As Exchange admins, we have watched over the years how email has evolved, and how large our mailboxes can grow these days. Many companies still run Exchange on-premises, but many have moved to the cloud because it is easier and more convenient and because hardware and licensing are becoming more expensive. A 10-person company might find it easier to move to Office 365 and get a fully licensed version of Office to use with its email instead of having to purchase it. The difference between the two is that on-premises you have to purchase the hardware that keeps your servers running, whereas in the cloud you have a limit but no hardware to maintain, as this becomes Microsoft’s responsibility.
At the same time, IT departments also need to take into consideration the cost of archiving and keeping data for compliance purposes. Again, this is a vast amount of data. Companies with 5,000-25,000 employees, such as banks, have to store all data and generally limit how big users’ mailboxes can grow. Some users might also have archive mailboxes, to which email is moved automatically via policy, or users are given the option to move their own mail.
Before we look at the tools Microsoft and third-party providers offer for exporting mailboxes to PST, we also need to look at the risks of having exported mail lying around on users’ machines or servers, and then being deleted because space or hardware costs are a problem:
- Oversized PST files
- PST files stored on network shares
- Potential mail leakage or sabotage
- Lack of hardware
- Exchange full mailbox access
In an organization where mailbox sizes are not a problem or archiving is forced, you can end up with PST files as large as 30GB or higher. Microsoft doesn’t recommend them being over 2GB. The bigger the PST file is, the longer it takes for Outlook to open and read it, which can corrupt the file and make it unusable. The next problem is PST files that are stored on network shares and then opened in Outlook. Again, this is not supported by Microsoft: latency on the network can prevent the file from opening, and if the file server is rebooted, users will lose access to the PST and may also lose data.
The other major problem is that users keep PST files on their local machines or on the server and they are not password protected. You might have someone who wants to leak information, or an IT team member who can give information to a competitor. With the files lying around and easy to access, they can be imported into another mailbox or copied to an external drive and given to someone. Most IT companies are limited on space, and Exchange always seems to be the one where things have to be cut.
How about this scenario: an IT admin comes in on a given day and the alerting system says that the file server or Exchange Server has low disk space. Well, what does he or she do? First, the IT admin runs a tool such as TreeSize or something similar to find big files and comes across the PST files that are taking up the majority of the space on the server. The admin deletes the files as a quick win on space, or copies them to an external drive and forgets about them.
The last issue we will mention here is an IT admin who has full access to all mailboxes in the organization. They can log in as that user (yes, impersonate them) and then export the mail to a PST file. And this, of course, takes us back to the third problem of leaking information.
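The oversized and forgotten PST files described above can be inventoried before anyone deletes or copies them. The following is an added example, not part of the original article: it scans the \\PSTServer\Share1 share used later in the article, and the 180-day staleness threshold and the report file name are assumptions chosen for illustration.

```powershell
# Added example: inventory PST files under a share and flag the risky ones.
$root      = '\\PSTServer\Share1'   # share name taken from the export command in the article
$maxBytes  = 2GB                    # the size the article cites as Microsoft's recommended ceiling
$staleDays = 180                    # assumption: untouched this long counts as "forgotten"
$reportCsv = '.\pst-review.csv'     # assumption: hypothetical report location

function Get-PstInventory {
    param([string]$Path, [long]$MaxBytes, [int]$StaleDays)

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ChildItem -Path $Path -Filter *.pst -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The owner shows whose data is sitting in the file; ACL reads can be denied
            $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
                     catch { 'unknown' }
            [pscustomobject]@{
                Path      = $_.FullName
                SizeGB    = [math]::Round($_.Length / 1GB, 2)
                Owner     = $owner
                LastWrite = $_.LastWriteTime
                Oversized = $_.Length -gt $MaxBytes
                Stale     = $_.LastWriteTime -lt $cutoff
            }
        }
}

$report = Get-PstInventory -Path $root -MaxBytes $maxBytes -StaleDays $staleDays

# Full listing on screen, largest first
$report | Sort-Object SizeGB -Descending | Format-Table -AutoSize

# Only the files that need a decision (archive, re-import or secure deletion) go to the CSV
$report | Where-Object { $_.Oversized -or $_.Stale } |
    Export-Csv -Path $reportCsv -NoTypeInformation
```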
Now that we have covered some of the risks of PST files, let’s take a look at how we can export mail from a mailbox to a PST file in Exchange. Before you can run the set of commands that will be outlined below, you need to first ensure that you have the correct permissions to do so.
The cmdlet New-MailboxExportRequest is only available in the Mailbox Import Export role, and by default this role is not assigned to any role groups in Exchange.
If you don’t have permission to run the above command, when you type it in the Exchange Management Shell (EMS), you will receive an error that the command is not recognized. This can happen because the user is not assigned to the group or because the role group has not been created yet.
There are a few steps to get an admin assigned to this group.
- Create the role group
- Add a user to the group
To create the role group, you need to run the following command in Exchange:
New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
When the above command has run, you need to wait for replication to take place. If you navigate to Active Directory Users and Computers and then click on Exchange Security groups, you will see the new group called Mailbox Import-Export Management.
Once you can see the group in Active Directory, you can move on to the next command and add the user or users who will be doing exports to that group:
Add-RoleGroupMember "Mailbox Import-Export Management" -Member <user>
In the above example, replace <user> with the actual account that will be added to the group you created. Again, you need to wait for replication before you can proceed.
Now before moving on to the actual exports, there is one last thing you need to complete. You need to create a share on a server and give Exchange permissions on it, or the exports will fail with access denied error messages. The share needs to have the “Exchange Trusted Subsystem” group assigned with full access.
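Because membership of the role group created above decides who can pull mail out of any mailbox, it is worth reviewing who holds the role and who has used it. This is an added example, not commands from the original article: it assumes admin audit logging is enabled, and the 30-day review window is a constructed value.

```powershell
# Added example: run in the Exchange Management Shell.
$role  = 'Mailbox Import Export'
$group = 'Mailbox Import-Export Management'   # role group name from the article
$since = (Get-Date).AddDays(-30)              # assumption: review window for illustration

# Everyone who effectively holds the role, whether directly or through a group
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod |
    Sort-Object EffectiveUserName | Format-Table -AutoSize

# Direct members of the role group
Get-RoleGroupMember -Identity $group | Select-Object Name, RecipientType

# Admin audit log: who created or changed the role group, and who started exports
$cmdlets = 'New-RoleGroup', 'Add-RoleGroupMember',
           'New-ManagementRoleAssignment', 'New-MailboxExportRequest'

Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) -Cmdlets $cmdlets |
    ForEach-Object {
        # Flatten the logged parameters into a lookup table
        $p = @{}
        foreach ($cp in $_.CmdletParameters) { $p[$cp.Name] = $cp.Value }

        [pscustomobject]@{
            When     = $_.RunDate
            Caller   = $_.Caller
            Cmdlet   = $_.CmdletName
            Target   = $_.ObjectModified
            Mailbox  = $p['Mailbox']    # filled in for export requests
            FilePath = $p['FilePath']   # where the PST was written
            Member   = $p['Member']     # filled in for group membership changes
        }
    } | Sort-Object When | Format-Table -AutoSize
```

An export whose Caller is not on the approved list, or whose FilePath points somewhere other than the agreed share, is the case to follow up.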
Export mailboxes to PST
Now that the above is complete, let’s move onto the mailbox exports. Here is a command you can run to export a user’s mailbox to a PST:
New-MailboxExportRequest -Mailbox User1 -FilePath \\PSTServer\Share1\User1.pst
The above command is going to export User1’s mailbox to a PST file located on the PSTServer on a network share called Share1.
There are many ways to export a mailbox to a PST file. You can use a content filter to only export emails with certain keywords or you can export a mailbox’s archive as well.
Lastly, to see how far along the mailbox exports are, you can run the following command in the Exchange Management Shell:
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
Remove the completed export requests
Once all your mailbox exports are complete, don’t forget to remove the completed export requests. You can do so by running the following command in the Exchange Management Shell:
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest
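The export, monitoring and cleanup steps above can be combined into one run that also uses the content filter and archive options mentioned earlier. This is an added example, not from the original article: the mailbox names, the cut-off date and the batch name are constructed sample values.

```powershell
# Added example: run in the Exchange Management Shell with the Mailbox Import Export role.
$share     = '\\PSTServer\Share1'     # share from the article
$batch     = 'pst-export-sample'      # constructed batch name used to track this run
$mailboxes = 'User1', 'User2'         # constructed sample mailboxes

foreach ($name in $mailboxes) {
    $mbx = Get-Mailbox -Identity $name -ErrorAction Stop

    # Primary mailbox, limited to mail received before a cut-off date
    New-MailboxExportRequest -Mailbox $mbx.Alias -BatchName $batch `
        -Name "$($mbx.Alias)-primary" `
        -ContentFilter "Received -lt '01/01/2018'" `
        -FilePath "$share\$($mbx.Alias).pst"

    # Archive mailbox, only when the user actually has one
    if ($mbx.ArchiveGuid -ne [guid]::Empty) {
        New-MailboxExportRequest -Mailbox $mbx.Alias -IsArchive -BatchName $batch `
            -Name "$($mbx.Alias)-archive" `
            -FilePath "$share\$($mbx.Alias)-archive.pst"
    }
}

# Poll until nothing in the batch is still queued or running
do {
    Start-Sleep -Seconds 60
    $stats = Get-MailboxExportRequest -BatchName $batch | Get-MailboxExportRequestStatistics
    $stats | Format-Table Name, Status, PercentComplete, FilePath -AutoSize
} while ($stats | Where-Object { "$($_.Status)" -match '^(Queued|InProgress)$' })

# Keep failed requests for investigation; remove only the completed ones
Get-MailboxExportRequest -BatchName $batch -Status Failed |
    Get-MailboxExportRequestStatistics -IncludeReport | Format-List Name, Message, Report
Get-MailboxExportRequest -BatchName $batch -Status Completed |
    Remove-MailboxExportRequest -Confirm:$false
```

Removing a request does not delete the PST it produced. The file stays on the share until someone moves or deletes it, which is exactly where the risks described at the start of the article begin.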