Improvements to Compliance in Exchange 2016 (Part 2)

If you would like to read the first part in this article series please go to Improvements to Compliance in Exchange 2016 (Part 1).

Compliance Search

The new Compliance Search feature in Exchange 2016 allows administrators to search all mailboxes in the organization. Unlike In-Place eDiscovery, which can search at most 10,000 mailboxes, a single compliance search has no limit on the number of target mailboxes.

The word “search” deserves emphasis because this feature is only a search. Using Compliance Search we cannot place items on hold or export them to another mailbox. So is this useful for anything?

Let us imagine the scenario where we are required to perform an organization-wide search in an environment with 35,000 mailboxes and place items that match a particular search query on hold. With the 10,000 mailbox limit per In-Place eDiscovery search, this might not be straightforward… In this case, we can use the New-ComplianceSearch cmdlet to search all mailboxes, find out which mailboxes contain items that match our search query, and then use the workflow features of In-Place eDiscovery to perform other eDiscovery-related tasks, such as placing those mailboxes/items on hold and exporting the search results.

At the time of writing this article, Compliance Search in Exchange 2016 is only available by using the Exchange Management Shell and the following cmdlets:

  • Get-ComplianceSearch
  • New-ComplianceSearch
  • Remove-ComplianceSearch
  • Set-ComplianceSearch
  • Start-ComplianceSearch
  • Stop-ComplianceSearch

In order to have access to the Compliance Search cmdlets, we must be assigned the Mailbox Search management role or be a member of the Discovery Management role group:

Figure 1

1. Search all mailboxes using New-ComplianceSearch cmdlet

First of all, we use the New-ComplianceSearch cmdlet to create a compliance search that searches all mailboxes in the organization. Once again, remember that there is no limit for the number of mailboxes for a single compliance search. We specify an appropriate keyword query (or a query for sensitive information types) so that the search returns only those source mailboxes that are relevant to our investigation. If necessary, we refine the search query to narrow the scope of search results and source mailboxes that are returned.

In the following example, we will be searching all mailboxes in the organization for items containing the keyword “project x”. The first cmdlet creates the search and the second one runs it:

New-ComplianceSearch -Name "Project X" -ExchangeLocation All -ContentMatchQuery "Project X"

Start-ComplianceSearch "Project X"

Figure 2

The New-ComplianceSearch cmdlet, available in on-premises Exchange 2016 and in the cloud-based service, is used to create a compliance search in Exchange 2016 and in the Office 365 Compliance Center.

A compliance search requires at least one location, such as mailboxes (specified with the ExchangeLocation parameter) or SharePoint sites (specified with the SharePointLocation parameter). The ExchangeLocation parameter specifies the mailboxes to include in the compliance search, with the following options:

  • A particular/single mailbox;
  • A distribution group (which will search all mailboxes that are members of the group);
  • All: all mailboxes.

Other useful parameters of this cmdlet are:

  • AllowNotFoundExchangeLocationsEnabled: specifies whether to allow inactive mailboxes in the compliance search;
  • ContentMatchQuery: specifies a content search filter using a text search string or a query that is formatted by using the Keyword Query Language (KQL), such as 'sent>=10/01/2015 AND sent<=11/30/2015 AND subject:"project x"';
  • PublicFolderLocation: specifies that we want to include all public folders in the search. We use the value All for this parameter;

Important:
When we create a compliance search by using the New-ComplianceSearch cmdlet, a shadow In-Place eDiscovery search is created (but not started) and displayed on the In-Place eDiscovery & Hold page in the EAC. It is also returned by using the Get-MailboxSearch cmdlet. This mailbox search is named ComplianceSearchName-shadow:

Figure 3

Microsoft recommends that we delete this shadow In-Place eDiscovery search and use the script in Step 3 to create the In-Place eDiscovery search. The functionality of creating a shadow search will be removed in a future Cumulative Update.

2. Verify Search Results

Now that we have created our first compliance search, it is a good idea to see whether any mailboxes contain items matching our criteria and, if so, how many.

For some strange reason, a compliance search will only return a maximum of 500 source mailboxes that contain search results. If more than 500 mailboxes contain content that matches our search query, only the top 500 mailboxes with the most search results are included in the compliance search that we created in the previous step, so some mailboxes with hits will be missing from the list of source mailboxes… If there are more than 500 source mailboxes, we can create two (or more) compliance searches, for example by searching half of the organization’s mailboxes in one compliance search and the other half in another. However, if this is the case, we might as well create multiple eDiscovery searches… Alternatively, we can change the search criteria to reduce the number of mailboxes that contain search results (such as specifying a date range or refining the keyword query).

I honestly hope this limit gets removed in a future Cumulative Update as I think it could be a limitation for large organizations.

The following script will display the number of source mailboxes (that contain search results) returned by the compliance search we created in the previous step. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1, such as a file named SourceMailboxes.ps1:

[CmdletBinding()]
Param (
    [Parameter(Mandatory = $True, Position = 1)]
    [String] $SearchName
)

# Retrieve the compliance search and make sure it has finished running
$search = Get-ComplianceSearch $SearchName
If ($search.Status -ne "Completed") {
    "Please wait until the search finishes."
    break
}

# SuccessResults holds one line per source mailbox with its item count and size
$results = $search.SuccessResults
If (($search.Items -le 0) -or ([String]::IsNullOrWhiteSpace($results))) {
    "The compliance search " + $SearchName + " didn't return any useful results."
    break
}

# Collect the mailboxes that contain at least one matching item
$mailboxes = @()
$lines = $results -split '[\r\n]+'
ForEach ($line in $lines) {
    If ($line -match 'Location: (\S+),.+Item count: (\d+)' -and [int]$matches[2] -gt 0) {
        $mailboxes += $matches[1]
    }
}

"Number of mailboxes that have search hits: " + $mailboxes.Count

When we run the above script, we can see how many source mailboxes contain items matching the query used in our compliance search:

Figure 4

The script parses the SuccessResults property of the compliance search, which lists every source mailbox that contains items matching our search query, together with the number of matching items per mailbox and their total size:

Figure 5
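The article’s script only counts the source mailboxes. The following function, added here as an example and not part of the original article or of Microsoft’s scripts, parses the same SuccessResults text into objects (mailbox, item count, size) sorted by hit count, and warns when the number of source mailboxes reaches the 500-mailbox cap described above, which would mean some mailboxes with hits are missing. It assumes each SuccessResults line has the form “Location: <mailbox>, Item count: <n>, Total size: <bytes>”; the “Total size” field is an assumption and is treated as optional.

```powershell
# Added example (not from the original article or Microsoft): turn the SuccessResults
# text of a completed compliance search into one object per source mailbox.
# Assumed line format: "Location: <mailbox>, Item count: <n>, Total size: <bytes>"
# ("Total size" is an assumption; the parser tolerates its absence).
function ConvertFrom-ComplianceSearchResults {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, Position = 1)]
        [string] $SuccessResults,

        # Maximum number of source mailboxes a single compliance search reports (from the article)
        [int] $SourceMailboxCap = 500
    )

    $hits = @()
    foreach ($line in ($SuccessResults -split '[\r\n]+')) {
        if ($line -match 'Location: (?<loc>\S+),.+Item count: (?<count>\d+)') {
            # Copy the captures before running a second -match, which overwrites $Matches
            $location  = $Matches['loc']
            $itemCount = [int]$Matches['count']
            $totalSize = $null
            if ($line -match 'Total size: (?<size>\d+)') { $totalSize = [int64]$Matches['size'] }
            if ($itemCount -gt 0) {
                $hits += [PSCustomObject]@{
                    Location  = $location
                    ItemCount = $itemCount
                    TotalSize = $totalSize
                }
            }
        }
    }

    if ($hits.Count -ge $SourceMailboxCap) {
        Write-Warning ("{0} source mailboxes returned; the search may have hit the {1}-mailbox cap, " +
                       "so mailboxes with hits may be missing. Split the search or narrow the query." -f
                       $hits.Count, $SourceMailboxCap)
    }

    $hits | Sort-Object ItemCount -Descending
}

# Usage against a finished search (replace the name with your own):
#   $search = Get-ComplianceSearch 'Project X'
#   ConvertFrom-ComplianceSearchResults $search.SuccessResults | Format-Table -AutoSize
# Constructed sample input so the function can be exercised without an Exchange server:
$sample = @'
Location: alice@contoso.com, Item count: 12, Total size: 345678
Location: bob@contoso.com, Item count: 0, Total size: 0
Location: carol@contoso.com, Item count: 3, Total size: 4096
'@
ConvertFrom-ComplianceSearchResults $sample | Format-Table -AutoSize
```

With the sample input the function returns two objects (alice with 12 items, then carol with 3) and omits bob, whose item count is 0.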

3. Create In-Place eDiscovery Based on Compliance Search

Now that we know exactly which mailboxes contain the items we are looking for, the next step is to run a script (provided by Microsoft) that will convert the existing Compliance Search to an In-Place eDiscovery search. Here is how the script works:

  • First, it prompts us for the name of the compliance search to convert;
  • Then, it verifies that the compliance search has completed running;
  • It checks if the compliance search actually returns any results, otherwise the In-Place eDiscovery is not created;
  • It saves a list of the source mailboxes from the compliance search that contain search results to a variable;
  • Finally, it creates a new In-Place eDiscovery search, with the following properties (please note that the new search is not automatically started):
    • Name: the name of the new search uses the format: <Name of compliance search>_MBSearch1. If you run the script again and use the same source compliance search, the search will be named <Name of compliance search>_MBSearch2;
    • Source mailboxes: all mailboxes from the compliance search that contain search results are included in the eDiscovery;
    • Search query: the new search uses the same search query from the compliance search;
    • Estimate only search: the new search is marked as an estimate-only search. It will not copy search results to a discovery mailbox after we start it.

Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1, such as a file named eDiscoveryFromComplianceSearch.ps1:

[CmdletBinding()]
Param(
    [Parameter(Mandatory = $True, Position = 1)]
    [string] $SearchName,

    [switch] $original,

    [switch] $restoreOriginal
)

# Retrieve the compliance search and make sure it has finished running
$search = Get-ComplianceSearch $SearchName
If ($search.Status -ne "Completed") {
    "Please wait until the search finishes"
    break
}

# Abort if the compliance search returned nothing to convert
$results = $search.SuccessResults
If (($search.Items -le 0) -or ([string]::IsNullOrWhiteSpace($results))) {
    "The compliance search " + $SearchName + " didn't return any useful results"
    "A mailbox search object wasn't created"
    break
}

# Build the list of source mailboxes that contain search hits
$mailboxes = @()
$lines = $results -split '[\r\n]+'
ForEach ($line in $lines) {
    If ($line -match 'Location: (\S+),.+Item count: (\d+)' -and [int]$matches[2] -gt 0) {
        $mailboxes += $matches[1]
    }
}

# Pick the first unused name of the form <SearchName>_MBSearch<N>
$msPrefix = $SearchName + "_MBSearch"
$I = 1
$mbSearches = Get-MailboxSearch
While ($True) {
    $found = $false
    $mbsName = "$msPrefix$I"
    ForEach ($mbs in $mbSearches) {
        If ($mbs.Name -eq $mbsName) {
            $found = $true
            break
        }
    }

    If (!$found) { break }
    $I++
}

# Reuse the compliance search query (KeywordQuery, falling back to ContentMatchQuery)
$query = $search.KeywordQuery
If ([string]::IsNullOrWhiteSpace($query)) {
    $query = $search.ContentMatchQuery
}

# Create the In-Place eDiscovery search as estimate-only; it is not started here
If ([string]::IsNullOrWhiteSpace($query)) {
    New-MailboxSearch "$msPrefix$I" -SourceMailboxes $mailboxes -EstimateOnly
} Else {
    New-MailboxSearch "$msPrefix$I" -SourceMailboxes $mailboxes -SearchQuery $query -EstimateOnly
}

If the script is successful, a new In-Place eDiscovery search is created with a status of NotStarted:

Figure 6

Figure 7

We can run the cmdlet Get-MailboxSearch "Project X_MBSearch1" | FL to display the properties of this particular new search:

Figure 8

As already mentioned, the previous script creates a new In-Place eDiscovery search but it does not start it. The next step is to start the search so we can get an estimate of the search results:

  1. In the Exchange admin center (EAC), go to Compliance management > In-Place eDiscovery & Hold;
  2. In the list view, select the In-Place eDiscovery search we created;
  3. Click Search > Estimate search results to start the search and return an estimate of the total size and number of items returned by the search:

Figure 9

  4. The estimates are displayed in the details pane. Click Refresh to update the information displayed in the details pane:

Figure 10

  5. To preview the results after the search is completed, click Preview search results in the details pane:

Figure 11

Alternatively, we can use the Shell to start the In-Place eDiscovery search by running:

Start-MailboxSearch "Project X_MBSearch1"

After we have created and started the In-Place eDiscovery search, we can use the normal In-Place eDiscovery workflow to perform different eDiscovery actions on the search results, such as placing items on hold or exporting the search results to another mailbox for analysis.

Conclusion

In this article series we explored the improvements made to Exchange 2016 in terms of compliance. While the capability of placing Public Folder items on hold is a welcome and long-overdue feature, Compliance Search still seems a bit incomplete and limited in my opinion…


4 thoughts on “Improvements to Compliance in Exchange 2016 (Part 2)”

  1. Very useful article. Thank you for posting it, but how did you get the results in figure 5? I want only the mailboxes that match the query.

    1. Hi Diittris,

      Thank you! 🙂

      When you run the cmdlet “(Get-Compliance ).SuccessResults” it returns only the mailboxes that matched one or more results, but it does so in the form of a collection of objects. So, you can save that output in a variable and then go through all the objects in that variable and only get the “location” attribute.
      Hope it helps!

      Regards,
      Nuno

  2. Thank you for your quick answer, but I am new to PowerShell and I can’t get the result. Can you explain step by step how to do it? Thank you for your time and effort.
    P.S. I wrote my name wrong.

  3. I did it just adding $line under
    If ($line -match 'Location: (\S+),.+Item count: (\d+)' -and $matches[2] -gt 0) {

        $mailboxes += $matches[1]
        $line
    Thanks.
