A user has granted editor access to his calendar to several people and claims that someone has been maliciously deleting his appointments. He found them in his Deleted Items folder and put them back where they belong. Is there a way to find out who deleted these appointments?
This smells fishy to me. If the appointments were in the user's own Deleted Items folder, either the user himself deleted them or someone has access to much more of that user's mailbox than just the Calendar folder.
The typical scenario for a delegate ("User A") is not to have Write permission to the Calendar owner's (User B's) Deleted Items. In that case, anything User A deletes from User B's Calendar would go into User A's own Deleted Items folder.
However, if User A (the delegate) has Write permission to User B's Deleted Items folder as well as User B's Calendar, any appointment that User A deletes from User B's Calendar will go into User B's Deleted Items folder. This could be the case if User B granted User A Write permission on the Deleted Items folder as well as the Reviewer role on the top level of User B's mailbox. This behavior could also occur if the administrator granted User A full access to User B's mailbox or if User A inherited permissions from a parent object that included full access to User B's mailbox.
A quick check of the permissions on the Deleted Items folder and on the mailbox as a whole should tell you who can delete items from User B's Calendar so that they show up in User B's Deleted Items. My guess is that the only person with such permissions will turn out to be ... User B himself. Even if you do find that someone else has Write permission on the Deleted Items folder or the mailbox, Outlook doesn't track who deletes what, so even the most paranoid users can never know for sure who deleted an item.
