How to search, and then delete a specific e-mail (Exchange 2010, 2013 and 2016)

Introduction

To search in Exchange (aka eDiscovery), you will need to define at minimum the following:

-  The mailboxes you want to search in (can be a couple of mailboxes, or all mailboxes – specify nothing if you use New-MailboxSearch, or use Get-Mailbox -ResultSize Unlimited that you pipe into Search-Mailbox)

-  At least one search criterion, which can be:

    -  A sender name or e-mail address

    -  An attachment file name

    -  A keyword in the subject only

    -  A keyword in the whole e-mail (subject and body)

    -  A combination of these

-  A Discovery mailbox, which can be the Discovery Mailbox or any mailbox you have Full Access to

 

For the example in this How-To, I'll use the following:

-  Search in all mailboxes

-  Sender = Test.Canada@E2010Domain.com

-  Start Date (optional) = 01/01/2000

-  End Date (optional) = 01/01/2100

-  Result mailbox (aka Discovery Mailbox or any mailbox on which you have Full Mailbox Access rights)

-  Directory to store search results in on the Result mailbox = DocStepXX-XX

 

I'll go through the search, estimate and delete process in 3 steps below:

-        Estimate only the searches

-        Search for the items and store them in a mailbox

-        Search and delete the found items

 

1.    Estimate only searches first using New-MailboxSearch

Example:

New-MailboxSearch -Name 'DocStep01' -TargetMailbox 'NCLSRestore' -StartDate '01/01/2000' -EndDate '01/01/2100' -SearchQuery "''" -ExcludeDuplicateMessages $false -ErrorAction Continue -Senders "Test.Canada@E2010Domain.com" -EstimateOnly

 

Note – The above cmdlet was generated with the help of my eDiscovery tool


 

2.    Launch search using New-MailboxSearch without the "EstimateOnly" switch

 

2.1  Launching the command

Once we have determined that we have our correct search criteria (Sender, keywords, etc…) and that the results found are the ones we are looking for, we will launch another search to store the results in our Search Results mailbox.

Example:

New-MailboxSearch -Name 'DocStep02' -TargetMailbox 'NCLSRestore' -StartDate '01/01/2000' -EndDate '01/01/2100' -SearchQuery "''" -ExcludeDuplicateMessages $false -ErrorAction Continue -Senders "Test.Canada@E2010Domain.com"

 

The above was also generated with my tool, but is basically the same as the above without the -EstimateOnly switch.

 

2.2  Viewing the results

You have 2 ways to view the results: Get-MailboxSearch <SearchName> to see just how many items were found and other stats (where SearchName in my above example is "DocStep02-02"), or directly in Outlook to see the actual details as well as the findings summary.

Note: about Get-MailboxSearch <SearchName>, you can use my tool I mention above, on the "Retrieve MailboxSearches" tab, "Get previous mailbox search" button (the name of the "previous" search has to be in the "Folder:" field of the "Search in mailboxes" tab, and must have been used with New-MailboxSearch).

 

As stated above, the search results will be stored on the Discovery mailbox or the mailbox you chose to store the results in – in my example above it's "NCLSRestore" mailbox. I gave the searching power user the Full Mailbox Access to "NCLSRestore", so that it appears automatically on my user's mailbox thanks to Exchange Auto-Mapping and Outlook's Autodiscover.

You'll see the restore mailbox in your folder list pane, as well as the folder that you chose to store the results in. All results are stored in subfolders, each named after the mailbox where results were found.

 

You'll notice that you'll also have a mail at the root of that folder, which is a summary of your search and a few stats like what you get when you do a Get-MailboxSearch <SearchName>.

 

And in each subfolder corresponding to a mailbox, you can view and, if needed, export the results to PSTs from Outlook to give the results to the users.

 

3.    Delete the found e-mails

Important Note: for that step, you will need the "Mailbox Import Export" management role! See my article about how to grant yourself (or someone else) that role…

3.1  Launch the Search & Delete

For that step we have to use the "Search-Mailbox" cmdlet with the -DeleteContent parameter, using the exact same query you used in the 2 steps above, to ensure that you delete exactly what you expect to delete and nothing else.

Example:

get-mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -ne "DiscoveryMailbox"} | Search-Mailbox -TargetMailbox 'NCLSRestore' -TargetFolder 'DocStep03' -SearchQuery "'' AND from:'Test.Canada@E2010Domain.com' AND Received:01/01/2000..01/01/2100" -Verbose -DeleteContent -Confirm:$false

 

The above was also generated with my tool.

 

3.2  Check your items are not there anymore

We'll just use the "New-MailboxSearch" here with the -EstimateOnly switch to confirm our items are gone.

NOTE: you must wait a little after deleting items, as these cmdlets rely on the Exchange database indexes, which take a little time to update. If you check too early, you might still see the results even though the items are effectively gone. Also check your Exchange Content Index health (Get-MailboxDatabaseCopyStatus): they all must be in a "Healthy" state.

New-MailboxSearch -Name 'DocStep04-check01' -TargetMailbox 'NCLSRestore' -StartDate '01/01/2000' -EndDate '01/01/2100' -SearchQuery "''" -ExcludeDuplicateMessages $false -ErrorAction Continue -Senders "Test.Canada@E2010Domain.com" -EstimateOnly

 

The above was also generated with my tool.

 

Use Get-MailboxSearch <SearchName> where in the above example SearchName is the name specified on "Folder:", in my example "DocStep04-check01".

Or use my above-mentioned tool, the "Retrieve Mailbox Searches" tab.

 

3.3  Known issues

Sometimes there are too many mailboxes to Search and Delete, PowerShell reaches some memory/buffer limit, and your Search & Destroy fails. If that is the case, we have to tweak the command line we used in 3.1 (that I generated using my tool) a little.

My approach was to store all the mailboxes we want to delete things from in a PowerShell variable, and then use a ForEach ($Mailbox in $AllMyMailboxes) {Search and Delete}, which takes considerably more time than piping everything (like Get-Mailbox -ResultSize Unlimited) once and for all. We can mitigate that with a nested ForEach that stores the mailboxes 10 by 10 in a temporary variable and pipes these batches to Search-Mailbox…

 

Anyway, the basic workaround will then look like this, going through each mailbox one by one:

-        First, store all mailboxes in a variable:

$AllMyMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -ne "DiscoveryMailbox"}

 

-        Second, with your ForEach loop, go through each mailbox and launch a Search and Delete. NOTE: you must use the -Force parameter with Search-Mailbox to avoid being prompted "Are you sure [Y]/[A]/[N]" for each mailbox.

# Loop over the mailboxes stored above, one Search-Mailbox call per mailbox
ForEach ($Mailbox in $AllMyMailboxes) {

    # Search-Mailbox takes the mailbox to search through its -Identity parameter
    Search-Mailbox -Identity $Mailbox.Identity -TargetMailbox 'NCLSRestore' -TargetFolder 'DocStep03' -SearchQuery "'' AND from:'Test.Canada@E2010Domain.com' AND Received:01/01/2000..01/01/2100" -Verbose -DeleteContent -Confirm:$false -Force

}
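
The "10 mailboxes by 10 mailboxes" variant mentioned above, as an added example (not code from the original article or generated by the author's tool). It goes one step further than the text: each batch is first run with -EstimateResultOnly, and the copy-and-delete is launched only on mailboxes where items were found, with a CSV report kept as a record. The report path is a hypothetical placeholder; the mailbox, folder and query are the ones used in this How-To.

```powershell
# Added example: batched Search & Delete with an estimate pass before each delete.
$BatchSize  = 10                                  # batch size taken from the text above
$ReportPath = 'C:\Temp\DocStep03-report.csv'      # hypothetical path, adjust to your server
$Query      = "'' AND from:'Test.Canada@E2010Domain.com' AND Received:01/01/2000..01/01/2100"

# @() guarantees an array even if only one mailbox is returned
$AllMyMailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -ne "DiscoveryMailbox"})

$Report = @(for ($i = 0; $i -lt $AllMyMailboxes.Count; $i += $BatchSize) {

    # Slice the next batch of (at most) $BatchSize mailboxes
    $Last  = [Math]::Min($i + $BatchSize, $AllMyMailboxes.Count) - 1
    $Batch = $AllMyMailboxes[$i..$Last]

    # Pass 1: estimate only. Nothing is copied or deleted here.
    $Hits = @($Batch | Search-Mailbox -SearchQuery $Query -EstimateResultOnly |
                Where-Object { $_.ResultItemsCount -gt 0 })

    # Pass 2: copy to the result mailbox, then delete, only where pass 1 found items
    foreach ($Hit in $Hits) {
        try {
            $Done = Search-Mailbox -Identity $Hit.Identity -TargetMailbox 'NCLSRestore' `
                        -TargetFolder 'DocStep03' -SearchQuery $Query `
                        -DeleteContent -Force -ErrorAction Stop

            # Flag any difference between what was estimated and what was processed
            if ($Done.ResultItemsCount -ne $Hit.ResultItemsCount) {
                Write-Warning "$($Hit.Identity): estimated $($Hit.ResultItemsCount), processed $($Done.ResultItemsCount)"
            }

            # Emit one report row per processed mailbox
            $Done | Select-Object Identity, ResultItemsCount, ResultItemsSize, Success
        }
        catch {
            # Keep going with the remaining mailboxes, but leave a trace of the failure
            Write-Warning "$($Hit.Identity): Search-Mailbox failed: $($_.Exception.Message)"
        }
    }
})

# Record of what was removed and from where
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Once the content indexes have caught up, the -EstimateOnly check from step 3.2 should return no items for the same query.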