Storytelling is a venerable human trait. Instead of swapping hunting stories around a primitive campfire, IT professionals tend to exchange their war stories at trade shows or via email. Recently, a customer told me a story that I think highlights some interesting aspects of day-to-day Exchange Server management.
First, you need to know the players. Alice was a senior Help desk technician. Bob was her boss. Carol was a senior executive, and Dave was a junior Help desk tech.
One day, for some reason known only to herself, Alice composed, and then sent, a profanity-laden rant to Carol and copied several other managers. Alice realized her mistake fairly quickly and contacted Dave. She asked him to delete the offending email message from Carol's Inbox. Here's where things get interesting.
As directed, Dave used the service account for the backup software to log on to Carol's mailbox and remove the offending email message. Unfortunately, Carol had already seen the message and replied to it, as had several of the other addressees. Dave subsequently deleted the message from the other addressees' mailboxes as well, but it was too late. The cat was out of the bag.
Bob was out of town while this transpired. When he returned, he had to deal with an angry Carol, a fearful Dave, and Alice, who had tried to cover her tracks by trimming her 8GB mailbox down to a few hundred megabytes. After an investigation, which didn't take long given the blatant nature of Alice's misconduct, Alice was fired, Dave received a reprimand, and Bob took a lot of antacids.
What's interesting about this case? If the story were only about poor self-control on the part of a frustrated email sender, it wouldn't be worth retelling; we've all been there at one time or another. However, this story points out some things you should evaluate in your own environment:
- If you use a service account that has access to multiple mailboxes, you should guard it and audit its use. If a junior technician has the password, there's no telling who else might have it or what they might be doing with it. Better still, consider using Microsoft Volume Shadow Copy Service (VSS)-based solutions that don't require access to individual mailboxes.
- Dave should have known better than to accept a request to tamper with someone's mailbox, even though Alice was senior to him. Do your junior employees have clear guidelines for what they can and can't do to other users' mailboxes? Does your management culture back up those guidelines with support for people who refuse to violate them?
- Carol was rightly suspicious after the offending message disappeared from her mailbox. If senior executives at your organization ever have reason to doubt the integrity of your messaging system or its administrators, it will be difficult for you to restore credibility.
- Alice's sudden purging of her mailbox was suspicious, too. Naturally, Bob wanted to know what might have been deleted, so he restored the mailbox database to a recovery storage group and copied its contents for inspection. An alternative would have been to use a tool that can directly mount mailboxes from a dismounted .edb file, but in this case the built-in tools served their purpose.
- Because this organization was using Exchange Server 2003, they didn't have an effective way to do cross-mailbox searches without using a third-party product. This made the investigation into Alice's deeds a bit more complicated; if she had been involved in other wrongdoing, the inability to find content might have been more of a problem.
As Shakespeare said, all's well that ends well, and in this story justice was served. This kind of thing happens more often than you would think, and it makes sense to be prepared so that if it happens in your organization you'll be able to resolve the problem quickly, fairly, and accurately.