Track use of distribution groups

Question

I am in the process of cleaning up an inherited AD setup. Previous admins (and managers for that matter) did not follow any of the recommended standards when it came to structure so it is challenging.
Part of this clean up is establishing if distribution groups and mail enabled security groups are being used for email. Problem is, if I try to search for messages sent to these groups using message trace they all come back saying nothing has been sent to them, even though I know I have sent test messages to some of them.
I went into Powershell and tried using Get-MessageTrace and Get-MessageTrackingLog but I get weird results.
Get_MessageTrace returns the same number for every group, Get-MessageTrackingLog returs zero for every group. Message Tracking log is enabled.

The code I am using is: Get-MessageTrackingLog -start "12/01/2020 12:00:00" -End "12/10/2020 12:00:00" -Recipients "group email address" | measure-object
Results for this:
even though I have sent several test messages to the target group used to test the code

and Get-MessageTrace -Status expanded -startdate (get-date).AddDays(-10) -EndDate (Get-Date) | group <group email address> | select name,count

Results:

This number changed depending on the number of days, but EVERY group gives the exact same result, even a test group I created yesterday that only I am a member of that has received zero email

What am I missing here?

Answer 1

Hi,

Are you using Exchange server on-premise or office 365?

For Exchange on-premise, please try the below command to check the number of emails sent to the distribution groups,

Get-TransportService | Get-MessageTrackingLog -Start <starttime> -End <endtime> | ? {$_.RelatedRecipientAddress -like "distributiongroup@keyman .com"} | measure-object | fl count

Messagetrackinglog maxage is 30days by default. To increase, please check https://learn.microsoft.com/en-us/exchange/mail-flow/transport-logs/configure-message-tracking?view=exchserver-2019

For Office365,

Get-MessageTrace -StartDate <starttime> -EndDate <endtime> -RecipientAddress "distributiongroup@keyman .com" | measure-object | fl count

Get-MessageTrace will return results for 10days in Office365 and to get data for 90 days, use Start-HistoricalSearch and Get-HistoricalSearch. Alternatively, Message trace under Security & Compliance Center can be used to retrieve results for 90days.

Start-HistoricalSearch -ReportTitle "DL Name" -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -ReportType MessageTrace -RecipientAddress DLemailaddress -NotifyAddress admin@yourdomain.com

Get-HistoricalSearch

Message trace in the Security & Compliance Center:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/message-trace-scc?view=o365-worldwide

If the above suggestion helps, please click on "Accept Answer" and upvote it

Answer 2

Hi @Gareth Davies ,

As far as I know, Get-MessageTrackingLog is available only in on-premises Exchange while the Get-MessageTrace cmdlet only works in the cloud-based service, so are you in a Hybrid setup with both Exchange Online and the on-prem Exchange in your environment?

If this describes your situation, based on my research, it's recommended to use message trace. I tried to run the get-messagetrace command in your post and it seems to me that the returned count is the number of emails sent to all the distribution lists. The command provided above by AshokM works at my end:

Get-MessageTrace -StartDate (get-date).AddDays(-10) -EndDate (Get-Date)-RecipientAddress <group email address> | measure-object | fl count  

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

How we can get the last 2 or 3 years' mail count?