Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

http://o365info.com/recovering-deleted-mail-items-using-powershell-cmdlets-search-mailbox-part-7-7

In the current article, we will review the use of the PowerShell cmdlet Search-Mailbox, which we can use for searching and recovering specific mail items.

The PowerShell cmdlet Search-Mailbox is the “older sister” of the newer PowerShell cmdlet New-MailboxSearch.

Both of these PowerShell cmdlets were designed to give the Exchange administrator the powerful capability of creating a multiple mailbox search, plus the ability to copy (recover) the search results to an “other store” such as the Discovery Search Mailbox or any other Exchange mailbox.

A little bit of history

The ability to perform a multiple mailbox search was first presented in Exchange 2010. This ability was based on the PowerShell cmdlet Search-Mailbox.

In Exchange 2013, the term “Multiple mailbox search” was replaced by the term “in-place eDiscovery & hold”.

The in-place eDiscovery & hold infrastructure includes more capabilities and features, and it’s based on a new PowerShell cmdlet named New-MailboxSearch.

In other words, we can say that the Exchange in-place eDiscovery & hold management interface is the graphical interface for the PowerShell cmdlet New-MailboxSearch.

Because New-MailboxSearch is “newer” and more advanced, we could logically assume that this PowerShell cmdlet includes all of the capabilities of the “former” PowerShell cmdlet Search-Mailbox, plus new capabilities.

This assumption is only partially correct, because the interesting thing is that the “older” PowerShell cmdlet Search-Mailbox still has capabilities that are not available in the newer PowerShell cmdlet New-MailboxSearch.

The abilities that are included in the PowerShell cmdlet Search-Mailbox and are not included in the newer PowerShell cmdlet New-MailboxSearch are:

1. Search and delete (search and destroy)

This ability is sometimes referred to as “search and destroy”. Searching multiple Exchange mailboxes is the first part. The second part is “what to do with the search results?”.

When using the PowerShell cmdlet Search-Mailbox, we can decide to delete the search results instead of copying or recovering them.

If the option of “delete mail items” based upon the search result seems strange to you, consider a scenario in which your organization was infected by a virus that was sent via the mail system to different recipients in the organization.

You want to be able to find all the recipients that got the infected mail and delete the mail items that are infected by the virus.

Note – in the current article, we will not review the option of using the PowerShell cmdlet Search-Mailbox for deleting mail items.

2. Search scope – folder based

An interesting capability of the PowerShell cmdlet Search-Mailbox is the ability to define a specific mailbox folder as a parameter for the search.

This ability can be used with the standard mailbox folders, such as the Inbox folder, Sent Items and so on; in addition, we can define the Recoverable Items folder as the search scope.

In other words, the PowerShell cmdlet Search-Mailbox enables us to restrict the search to the Recoverable Items folder only and to recover (copy) the mail items in this folder.

This option is very useful in “recover mail” scenarios because in this case we don’t need to search and recover the “standard” mailbox content, but only the mail items located in the Recoverable Items folder.

Recovering mail items using the Search-Mailbox PowerShell cmdlet | A two-stage process

Before we start reviewing the specific syntax of the PowerShell cmdlet Search-Mailbox, it’s important to understand the logic and the structure of this command.

The “flow” that is implemented by the PowerShell cmdlet Search-Mailbox consists of two phases:

Phase 1 – in this phase, the Search-Mailbox command accesses the mailbox or mailboxes that we have specified and starts to look for mail items that “answer” the search query parameters that we have defined.

Phase 2 – in this phase, the Search-Mailbox command “fetches” the search results (mail items) and copies them to the “destination mailbox”.

The “destination mailbox” could be the Exchange system Discovery Search mailbox or any other mailbox that we choose.

The four Search-Mailbox mandatory parameters

When using the PowerShell cmdlet Search-Mailbox, we will have to define four mandatory parameters:

1. The mailbox or the mailboxes that we want to search – we need to specify at least one mailbox as the “source mailbox”.

2. The search query parameters – the search parameters can be very simple or very complicated; we can choose to restrict the search based on a date range, specific keywords, a specific folder, etc.

3. The “destination mailbox” – this is the mailbox that will serve as a “container” for the copy of the mail items that form the search results.

4. The folder name that will “host” the copy of the search results – we need to specify a name that will be used for the folder that will contain the copy of the search results.

Required permissions for using the Exchange PowerShell cmdlet – Search-Mailbox

Using the Search-Mailbox cmdlet enables the user who performs the search (an Exchange administrator or a user with the required permissions) to search and view users’ data located in their mailboxes.

To be able to have this “ability”, there is a need to assign the required permission to the user who will use the

You need to be assigned the following management roles to search for and delete messages in users’ mailboxes:

Mailbox Search – This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren’t assigned this role by default. To assign yourself this role so that you can search mailboxes, add yourself as a member of the Discovery Management role group. See Assign eDiscovery permissions in Exchange.

Mailbox Import Export – This role allows you to delete messages from a user’s mailbox. By default, this role isn’t assigned to any role group. To delete messages from users’ mailboxes, you can add the Mailbox Import Export role to the Organization Management role group. For more information, see the “Add a role to a role group” section in Manage role groups.

[Source of information – Search and delete messages]

Using the Search-Mailbox cmdlet – scenarios

To demonstrate the different possibilities of using the Search-Mailbox cmdlet, we will review a couple of optional scenarios.

Scenario 1

Scenario description:

We want to search and recover mail items that answer the following parameters:

Mail items that are stored in a specific Exchange user mailbox.

Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

In addition, create a detailed log (LogLevel Full).

Copy mail items from the Recoverable Items folder to the Discovery Search Mailbox

PowerShell command Syntax

PowerShell

Search-Mailbox <Identity> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command Example

PowerShell

Search-Mailbox John -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John recovered mail" -LogLevel Full

Scenario 2

Scenario description:

We don’t wish to recover mail items; instead, we just want to get a detailed report about all the mail items that reside in the Recoverable Items folder.

We want to search (but not to recover) mail items that answer the following parameters:

Mail items that are stored in a specific Exchange user mailbox.

Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Provide a report about deleted mail items

PowerShell command Syntax

PowerShell

Search-Mailbox <Identity> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full -LogOnly

PowerShell command Example

PowerShell

Search-Mailbox John -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "David Deleted mail items" -LogLevel Full -LogOnly

Scenario 3

Scenario description:

We want to search and recover mail items that answer the following parameters:

Mail items that are stored in all of the Exchange user mailboxes (bulk search).

Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover deleted mail items from all user mailboxes (bulk mode)

PowerShell command Syntax

PowerShell

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command Example

PowerShell

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "All users Deleted mail items" -LogLevel Full
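The two phases described earlier (search, then copy) can be run separately, so that a bulk recovery like Scenario 3 copies only from mailboxes that actually hold matching items and can be previewed first. The following is an added example, not code from the original article or its script; the function name Copy-DumpsterItems and its parameters are hypothetical, and it assumes a session in which Search-Mailbox is available to the account running it.

```powershell
# Added example (not from the original article). Copy-DumpsterItems is a
# hypothetical helper name; it needs a session where Search-Mailbox is available.
function Copy-DumpsterItems {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Binds to the Identity property of the objects Get-Mailbox emits
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $Identity,

        [Parameter(Mandatory)]
        [string] $TargetFolder,

        [string] $TargetMailbox = 'Discovery Search Mailbox',

        [string] $SearchQuery    # optional query, e.g. 'Kind:meetings'
    )
    process {
        # Arguments shared by the estimate (phase 1) and the copy (phase 2)
        $search = @{ Identity = $Identity; SearchDumpsterOnly = $true }
        if ($SearchQuery) { $search['SearchQuery'] = $SearchQuery }

        # Phase 1 only: count the matching items, copy nothing.
        # -WhatIf:$false keeps the estimate running during a -WhatIf dry run.
        $estimate = Search-Mailbox @search -EstimateResultOnly -WhatIf:$false
        if (-not $estimate -or $estimate.ResultItemsCount -eq 0) {
            Write-Verbose "$Identity : nothing to recover, skipped"
            return
        }

        # Phase 2: copy the items; with -WhatIf the function stops here
        $action = "copy $($estimate.ResultItemsCount) item(s) to '$TargetMailbox\$TargetFolder'"
        if ($PSCmdlet.ShouldProcess($Identity, $action)) {
            Search-Mailbox @search -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full |
                Select-Object Identity, TargetMailbox, Success, ResultItemsCount, ResultItemsSize
        }
    }
}

# Dry run over every mailbox: lists what would be copied, copies nothing
Get-Mailbox -ResultSize Unlimited |
    Copy-DumpsterItems -TargetFolder 'All users Deleted mail items' -WhatIf
```

Remove -WhatIf to perform the copy once the listed mailboxes and item counts look right.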

Scenario 4

Scenario description:

We want to search and recover mail items that answer the following parameters:

Mail items that are stored in a specific Exchange user mailbox.

A specific type of mail item – only calendar mail items.

Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover only deleted calendar mail items

PowerShell command Syntax

PowerShell

Search-Mailbox <Identity> -SearchDumpsterOnly -SearchQuery "Kind:<Mail Type>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command Example

PowerShell

Search-Mailbox John -SearchDumpsterOnly -SearchQuery "Kind:meetings" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John calendar items" -LogLevel Full

Scenario 5

Scenario description:

We want to search and recover mail items that answer the following parameters:

Mail items that are stored in a specific Exchange user mailbox.

Mail items that include a specific text string.

Recover only deleted mail items that include a specific text (mail body or subject)

PowerShell command Syntax

PowerShell

Search-Mailbox <Identity> -SearchQuery "<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command Example

PowerShell

Search-Mailbox John -SearchQuery "call me ASAP" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John mail items" -LogLevel Full

Scenario 6

Scenario description:

We want to search and recover mail items that answer the following parameters:

Mail items that are stored in a specific Exchange user mailbox.

Mail items that include a specific text string that appears in the e-mail subject.

Recover only deleted mail items that include a specific text in mail subject

PowerShell command Syntax

PowerShell

Search-Mailbox <Identity> -SearchQuery 'Subject:"<Text String>"' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command Example

PowerShell

Search-Mailbox John -SearchQuery 'Subject:"call me ASAP"' -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John mail items" -LogLevel Full

Scenario 7

Scenario description:

We want to search and recover mail items that answer the following parameters:

Mail items that are stored in a specific Exchange user mailbox.

Mail items that were sent in a specific date range.

Recover deleted mail items from a specific date range

PowerShell command Syntax

PowerShell

Search-Mailbox <Identity> -SearchQuery '(sent:dd/mm/yy..dd/mm/yy)' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command Example

PowerShell

Search-Mailbox <Identity> -SearchQuery '(sent:09/1/2015..09/10/2015)' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

Additional considerations related to the use of the Search-Mailbox command

1. Assign Full Access permission to the Discovery Search Mailbox

In case we want to look into the content of the Discovery Search Mailbox by using the Outlook mail client, we will need to assign Full Access permission to the Discovery Search Mailbox.

Assign Full Access permission to the Discovery Search Mailbox

PowerShell command Syntax

PowerShell

Add-MailboxPermission "<Destination Mailbox>" -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False

PowerShell command Example

PowerShell

Add-MailboxPermission "Discovery Search Mailbox" -User John -AccessRights FullAccess -InheritanceType All -AutoMapping $False

2. Assign the required permission for using the PowerShell cmdlet Search-Mailbox

To be able to use the PowerShell cmdlet Search-Mailbox, we will need to assign the required permission to the user account that will use it.

We will need to enable the following permissions:

Add the user to the Discovery Management role group and assign the user account the Mailbox Import Export role.

Add user to the Discovery Management group

PowerShell command Syntax

PowerShell

Add-RoleGroupMember -Identity "Discovery Management" -Member <Identity>

PowerShell command Example

PowerShell

Add-RoleGroupMember -Identity "Discovery Management" -Member John

Assign a user “Mailbox Import Export” permission

PowerShell command Syntax

PowerShell

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User <Identity>

PowerShell command Example

PowerShell

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User John
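The Discovery Management membership, the Mailbox Import Export role and Full Access on the discovery mailbox all give access to other users’ mail, so it helps to be able to list who currently holds them. The following added example (not part of the original article or its script) builds that list and marks entries that are not on an expected list; the function name Get-MailboxSearchExposure and the -Approved parameter are hypothetical, and it assumes the default discovery mailbox name used in this article.

```powershell
# Added example (not from the original article). Get-MailboxSearchExposure is a
# hypothetical name; run it in a session with the Exchange cmdlets loaded.
function Get-MailboxSearchExposure {
    param(
        [string]   $DiscoveryMailbox = 'Discovery Search Mailbox',
        # Names expected to hold this access, written exactly as the cmdlets report them
        [string[]] $Approved = @()
    )

    $rows = @(
        # Members of the role group that carries the Mailbox Search role
        Get-RoleGroupMember -Identity 'Discovery Management' | ForEach-Object {
            [pscustomobject]@{ Access = 'Discovery Management member'; Principal = $_.Name }
        }

        # Everyone who effectively holds Mailbox Import Export, directly or via a group
        Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
            ForEach-Object {
                [pscustomobject]@{ Access = 'Mailbox Import Export role'; Principal = $_.EffectiveUserName }
            }

        # Explicit (non-inherited) Full Access on the mailbox that receives the copies
        Get-MailboxPermission -Identity $DiscoveryMailbox |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny } |
            ForEach-Object {
                [pscustomobject]@{ Access = "Full Access on $DiscoveryMailbox"; Principal = "$($_.User)" }
            }
    )

    # Unapproved entries sort first ($false before $true)
    $rows |
        Select-Object Access, Principal, @{ Name = 'Approved'; Expression = { $Approved -contains $_.Principal } } |
        Sort-Object Approved, Access, Principal
}

# The approved list here is constructed sample data
Get-MailboxSearchExposure -Approved 'John' | Format-Table -AutoSize
```

Access that is no longer needed after a recovery can be withdrawn with Remove-RoleGroupMember, Remove-ManagementRoleAssignment and Remove-MailboxPermission.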

3. Create a new discovery mailbox

Exchange Online provides a default mailbox that will serve as the container for the search results, the Discovery Search Mailbox.

In case we want to create an additional discovery mailbox, we can use a PowerShell command for creating this additional mailbox.

Create a new discovery mailbox

PowerShell command Syntax

PowerShell

New-Mailbox -Name <name> -Discovery

PowerShell command Example

PowerShell

New-Mailbox -Name "New Discovery" -Discovery

For your convenience, I have “wrapped” all the PowerShell commands that were reviewed in a PowerShell script named:

Recover_Delted_Mail.PS1

You are welcome to download the script and use it.

Additional reading

Search-Mailbox

Search and delete messages