GarethDavies-6974 asked EnterpriseArchitect commented

Track use of distribution groups

I am in the process of cleaning up an inherited AD setup. Previous admins (and managers for that matter) did not follow any of the recommended standards when it came to structure, so it is challenging.
Part of this cleanup is establishing if distribution groups and mail-enabled security groups are being used for email. Problem is, if I try to search for messages sent to these groups using message trace, they all come back saying nothing has been sent to them, even though I know I have sent test messages to some of them.
I went into PowerShell and tried using Get-MessageTrace and Get-MessageTrackingLog but I get weird results.
Get-MessageTrace returns the same number for every group, Get-MessageTrackingLog returns zero for every group. Message Tracking log is enabled.

The code I am using is: Get-MessageTrackingLog -start "12/01/2020 12:00:00" -End "12/10/2020 12:00:00" -Recipients "group email address" | measure-object
Results for this: [screenshot: 47406-image.png], even though I have sent several test messages to the target group used to test the code.

and Get-MessageTrace -Status expanded -startdate (get-date).AddDays(-10) -EndDate (Get-Date) | group <group email address> | select name,count

Results:
[screenshot: 47463-image.png]

This number changed depending on the number of days, but EVERY group gives the exact same result, even a test group I created yesterday that only I am a member of and that has received zero email.

What am I missing here?



Remove the -Recipients parameter and use -EventID instead. Look for EXPAND event IDs and then see what you get. You can check the data in the columns of the file and fine-tune your parameter set using what you find.

I retired six years ago and haven't touched an Exchange server since then, so things are growing dimmer -- but are you using the SMTP address of the group in question as the "<group email address>"?

1 Vote 1 ·

I'm not sure I understand how this would help.
Removing the -Recipients parameter would mean I get results for all groups, number of messages received by any group in the timeframe I specify, which would be of no use. Without setting the results limit above the default 1000, all it does is return the number 1000. I am looking for the use of specific groups, so I have to use -Recipients or at least filter it in some way.
Yes, I am using the SMTP address.

1 Vote 1 ·

Yes, me too, I'm facing the issue with the result always returning 1000.

[screenshot: 177334-image.png]


0 Votes 0 ·
AshokM-8240 answered AshokM-8240 commented

Hi,

Are you using Exchange server on-premise or Office 365?

For Exchange on-premise, please try the below command to check the number of emails sent to the distribution groups:

Get-TransportService | Get-MessageTrackingLog -Start <starttime> -End <endtime> | ? {$_.RelatedRecipientAddress -like "distributiongroup@domain.com"} | measure-object | fl count

Messagetrackinglog maxage is 30 days by default. To increase, please check https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/configure-message-tracking?view=exchserver-2019

For Office 365:

Get-MessageTrace -StartDate <starttime> -EndDate <endtime> -RecipientAddress "distributiongroup@domain.com" | measure-object | fl count

Get-MessageTrace will return results for 10 days in Office 365, and to get data for 90 days, use Start-HistoricalSearch and Get-HistoricalSearch. Alternatively, Message trace under Security & Compliance Center can be used to retrieve results for 90 days.

Start-HistoricalSearch -ReportTitle "DL Name" -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -ReportType MessageTrace -RecipientAddress DLemailaddress -NotifyAddress admin@yourdomain.com

Get-HistoricalSearch

Message trace in the Security & Compliance Center:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/message-trace-scc?view=o365-worldwide

If the above suggestion helps, please click on "Accept Answer" and upvote it


Hi,

Just to check if there are any updates. If the above suggestion helps, please click on "Accept Answer" and upvote it. Thanks for understanding.

0 Votes 0 ·
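
An added example (not code from any poster in this thread) that applies the EXPAND-event approach from the replies above to every group in one pass on on-premises Exchange, so unused groups appear with a count of zero. The 10-day window and the output column names are assumptions made for this sketch.

```powershell
# Added example: run in the Exchange Management Shell (on-premises).
# Assumption: a 10-day window; widen it up to the tracking-log retention.
$start = (Get-Date).AddDays(-10)
$end   = Get-Date

# Transport logs one EXPAND event each time it expands a distribution group.
# On that event, RelatedRecipientAddress is the group's primary SMTP address.
# -ResultSize Unlimited avoids the default cap of 1000 rows mentioned above.
$expands = Get-TransportService |
    Get-MessageTrackingLog -EventId EXPAND -Start $start -End $end -ResultSize Unlimited

# Tally expansions per group address (hashtable keys are case-insensitive).
$hits = @{}
foreach ($e in $expands) {
    $addr = [string]$e.RelatedRecipientAddress
    if ($addr) { $hits[$addr] = 1 + [int]$hits[$addr] }
}

# Left-join against every group so groups with no mail are listed with 0.
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $smtp = [string]$_.PrimarySmtpAddress
    [pscustomobject]@{
        Group      = $_.DisplayName
        Address    = $smtp
        Type       = $_.RecipientTypeDetails   # distribution vs. mail-enabled security
        Expansions = [int]$hits[$smtp]          # missing key casts to 0
    }
} | Sort-Object Expansions, Group
```

A zero here only means no expansion inside the queried window and the log retention period (30 days by default, as noted above), so confirm over a longer period before removing a group.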
YukiSun-MSFT answered YukiSun-MSFT commented

Hi @GarethDavies-6974,

As far as I know, Get-MessageTrackingLog is available only in on-premises Exchange while the Get-MessageTrace cmdlet only works in the cloud-based service, so are you in a Hybrid setup with both Exchange Online and the on-prem Exchange in your environment?

If this describes your situation, based on my research, it's recommended to use message trace. I tried to run the get-messagetrace command in your post and it seems to me that the returned count is the number of emails sent to all the distribution lists. The command provided above by AshokM works at my end:

 Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress <group email address> | Measure-Object | fl Count

[screenshot: 47793-1.png]


If the response is helpful, please click "Accept Answer" and upvote it.

@GarethDavies-6974,
I'd like to follow up to see if you have had a chance to read the replies above. Feel free to post back if you still have further questions on this. Thanks.

0 Votes 0 ·