Exchange Mailbox Audit Log Event ID 25004

SourceExchange (LOGbinder EX)
LogMailbox Audit
Windows Security Log
Category
 • Subcategory
Object Access
 • Application Generated
Type Success
Failure

25004: Operation HardDelete - Delete Exchange mailbox item permanently from Recoverable Items folder

This is an event from Exchange audit event from LOGbinder EX generated by Log  Mailbox Audit.

On this page

Exchange HardDelete action.

Free Security Log Resources by Randy

Description Fields in 25004

Field Description
Occurred Date and time when Exchange registered the cmdlet.
Operation Operation performed on the mailbox.
Result Result of the operation:
  • Failed
  • PartiallySucceeded
  • Succeeded
Originating server The host name of the server.
Mailbox GUID Destination of move or copy (if applicable) - Mailbox's Globally Unique Identifier.
Mailbox owner Mailbox user resolved name in the format DOMAIN\SamAccountName.
Mailbox owner UPN Destination of move or copy (if applicable) - Mailbox owner's User Principal Name.
Mailbox owner SID Destination of move or copy (if applicable) - Mailbox owner's SID (Security Identifier).
Folder ID ID of affected folder (if applicable).
Folder name Name of affected folder (if applicable).
Performed user name Display name of the user who performed the operation.
Performed user SID SID of the user who performed the operation.
Performed logon type Logon type of the user who performed the operation. Logon types include:
  • Owner
  • Delegate
  • Admin
Client info Details that identify which client or Exchange component performed the operation.
Client IP address IP address of the client (e.g. Outlook).
Client process name Process name of the client application as reported by the client
Client version Version of the client application as reported by the client.
Item ID ID of affected item (if applicable).
Item subject Subject of affected item (if applicable).
Additional information Additional information, if any (otherwise "n/a").

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Where Does This Event Come From?

This Event Is Produced By

Which Integrates with Your SIEM

Examples of 25004

Delete Exchange mailbox item permanently from Recoverable Items folder
Occurred: 1/20/2013 4:24:42 AM
Operation: HardDelete
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
  GUID: 9db94f90-97cb-425d-b6c8-48200020026f
  Owner: n/a
  Owner UPN: Administrator@sp2010.com
  Owner SID: S-1-5-21-2141518605-3280587107-2299868870-500
Folder
  ID: LgAAAACU/6drttwpRpk7rpQBqwiWAQB2IQyARlr2Rb5
WUIGWRjQaAAAAbBrBAAAB
  Folder: \Recoverable Items\Deletions
Performed By
  User name: Administrator
  User SID: S-1-5-21-2141518605-3280587107-2299868870-500
  Logon type: Owner
Client
  Info: Client=OWA
  IP address: 10.42.1.36
  Process name: n/a
  Version: n/a
Item
  ID: n/a
  Subject: n/a
Additional information: Owner= [Administrator]; LastAccessed= [2013-01-20T04:24:42.0595725-05:00]; LogonType= [Owner]; CrossMailboxOperation= [false]; SourceItems/Item/Id= [ RgAAAACU/6drttwpRpk7rpQBqwiWBwB2IQyARlr2Rb5
WUIGWRjQaAAAAbBrBAAB2IQyARlr2Rb5WUIGWRjQaAAAjvQ7qAAAJ]; SourceItems/Item/Subject= [ another bogus email]; SourceItems/Item/FolderPathName= [ \Recoverable Items\Deletions]

For more information, see http://logbinder.com/support

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources