Search and\or delete messages in mailboxes in Exchange 2010/2013/2016

Because all messages of Exchange users are stored in a database, we can search them and, if needed, delete them. This is needed in some cases, for example when an employee has sent a message with confidential information to the wrong recipient, or when you just need to find a message and look into it. There can be many reasons.

What can Exchange 2010/2013/2016 offer us in such cases? We can search mailboxes (all or specific ones) in the database and copy the search results into another mailbox. If needed, we can also delete the search results from the source mailboxes.

Let's see how to do this.

First, if your Exchange organization has multiple Active Directory sites, enable viewing the entire forest:

Set-ADServerSettings -ViewEntireForest $true

Second, ensure that your account has the following roles assigned: Mailbox Import Export and Mailbox Search. You can assign these roles by adding your account to the Discovery Management group.

Now we can start searching:

Get-Mailbox user@domain.com | Search-Mailbox -LogLevel Full -TargetFolder SearchAndDeleteLog -TargetMailbox admin@domain.com -LogOnly -SearchQuery {Subject="Photo for Lync"}

The LogOnly switch specifies that the search only estimates the results; the messages found are NOT copied to the mailbox specified in the TargetMailbox parameter. To copy the results, just remove the switch.

There are some subtleties you must know...

The first caveat is that when searching for messages with a given subject, you will get not only messages with this exact subject, but also messages with subjects like "RE: Photo for Lync" and "FW: Photo for Lync". To exclude such unneeded messages, you must narrow your query with additional conditions, for example the send\receive date and\or the sender\recipient.

Queries for the SearchQuery parameter are written in KQL (Keyword Query Language), more details are available here: https://msdn.microsoft.com/en-us/library/ee558911(v=office.15).aspx.

The second nuance is that when you add conditions to the query, you need to take into account the regional settings of your server. For example, 14 October 2016 can be written in the following ways in different locales:

  • 14/10/2016
  • 10/14/2016

You can also use "14-Oct-2016", which is the most convenient from my point of view.

Here are examples of KQL queries for Exchange:

  • Received:> $('07/18/2014') AND From:<sender address>
  • Received:> $('11/30/2014') AND From:<sender address> AND Subject:'EMAIL UPGRADE'
  • Subject:"Searching" AND From:"<sender address>" AND Sent:"6/5/2015"

Deleting search results from source mailboxes

Use the DeleteContent switch to delete the messages found by the search.

Get-Mailbox user@domain.com | Search-Mailbox -LogLevel Full -TargetFolder SearchAndDeleteLog -TargetMailbox admin@domain.com -SearchQuery {Subject="Photo for Lync"} -DeleteContent
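
The steps above combined into one guarded run, as an added example that is not part of the original article: it narrows the query by sender and date, estimates with LogOnly, copies the matches, and only then deletes. The sender address and the $maxHits limit are assumptions made for the illustration; the date format follows the article's "14-Oct-2016" suggestion.

```powershell
# Added example for the Exchange Management Shell; all addresses are placeholders.
$source  = 'user@domain.com'      # mailbox to search
$target  = 'admin@domain.com'     # mailbox that receives the log and the copies
$folder  = 'SearchAndDeleteLog'
$sender  = 'sender@domain.com'    # hypothetical sender of the message
$maxHits = 5                      # assumed safety limit for a single purge

# Format the date as dd-MMM-yyyy with the invariant culture, so the string
# does not depend on the regional settings of the server or the admin PC.
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$day     = (Get-Date -Year 2016 -Month 10 -Day 14).ToString('dd-MMM-yyyy', $culture)

# Sender and date conditions keep unrelated "RE:"/"FW:" messages out of the results.
$query = 'Subject:"Photo for Lync" AND From:"{0}" AND Received:"{1}"' -f $sender, $day

# Step 1: estimate only. LogOnly writes a log to the target mailbox, copies nothing.
$estimate = Get-Mailbox $source |
    Search-Mailbox -SearchQuery $query -TargetMailbox $target -TargetFolder $folder `
                   -LogLevel Full -LogOnly
$count = ($estimate | Measure-Object -Property ResultItemsCount -Sum).Sum

Write-Host "Query:           $query"
Write-Host "Estimated items: $count"

if (-not $count) {
    Write-Warning 'Nothing matched. Check the query and the date format.'
}
elseif ($count -gt $maxHits) {
    Write-Warning "More than $maxHits items matched. Narrow the query before deleting."
}
else {
    # Step 2: copy the matches to the target mailbox so they can be reviewed and kept.
    Get-Mailbox $source |
        Search-Mailbox -SearchQuery $query -TargetMailbox $target -TargetFolder $folder `
                       -LogLevel Full

    # Step 3: delete from the source mailbox. The copies from step 2 remain in the
    # target mailbox. Search-Mailbox asks for confirmation before it deletes.
    Get-Mailbox $source | Search-Mailbox -SearchQuery $query -DeleteContent
}
```

Open the log and the copied messages in the target mailbox after step 2 and compare them with the estimate before answering the confirmation prompt in step 3.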
