAAjvQ7qAAAJ]; SourceItems/Item/Subject= [ another bogus email]; SourceItems/Item/FolderPathName= [ \Recoverable Items\Deletions]
For more information, see http://logbinder.com/support
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection