Today I’m giving you a tool that has proved its usefulness over the past couple of years for customers of mine. It works on Exchange 2013, Exchange 2016, and Exchange Online from Office 365, which is where it was designed: an Exchange Search (eDiscovery) tool that generates and executes Search-Mailbox (“single mailbox search”) or New-MailboxSearch (“multi-mailbox search”) cmdlets (you choose) with the most common options and search requests.
Some might ask me: why this tool, when we already have the HTML-based Compliance and eDiscovery page within the EAC? Here are the thoughts that led me to come up with this tool…
Here are a few challenges we found with HTML based interfaces:
- we have to be logged in to an Exchange Control Panel or Exchange Admin Center to get to the eDiscovery interface, then sometimes wait for the page to render on slower connections
- we don’t necessarily see or understand clearly whether we’re using Search-Mailbox (single mailbox search, which can delete unwanted or malicious mails provided the admin has the Mailbox Import Export permissions) or New-MailboxSearch (multi-mailbox search, but we can’t delete mails with it)
- we don’t see the underlying PowerShell command line and options that are used
- we cannot choose any mailboxes to use as “Discovery Mailboxes”
- some other limitations inherent to HTML-based interfaces that don’t come to mind as I am writing this note…
Here are a few challenges with PowerShell-only Search-Mailbox / New-MailboxSearch:
- It’s easy to make typos
- we don’t necessarily have the cmdlet parameters handy to quickly perform a search or a mailbox purge (although you should know the “Get-Help” cmdlet with the -Full, -Detailed or -Examples parameters to get what you want)
- some IT administrators are simply not very used to or fond of the command line…
… hence this Graphical User Interface (I’ll refer to it as the “GUI” from now on), which guides you through the type of search you wish to perform, including purging unwanted or malicious e-mails from users’ mailboxes, and which dynamically generates the PowerShell command line as you graphically define your search / purge options.
Some dreamt about it; I made it real and am sharing it here.
Credits for starting point
Initially I began from scratch, but then I found a mate who had done a simple interface using Search-Mailbox only. I expanded that example to include a real-time cmdlet generator whose output you can copy/paste into another Exchange Management Shell window or into documentation for future reference, the choice to use either Search-Mailbox or New-MailboxSearch, tabs to connect to remote Exchange organizations (Exchange Online, or a remote on-premises Exchange, for example), tabs to get the search statistics details, etc…
BIG THANKS TO PRATEEK SINGH
His script gave me the base for this application:
I based this tool on a script from the great Prateek Singh: http://en.gravatar.com/almostit - great guy!
And the page of his script is here:
Quick Users Guide
If you are not running the tool from an Exchange Management Shell already, you can either:
- connect to your Office 365 Exchange tenant by clicking on the “Connect to Exchange” button (check that the label below says “O365 Exchange”)
- connect to an On-Premise (local) Exchange environment by checking the “On-Premise Exchange” box and filling in the Exchange environment’s URL
Figure 1 - Connect to O365 tenant
Figure 2 - Connect to On-Premise Exchange 2010, 2013 or 2016
NOTE: if you run the tool from an Exchange Management Shell window, you won’t have to connect – you’ll already be connected, and the tool will show it to you! But you can still use the “Connect to Exchange” button to connect either to another Exchange tenant/environment, or to connect using another user’s credentials.
- Then check the rights you have by checking the “Connection Status” information:
Figure 3 - Connected to Exchange, but no Discovery Management rights
As you see above, you are connected to Exchange (i.e. you have the main Exchange Powershell cmdlets available), but you don’t have the rights to search (need the “Discovery Management” RBAC role membership) => you won’t be able to execute any Mailbox search commands.
Figure 4 - Connected to Exchange, have Discovery Management rights, but no Mailbox Import Export rights mandatory to be able to purge searched items from source mailbox
Here you can see that you can definitely search using all options from the tool (Search-Mailbox, and New-MailboxSearch). You just cannot purge e-mails from mailboxes.
Figure 5 - Discovery Management + delete with Search-Mailbox rights brought by Mailbox Import Export rights
And finally the green status above shows that you can search for mail, but you can also purge the mails that you searched for if needed (for example to remove any sensitive e-mails that mailboxes shouldn’t have received, or remove any malicious e-mails, …)
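The three connection states above can be told apart from inside the session itself, because Exchange RBAC only exposes the cmdlets and parameters your roles grant. The following is an added example, not the tool's own code; the function name `Get-SearchRightsStatus` and the status strings are hypothetical, and it assumes an Exchange session where a missing role means the cmdlet or parameter is absent:

```powershell
# Added example (hypothetical helper): classify the current session's search rights
# by inspecting which cmdlets and parameters RBAC has made available.
function Get-SearchRightsStatus {
    [CmdletBinding()]
    param()

    # Any core Exchange cmdlet tells us whether we are connected at all.
    $connected = [bool](Get-Command -Name Get-Mailbox -ErrorAction SilentlyContinue)

    # Search cmdlets only appear with the search role (Discovery Management role group).
    $single = Get-Command -Name Search-Mailbox    -ErrorAction SilentlyContinue
    $multi  = Get-Command -Name New-MailboxSearch -ErrorAction SilentlyContinue
    $canSearch = [bool]($single -or $multi)

    # -DeleteContent is only visible when Mailbox Import Export is assigned.
    $canPurge = [bool]($single -and $single.Parameters.ContainsKey('DeleteContent'))

    $status =
        if     (-not $connected) { 'Not connected to Exchange' }
        elseif (-not $canSearch) { 'Connected, no Discovery Management rights' }
        elseif (-not $canPurge)  { 'Can search, cannot purge (no Mailbox Import Export)' }
        else                     { 'Can search and purge' }

    [pscustomobject]@{
        Connected = $connected
        CanSearch = $canSearch
        CanPurge  = $canPurge
        Status    = $status
    }
}

Get-SearchRightsStatus | Format-List
```

Running this before a purge confirms that the account in use really holds Mailbox Import Export, and it also makes it easy to spot accounts that hold that role without needing it.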
This is the core of the tool – you can launch e-mail searches.
- Specify as many mailboxes to search in as you want (can be email addresses, display names, aliases, or a mix of all of these)
NOTE: New-MailboxSearch is just limited to 10,000 mailboxes so the alternative is either to use Search-Mailbox (uncheck the blue highlighted checkbox) or to do several searches with 10,000 mailboxes each.
- View the corresponding search command line that builds up as you type – you can even copy/paste it in any Exchange Management Shell window or in a document …
- Default checked boxes will use New-MailboxSearch, and only estimate the number of findings and their sizes
NOTE: Uncheck the “Estimate only” check box to copy the e-mails from the search results to the Discovery Mailbox.
NOTE: only the “Search-Mailbox” method enables purging e-mails from a source mailbox (for example in case of a phishing e-mail, or a sensitive e-mail that has been sent to many users by mistake, or a mail with malicious links, etc…)
Figure 6 - Exchange eDiscovery aka Search interface with search options and dynamic Exchange Powershell command line
NOTE: By default, the “Search a bit quicker using New-MailboxSearch (cannot delete mail)” check box will be checked, along with the “Estimate only” check box.
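To make the option logic above concrete, here is an added example of a command-line builder; it is not the tool's own code. The function name `New-SearchCommandLine`, its parameters and the sample mailboxes are hypothetical, and it quotes every typed value so that form input cannot inject extra commands into the generated line:

```powershell
# Added example (hypothetical helper): build the command line from the form options.
function New-SearchCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Mailbox,     # addresses, display names or aliases
        [Parameter(Mandatory)][string]$SearchQuery,
        [string]$DiscoveryMailbox,                    # target for copied results
        [string]$SearchName = ('Search-' + (Get-Date -Format 'yyyyMMdd-HHmmss')),
        [switch]$UseNewMailboxSearch,
        [switch]$EstimateOnly,
        [switch]$DeleteContent
    )
    # Emit each value as a single-quoted literal ('' escapes ') so typed text
    # cannot close the string and append commands to the generated line.
    function Quote([string]$s) { "'" + $s.Replace("'", "''") + "'" }

    if ($EstimateOnly -and $DeleteContent) { throw 'Estimate only and purge are mutually exclusive.' }
    if (-not $EstimateOnly -and -not $DeleteContent -and -not $DiscoveryMailbox) {
        throw 'Copying results requires a Discovery Mailbox.'
    }
    if ($UseNewMailboxSearch) {
        if ($DeleteContent) { throw 'New-MailboxSearch cannot delete mail; use Search-Mailbox.' }
        if ($Mailbox.Count -gt 10000) { throw 'New-MailboxSearch is limited to 10,000 mailboxes.' }
        $sources = ($Mailbox | ForEach-Object { Quote $_ }) -join ','
        $cmd = "New-MailboxSearch -Name $(Quote $SearchName) -SourceMailboxes $sources" +
               " -SearchQuery $(Quote $SearchQuery)"
        if ($EstimateOnly) { $cmd += ' -EstimateOnly' }
        else               { $cmd += " -TargetMailbox $(Quote $DiscoveryMailbox)" }
        return "$cmd; Start-MailboxSearch -Identity $(Quote $SearchName)"
    }
    # Search-Mailbox takes one mailbox per call, so loop over the list.
    $opts = "-SearchQuery $(Quote $SearchQuery)"
    if ($EstimateOnly) { $opts += ' -EstimateResultOnly' }
    elseif ($DiscoveryMailbox) {
        $opts += " -TargetMailbox $(Quote $DiscoveryMailbox) -TargetFolder $(Quote $SearchName) -LogLevel Full"
    }
    if ($DeleteContent) { $opts += ' -DeleteContent' }   # no -Force: keep the confirmation prompt
    $ids = ($Mailbox | ForEach-Object { Quote $_ }) -join ','
    return "$ids | ForEach-Object { Search-Mailbox -Identity `$_ $opts }"
}

# Constructed sample input: default estimate, then copy-and-purge of a phishing mail.
New-SearchCommandLine -Mailbox 'user1@contoso.example', "Pat O'Neil" `
    -SearchQuery 'subject:"Invoice overdue"' -UseNewMailboxSearch -EstimateOnly
New-SearchCommandLine -Mailbox 'user1@contoso.example' -SearchQuery 'subject:"Invoice overdue"' `
    -DiscoveryMailbox 'Discovery Search Mailbox' -DeleteContent
```

The function only returns text; nothing is searched or deleted until the generated line is pasted into an Exchange Management Shell, which lets you review a purge command, ideally after an estimate-only run of the same query.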
Just click on the “Get previous mailbox search” button to check whether the Exchange server has completed the search. The other button will show the status of all previous searches (only the ones performed with “New-MailboxSearch” – see previous Tab):
Figure 7 - Getting New-MailboxSearch progress on server side...
This tab enables you to retrieve the statistics of searches, and as a bonus, will give you the link to connect directly, using OWA, to the Discovery Mailbox used for that given search.
Note that, just like the previous Tab, this information is retrieved for the searches performed with the New-MailboxSearch cmdlet:
Figure 8 - Getting search statistics and Discovery Mailbox OWA link...
Download the tool here…