Exchange Mailbox Audit Log Event ID 25007

SourceExchange (LOGbinder EX)
LogMailbox Audit
Windows Security Log
Category
 • Subcategory
Object Access
 • Application Generated
Type Success
Failure

25007: Operation MoveToDeletedItems - Move Exchange mailbox item to Deleted Items folder

This is an event from Exchange audit event from LOGbinder EX generated by Log  Mailbox Audit.

On this page

Exchange MoveToDeletedItems action.

Free Security Log Resources by Randy

Description Fields in 25007

Field Description
Occurred Date and time when Exchange registered the cmdlet.
Operation Operation performed on the mailbox.
Result Result of the operation:
  • Failed
  • PartiallySucceeded
  • Succeeded
Originating server The host name of the server.
Mailbox GUID Destination of move or copy (if applicable) - Mailbox's Globally Unique Identifier.
Mailbox owner Mailbox user resolved name in the format DOMAIN\SamAccountName.
Mailbox owner UPN Destination of move or copy (if applicable) - Mailbox owner's User Principal Name.
Mailbox owner SID Destination of move or copy (if applicable) - Mailbox owner's SID (Security Identifier).
Folder ID ID of affected folder (if applicable).
Folder name Name of affected folder (if applicable).
Performed user name Display name of the user who performed the operation.
Performed user SID SID of the user who performed the operation.
Performed logon type Logon type of the user who performed the operation. Logon types include:
  • Owner
  • Delegate
  • Admin
Client info Details that identify which client or Exchange component performed the operation.
Client IP address IP address of the client (e.g. Outlook).
Client process name Process name of the client application as reported by the client
Client version Version of the client application as reported by the client.
Destination folder ID Destination of move or copy (if applicable) - folder's ID.
Destination folder name Destination of move or copy (if applicable) - folder's name.
Items Item(s) affected by operation.
Additional information Additional information, if any (otherwise "n/a").

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Where Does This Event Come From?

This Event Is Produced By

Which Integrates with Your SIEM

Examples of 25007

Move Exchange mailbox item to Deleted Items folder
Occurred: 1/20/2013 4:29:47 AM
Operation: MoveToDeletedItems
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
  GUID: 9db94f90-97cb-425d-b6c8-48200020026f
  Owner: n/a
  Owner UPN: Administrator@sp2010.com
  Owner SID: S-1-5-21-2141518605-3280587107-2299868870-500
Folder
  ID: LgAAAACU/6drttwpRpk7rpQBqwiWAQB2IQyARlr2Rb5WUIG
WRjQaAAAAbBpzAAAB
  Folder: \Inbox
Performed By
  User name: Administrator
  User SID: S-1-5-21-2141518605-3280587107-2299868870-500
  Logon type: Owner
Client
  Info: Client=WebServices;UserAgent=OwaProxy
  IP address: 10.42.1.36
  Process name: n/a
  Version: n/a
Destination Folder
  ID: LgAAAACU/6drttwpRpk7rpQBqwiWAQB2IQyARlr2Rb5WUIG
WRjQaAAAAbBp2AAAB
  Folder: \Deleted Items
Items:
Additional information: Owner= [Administrator]; LastAccessed= [2013-01-20T04:29:47.9795815-05:00]; LogonType= [Owner]; CrossMailboxOperation= [false]; SourceItems/Item/Id= [ RgAAAACU/6drttwpRpk7rpQBqwiWBwB2IQyARlr2Rb5WUIG
WRjQaAAAAbBpzAAB2IQyARlr2Rb5WUIGWRjQaAAAjvO+tAAAJ]; SourceItems/Item/Subject= [ testing]; SourceItems/Item/FolderPathName= [ \Inbox]

For more information, see http://logbinder.com/support

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources