Managing Multi-Mailbox Search in Exchange Server 2010 (Part 6)

Multi-Mailbox Search in more advanced scenarios…

So far we have gone through the search process and the discovery mailbox. Now it is time to put the feature to the test and make sure that we, as administrators, are comfortable with it. In this section we will go over some topics that always come up when the discovery feature is mentioned: attachments, deleted messages and the archive.

Let’s start with attachments: we created a simple search to look for the word Project* in all mailboxes of our small organization. Before starting the search, I created a file called Grinch.xlsx and added the text “Project XYZ” inside the file. The results on the Discovery Mailbox can be seen in Figure 01, where the message was found and the attached file is there. We can click Open in Browser and see the contents of the file as shown in Figure 02.


Figure 01: Search results when a string is found in an attachment


Figure 02: Content of the attached file where the string Project XYZ was found

Note:
During the Exchange Server 2010 deployment, the Microsoft Filter Pack is recommended for Hub and Mailbox roles, and in order to get proper results like the ones above, that feature should be installed.

Let’s say that the user who received the file realized that it would cause problems later, so he performed a soft delete of the message and then emptied the Deleted Items folder. When we then run the Mailbox Search task, as shown in Figure 03, we notice that underneath the Primary Mailbox there is a Recoverable Items folder containing a Deletions folder, which means that the content has been deleted by the user but remains in his mailbox.


Figure 03: A deleted message from the mailbox but still in the Dumpster 2.0 folder structure

What if the user goes to Recover Deleted Items and deletes the message from there? If we have the right features in place, we are still protected by the Dumpster 2.0 improvements that came with Exchange Server 2010. Either of two features makes this work: Single Item Recovery or Litigation Hold. Either one keeps the items deleted from Recover Deleted Items in the Purges folder, which retains the message for the number of days defined at the database level or at the mailbox level. The default value for any new mailbox database is 14 days. We will be going over these features in this article series, so hang in there.

Every organization has that smart user, and the organization we are dealing with in this article series is no different. Our smart user created a folder called ArchiveYYY in Exchange Online Archive and moved any messages containing the secret information to that folder. Using the same search as before, we just need to hit the Restart Search button, and in the Discovery Mailbox we will see a folder called Archive Mailbox, which represents the Exchange Archive feature and the location where the messages were found, as shown in Figure 04.


Figure 04: Message found in the Archive structure of the mailbox

Using Litigation Hold with Multi-Mailbox Search…

We covered some scenarios where the user can try to bypass the system security. However, we are here to make sure that end-users can run but can’t hide from Exchange 🙂

In the previous section we saw that a message can leave the system when a smart user deletes it, by either soft delete or hard delete, and afterwards removes it from Recover Deleted Items. As a matter of fact, every message deleted in Exchange Server 2010 ends up in Recover Deleted Items, and from there it is purged either by the system or by the user, if he/she removes the content from there.

In order to prevent users from deleting data, the administrator has two options: Single Item Recovery or Litigation Hold. With Single Item Recovery, a message is purged only according to the Recover Deleted Items threshold. That threshold is the Keep deleted items for (days) setting, which is defined at the database level (14 days by default, as shown in Figure 05) or at the mailbox level, where it can be set using the following cmdlet:

Set-Mailbox <Mailbox> -RetainDeletedItemsFor 30.00:00:00


Figure 05: Database limits

The setting to retain deleted items covers only regular operations: it still allows the user to go to Recover Deleted Items and delete the information from there, which is our big concern. So, now that we have defined how long we want to keep an item around, we can configure the Single Item Recovery feature at the mailbox level. It purges items only when the previously defined threshold is reached, forcing the user to respect the limits defined at the database level. We can use the following cmdlet to enable Single Item Recovery on a specific mailbox:

Set-Mailbox <Mailbox> -SingleItemRecoveryEnabled $true

If for any reason you need to put a mailbox on litigation hold, you can use the Exchange Control Panel, the Exchange Management Console or the Exchange Management Shell. The requirement is to be a member of the default Discovery Management role group. In Figure 06 we are enabling Litigation Hold using the Exchange Management Console, where we can also define a comment and a URL to help the end-user.


Figure 06

When an end-user has Litigation Hold enabled, as we have done in the previous step, the information about the litigation hold is displayed in the backstage area of his Outlook, as shown in Figure 07.


Figure 07: Litigation Hold information on the user level.
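
The settings described above (deleted item retention, Single Item Recovery and Litigation Hold) can be applied and then verified together from the Exchange Management Shell. The script below is an added example, not code from the original article; the mailbox name, the comment text and the URL are placeholder values.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2010).
# The mailbox identity, comment and URL are placeholders, not values from the article.
$Mailbox = 'user01'

# 1. Show the database default ("Keep deleted items for (days)") for comparison.
$mbx = Get-Mailbox -Identity $Mailbox
Get-MailboxDatabase -Identity $mbx.Database |
    Format-List Name, DeletedItemRetention

# 2. Set a 30-day mailbox-level retention window and enable Single Item Recovery.
#    UseDatabaseRetentionDefaults is set to $false explicitly so that the
#    mailbox-level value, not the database value, is the one in effect.
Set-Mailbox -Identity $Mailbox `
    -RetainDeletedItemsFor 30.00:00:00 `
    -UseDatabaseRetentionDefaults $false `
    -SingleItemRecoveryEnabled $true

# 3. Place the mailbox on Litigation Hold, with the comment and URL shown to the user.
Set-Mailbox -Identity $Mailbox `
    -LitigationHoldEnabled $true `
    -RetentionComment 'This mailbox is on litigation hold.' `
    -RetentionUrl 'https://intranet.example.com/legal-hold'

# 4. Confirm that all of the settings were applied.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, RetainDeletedItemsFor, UseDatabaseRetentionDefaults,
                SingleItemRecoveryEnabled, LitigationHoldEnabled,
                RetentionComment, RetentionUrl

# 5. Inspect the Recoverable Items structure (Deletions, Purges, ...) to see
#    where deleted content currently sits and how much of it there is.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Format-Table Name, FolderPath, ItemsInFolder, FolderSize -AutoSize

# 6. Audit: list mailboxes that have neither protection enabled, i.e. where a
#    user can still remove items from Recover Deleted Items for good.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.SingleItemRecoveryEnabled -and -not $_.LitigationHoldEnabled } |
    Select-Object Name, Database, RetainDeletedItemsFor
```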

What does this change in the Multi-Mailbox Search process? If a user tries to delete data to avoid the Big Brother team 🙂, as shown in Figure 08, the results will show it: a message that the user tried to eliminate is displayed in the Purges folder underneath Recoverable Items. If the user had just deleted data following the regular procedure, the message would be in the Deletions folder.


Figure 08

Conclusion

In this article we covered several scenarios where an end-user can try to remove data from the system, and how we can prevent this by using Exchange Server 2010 built-in features.
