Exchange 2013 In-Place Hold and In-Place eDiscovery (Part 3)

In-Place eDiscovery

In terms of archiving and compliance, Exchange 2013 introduces what Microsoft calls In-Place eDiscovery, which helps organizations perform discovery searches for relevant content within mailboxes. This may be a requirement by an organizational policy, compliance or even a lawsuit for example.

In-Place eDiscovery allows authorized users to search mailbox data across all mailboxes and archives in Exchange and copy e-mails to a discovery mailbox for review. In Exchange 2013, In-Place eDiscovery has been enhanced to allow more efficient searches and holds. These enhancements include:

  • Federated search allows administrators to search and preserve data across multiple data repositories. Administrators can use the eDiscovery Center in SharePoint 2013 to perform In-Place eDiscovery search and hold across Exchange 2013, SharePoint 2013 and Lync 2013;
  • Discovery Managers can use the new In-Place eDiscovery and Hold wizard to perform eDiscovery and hold operations. If SharePoint 2013 is not available, a subset of the eDiscovery functionality is available in the Exchange admin center;
  • Discovery Managers can export mailbox content to a PST file from the SharePoint 2013 eDiscovery Center;
  • Search statistics are offered on a per search term basis, enabling Discovery Managers to quickly make decisions about how to further refine search queries to provide better results. eDiscovery search results are also sorted by relevance;
  • Discovery Managers can use Keyword Query Language (KQL) syntax in search queries, which is similar to the Advanced Query Syntax (AQS) used for discovery searches in Exchange 2010.

In Exchange 2010 authorized users running a discovery search would have to copy messages that matched the search criteria into a specified discovery mailbox, from which they could be exported into a PST file or accessed by users who had the appropriate permissions.

In Exchange 2013, the results do not have to be copied to a discovery mailbox before use. Instead, these authorized users see live results from their search or can optionally create a saved search that is updated as needed. The results can now be exported to a PST file directly from the eDiscovery Center in SharePoint 2013. Although this might not seem like a big change, combined with the fact that a single search can return results from Lync, SharePoint and Exchange, it dramatically simplifies the entire process.

RBAC allows members of the Discovery Management role group to perform discovery tasks without the need to provide elevated privileges that may allow a user to make any operational changes to Exchange configuration. This role group consists of two management roles: the Mailbox Search Role, which allows a user to perform an In-Place eDiscovery search, and the Legal Hold Role, which allows a user to place a mailbox on In-Place Hold.

If a user has not been added to the Discovery Management role group or is not assigned the Mailbox Search role, the In-Place eDiscovery & Hold user interface is not displayed in the EAC, and the In-Place eDiscovery cmdlets are not available in the Shell.

In-Place eDiscovery uses the content indexes created by Exchange Search, which has been redesigned to use Microsoft Search Foundation, a search platform that improves indexing, querying performance and search functionality. Because the Microsoft Search Foundation is also used by other Office products, such as SharePoint 2013, it offers greater interoperability and similar query syntax across these products. Using the SharePoint eDiscovery Center, authorized users can search for and hold all content related to a case, including SharePoint 2013 websites, documents, file shares indexed by SharePoint, mailbox content in Exchange and archived Lync 2013 content.

In-Place eDiscovery uses KQL, a querying syntax similar to the AQS used by Instant Search in Microsoft Outlook and Outlook Web App. Users familiar with KQL can easily construct powerful search queries to search content indexes.

The EAC provides an easy-to-use search interface for non-technical personnel such as legal and compliance officers, records managers or HR professionals. The In-Place eDiscovery & Hold wizard allows authorized users to create an In-Place eDiscovery search and also use In-Place Hold to place search results on hold. When creating an In-Place eDiscovery search, a search object is created in the In-Place eDiscovery system mailbox. This object can be manipulated to start, stop, modify and remove the search. After the search is created, authorized users can select one of the following actions:

  • Estimate search results – includes the number of items returned and their total size. It also provides keyword statistics (details about number of items returned for each keyword used in the search query);
  • Preview search results – provides a preview of the results by allowing authorized users to view message content, the number of messages returned from each source mailbox and the total number of messages;
  • Copy search results – copies messages to a Discovery mailbox.

When satisfied with the search results, users can copy them to a discovery mailbox and use the EAC or Outlook to export a discovery mailbox or some of its content to a PST file.

A Discovery mailbox is a special type of mailbox that provides the following functionality:

  • Secure target mailbox selection – when using the EAC to copy In-Place eDiscovery search results, only discovery mailboxes are made available as a repository in which to store search results. This eliminates the possibility of a discovery manager accidentally selecting another user’s mailbox or an unsecured mailbox in which to store potentially sensitive messages;
  • More secure by default – a Discovery mailbox has an associated Active Directory user account which is disabled by default. Only users explicitly authorized to access a Discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full Access permissions to the default Discovery mailbox. Any additional Discovery mailboxes created do not have mailbox access permissions assigned to any user;
  • E-mail delivery disabled – although visible in Exchange address lists, users cannot send e-mail to a discovery mailbox as e-mail delivery to discovery mailboxes is prohibited by using delivery restrictions. This preserves the integrity of search results copied to a discovery mailbox.

Exchange 2013 Setup creates one discovery mailbox with the display name Discovery Search Mailbox, but additional mailboxes can be created. A system mailbox with the display name SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} is also used to store In-Place eDiscovery metadata. System mailboxes are not visible in the EAC or in Exchange address lists and if this mailbox is removed or corrupted, discovery managers will be unable to perform eDiscovery searches until it is recreated.

To recreate the In-Place eDiscovery system mailbox:

  1. Delete the SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} user account from Active Directory, if it exists;
  2. Prepare Active Directory by running Microsoft Exchange 2013 Setup with the /PrepareAD switch in the root domain of the Active Directory forest;
  3. Use the Shell to enable the Discovery system mailbox:

Enable-Mailbox "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -Arbitration -DomainController <FQDN of a global catalog server in the root domain of the AD forest>

Logging

In-Place eDiscovery searches have two types of logging available:

  • Basic logging, enabled by default, includes information about the search and who performed it. The information captured by basic logging appears in the body of the e-mail sent to the mailbox where the search results are stored;
  • Full logging includes information about all items returned by the search, provided in a CSV file attached to the e-mail that contains the basic logging information. This information may be required for compliance or record-keeping purposes. To enable full logging, you must select the Enable full logging option when copying search results to a discovery mailbox in EAC, or by using the LogLevel parameter when using the Shell.

Besides the search log included when copying search results to a discovery mailbox, Exchange also logs cmdlets used by the EAC or the Shell to create, modify or remove In-Place eDiscovery searches. This information is logged in the admin audit log entries that we will discuss later.
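The two logging sources described above, as an added example that is not part of the original article: an In-Place eDiscovery search created with full logging, followed by a query of the admin audit log for the eDiscovery cmdlets. The search name, source mailboxes and KQL query are constructed samples; the cmdlets and parameters are those of the Exchange 2013 Management Shell.

```powershell
# Added example (not from the article). Assumes the Exchange 2013 Management Shell,
# membership of Discovery Management, and the default "Discovery Search Mailbox".
function Invoke-AuditedDiscoverySearch {
    param(
        [string]   $Name            = 'Case-2013-001',                       # constructed
        [string[]] $SourceMailboxes = @('jdoe', 'asmith'),                   # constructed
        [string]   $Query           = 'subject:"contract" AND sent>=01/01/2013'  # constructed KQL
    )

    # -LogLevel Full attaches a CSV listing every returned item to the results
    # e-mail delivered to the target discovery mailbox (basic logging is the body).
    $search = New-MailboxSearch -Name $Name -SourceMailboxes $SourceMailboxes `
        -SearchQuery $Query -TargetMailbox 'Discovery Search Mailbox' `
        -LogLevel Full -IncludeUnsearchableItems $false

    # The search object is created stopped; start it to copy results.
    Start-MailboxSearch -Identity $Name
    $search
}

function Get-DiscoverySearchAuditTrail {
    param([int] $Days = 7)
    # Admin audit log: which caller ran which eDiscovery cmdlet, when, against
    # which search object, and with which parameters (chain-of-custody evidence).
    Search-AdminAuditLog -Cmdlets New-MailboxSearch, Set-MailboxSearch, Remove-MailboxSearch, Start-MailboxSearch `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, @{
            Name       = 'Parameters'
            Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }
        }
}

Invoke-AuditedDiscoverySearch | Out-Null
Get-DiscoverySearchAuditTrail -Days 1 | Format-Table -AutoSize -Wrap
```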

Users Leaving the Organization

When an employee leaves an organization, it is common to disable or remove the mailbox. The Managed Folder Assistant does not process disconnected mailboxes, so retention policies are not applied while the mailbox is disconnected. Disconnected mailboxes cannot be searched using eDiscovery.

In-Place eDiscovery in Exchange Online allows the search of Inactive Mailboxes (mailboxes that are placed on In-Place Hold and then removed). These mailboxes are preserved as long as they are on hold and do not require a license. When an inactive mailbox is removed from In-Place Hold it is permanently deleted. In on-premises deployments, if an organization needs to retain an ex-employee’s mailbox for an ongoing or future eDiscovery search, then the following should be performed:

  1. Disable the Active Directory user account, thus preventing mailbox logon using the associated user account. Note that users with Full Access mailbox permission will still be able to access the mailbox;
  2. Set the message size limit for messages that can be sent from or received by the mailbox user to a very low value, 1KB for example. This prevents delivery of new mail to and from the mailbox;
  3. Configure delivery restrictions for the mailbox so nobody can send messages to it;
  4. Either remove any retention policies applied to this mailbox or place it on In-Place Hold so that items are preserved.
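The four steps above applied with Exchange 2013 cmdlets, as an added example that is not part of the original article. It assumes the Exchange Management Shell plus the ActiveDirectory module (for Disable-ADAccount), and an empty distribution group (placeholder name NoSenders-DL) used to satisfy step 3; the mailbox alias is a constructed sample.

```powershell
# Added example (not from the article): preserve a departed user's mailbox for
# an ongoing or future eDiscovery search. Assumes an existing, permanently empty
# distribution group whose name is the placeholder 'NoSenders-DL'.
function Protect-DepartedMailbox {
    param(
        [Parameter(Mandatory)] [string] $Identity,          # alias, UPN or SMTP address
        [string] $EmptySendersGroup = 'NoSenders-DL',       # placeholder; must exist and stay empty
        [string] $HoldName = "Hold-$Identity"
    )

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # 1. Block logon with the user's own account. Full Access delegates can still open it.
    Disable-ADAccount -Identity $mbx.SamAccountName

    # 2. A 1 KB limit stops any meaningful mail from being sent or received.
    Set-Mailbox -Identity $mbx.Identity -MaxSendSize 1KB -MaxReceiveSize 1KB

    # 3. Delivery restriction: only members of an empty group may send to it, i.e. nobody.
    Set-Mailbox -Identity $mbx.Identity -AcceptMessagesOnlyFromDLMembers $EmptySendersGroup

    # 4. Remove retention (so the MFA cannot purge items) and place the mailbox on In-Place Hold.
    Set-Mailbox -Identity $mbx.Identity -RetentionPolicy $null
    New-MailboxSearch -Name $HoldName -SourceMailboxes $mbx.Identity -InPlaceHoldEnabled $true

    # Return the settings a reviewer would verify afterwards.
    Get-Mailbox -Identity $mbx.Identity |
        Select-Object Alias, MaxSendSize, MaxReceiveSize, AcceptMessagesOnlyFromDLMembers,
                      RetentionPolicy, InPlaceHolds
}

Protect-DepartedMailbox -Identity 'jdoe'   # 'jdoe' is a constructed sample alias
```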

Throttling Policies

Exchange 2013 throttles the resources In-Place eDiscovery can consume on a Mailbox server using throttling policies. Administrators can modify parameters of the default throttling policy to suit their requirements or create additional throttling policies and assign them to users with delegated Discovery Management permissions.

The default throttling policy contains the following throttling parameters.

Parameter                           Description                                                                                                        Default value
----------------------------------  -----------------------------------------------------------------------------------------------------------------  -------------
DiscoveryMaxConcurrency             Maximum number of In-Place eDiscovery searches a user can perform concurrently                                     2
DiscoveryMaxMailboxes               Maximum number of mailboxes that can be searched in a single In-Place eDiscovery search                            50
DiscoveryMaxMailboxesResultsOnly    Maximum number of mailboxes that can be searched in a single In-Place eDiscovery search with results copied to     5000
                                    a discovery mailbox
DiscoveryMaxKeywords                Maximum number of keywords that can be specified in a single In-Place eDiscovery search                            500
DiscoveryMaxSearchResultsPageSize   Maximum number of items displayed on a single page in eDiscovery Search Preview                                   200
DiscoveryMaxKeywordsPerPage         Maximum number of keywords displayed per page in the keyword statistics section of an In-Place eDiscovery          25
                                    search status in EAC

Table 1
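Creating a dedicated throttling policy for discovery managers and assigning it to the members of the Discovery Management role group, as an added example that is not part of the original article. The policy name and the limit values are constructed for illustration; the Discovery* parameters are those of New-ThrottlingPolicy in Exchange 2013.

```powershell
# Added example (not from the article). Assumes the Exchange 2013 Management Shell
# and Organization Management rights to create throttling policies.
function New-DiscoveryThrottlingPolicy {
    param(
        [string] $Name           = 'DiscoveryManagers',   # constructed policy name
        [int]    $MaxConcurrency = 4,                     # constructed value (default is 2)
        [int]    $MaxMailboxes   = 200,                   # constructed value (default is 50)
        [int]    $MaxKeywords    = 500                    # keep the default
    )

    # Regular scope applies only to mailboxes explicitly assigned to the policy,
    # so every other user keeps the organization default limits.
    $policy = New-ThrottlingPolicy -Name $Name -ThrottlingPolicyScope Regular `
        -DiscoveryMaxConcurrency $MaxConcurrency `
        -DiscoveryMaxMailboxes   $MaxMailboxes `
        -DiscoveryMaxKeywords    $MaxKeywords

    # Assign the policy to each mailbox-enabled member of Discovery Management;
    # members that are not mailboxes (e.g. nested groups) are skipped.
    Get-RoleGroupMember -Identity 'Discovery Management' |
        ForEach-Object { Get-Mailbox -Identity $_.Identity -ErrorAction SilentlyContinue } |
        Where-Object { $_ } |
        Set-Mailbox -ThrottlingPolicy $policy.Identity

    $policy
}

$new = New-DiscoveryThrottlingPolicy

# Compare the new policy with the default policies before relying on it.
Get-ThrottlingPolicy |
    Where-Object { $_.ThrottlingPolicyScope -ne 'Regular' -or $_.Identity -eq $new.Identity } |
    Format-Table Name, ThrottlingPolicyScope, DiscoveryMaxConcurrency, DiscoveryMaxMailboxes, DiscoveryMaxKeywords -AutoSize
```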

Conclusion

In this article series, we explored the new In-Place Hold and In-Place eDiscovery features introduced in Exchange 2013. This is an area that is increasingly important to organizations and which Microsoft keeps improving. Exchange 2013 makes it easier than ever for organizations to ensure their message privacy protection policies are compliant and meet strategic business goals, whether for business, legal or regulatory requirements.
