Administrators have always needed a flexible way to search for content simultaneously across multiple mailboxes. Here are a few scenarios requiring cross-mailbox search, and how the ‘export-mailbox’ command can be used to get the desired results.
Scenario 1: LEGAL DISCOVERY: The administrator needs a way to extract messages from multiple users’ mailboxes which contain certain keywords in the subject and/or body for Legal Discovery purposes. In this case, the content found does not need to be deleted, but only extracted to a single target mailbox.
Solution: The administrator will need to use the Export-Mailbox task from the Exchange Management Shell with the –TargetFolder and –TargetMailbox parameters:
PS> get-mailbox –Database DB1 | Export-Mailbox –SubjectKeywords “Discovery Keywords” –TargetMailbox Administrator –TargetFolder ‘MyData’
This will search through all mailboxes on the Mailbox Database DB1 for messages containing the words “Discovery” and “Keywords” in the Subject field and copy these to a folder named MyData in the Administrator’s mailbox. A folder will be created for each user mailbox which had matching messages under the “MyData” folder, using the following naming convention: “Recovered Data – <MailboxAlias> – <Timestamp>”
Scenario 2: VIRUS THREAT RESPONSE: The administrator needs the ability to rapidly scan a large number of messages across multiple user mailboxes based on specific criteria to identify suspect messages that may be infected by a virus, and perform mass deletion of such email. In this case, the administrator is not required to keep copies of the deleted emails.
Solution: The administrator will need to use Export-Mailbox with the –TargetMailbox,-TargetFolder, and –DeleteContent parameters as follows
PS> get-mailbox | Export-Mailbox –ContentKeywords “Virus message” –TargetMailbox Administrator –TargetFolder ‘MyData’ –DeleteContent
This will search through all mailboxes in the organization for messages containing the words “Virus message” in the body and copy them to a folder named MyData in the Administrator’s mailbox, and delete the original message from the source mailboxes. The administrator can then delete all the messages under “My Data” to ensure that the suspect virus messages are eliminated. In order to delete the items, you will have to use the deletcontent parameter.
NOTE: To run the Export-Mailbox cmdlet on a computer that has the Mailbox server role installed, you must log on by using a domain account that has the permissions assigned to the Exchange Server Administrators group on the source server and the target server. The account must also be a member of the local Administrators group on that computer. You cannot export data from a mailbox in one forest to a mailbox in a different forest. The source and target mailboxes must be in the same forest
For a complete listing of the search criteria that can be used as filters, and other options for the export-mailbox command, please type “Get-help Export-Mailbox” from the Exchange Management Shell. Alternatively, check the Exchange Server 2007 documentation online.