Managing Multi-Mailbox Search in Exchange Server 2010 (Part 1)

The Exchange Team brought a lot of good stuff with the Exchange Server 2010 release, especially in the areas of compliance and archiving. In this article series we are going to go over the Multi-Mailbox Search feature, which allows an administrator or even a regular user to search the mailboxes of an organization. The ability to allow regular users is based on RBAC (Role Based Access Control), so an organization can give the permission to the person who requires this functionality. That person can be a regular user without Exchange experience, because Multi-Mailbox Search requests can be managed through the user-friendly ECP web interface.

The Multi-Mailbox Search feature is pretty straightforward: you assign permissions to specific accounts to perform searches based on several attributes, and the results of those searches can be saved in a Discovery Mailbox. From there the user can generate a PST and work with the data.

The Exchange Search service is a key component of Exchange Server 2010 because some of the new features, such as Archive and the subject of this article series, Multi-Mailbox Search, rely on it. Exchange Search was improved in the Exchange Server 2010 release, and new items are indexed in close to real time when they show up in the mailbox database.

Multi-Mailbox Search relies on Exchange Search, which means that the tasks created by Multi-Mailbox Search use the infrastructure already in place to perform searches. Besides plain keywords, the administrator can use AQS (Advanced Query Syntax), which has been used by Windows Search, Outlook 2007 and Outlook 2010 to find items.

Before moving forward to the technical side of how to use the feature, we should be aware of a couple of key points related to it:

  • It is an Exchange Server 2010 feature and it won’t discover content in mailboxes hosted on any version other than Exchange Server 2010
  • There is a limit of 25,000 mailboxes that can be searched in a single search
  • The search process relies on Exchange data, which includes Mailbox and Archive content only; PSTs are not searchable by this feature

This article series will be based on a simple scenario where our company has a single Active Directory domain/forest and several locations around the world, and each location has an Organizational Unit containing all objects related to that location. We are also going to use a mailbox called legal to perform all mailbox searches in our proposed scenarios for this series.

A last word about the Multi-Mailbox Search feature: as an Exchange Administrator you can combine it with many of the other features available in the product to help your business, such as Archive, Group Policy to restrict PST usage or restrict data moves from your organization to a PST, PST Capture Tool, Journal, Transport Rules, Legal Hold, Audit, etc. During this article series we will be going over some of these additional features to provide examples of how you can use them in conjunction with Multi-Mailbox Search in your organization.

Assigning permissions to a regular user…

First of all, let’s create our legal mailbox, which we can do by using either the Exchange Management Console or the Exchange Management Shell (Figure 01). It is going to be a regular mailbox; in some companies you may want to use the mailbox of an existing person who requires the rights to perform searches. If that is your case, you can skip the user mailbox creation and go straight to the permissions.


Figure 01: Creating a mailbox to be used to search mailboxes

Now that we have an account, we need to grant permissions, and in order to do that we can use ECP (Exchange Control Panel). The privilege required to make this change is membership in the Organization Management role group.

In order to allow a mailbox to search content in an organization, that mailbox must be a member of the Discovery Management group, which is empty by default. Because any user added to that group is able to search data in all mailboxes of the organization, this raises a security concern. A best practice is to make that group very secure and to audit any group membership changes carefully. If you use System Center Operations Manager, you can configure alerts to send you a notification every time a group membership change occurs, which would be useful in this case.

Logged on as Administrator in Outlook Web Access, or using the Exchange Management Console, click on Toolbox and then click on Role Based Access Control (RBAC) User Editor, as shown in Figure 02. Type in your Organization Management credentials (in this tutorial we will be using the administrator account).


Figure 02: Finding the Role Based Access Control (RBAC) User Editor item on the Toolbox

Because we used the Exchange Management Console instead of the Exchange Control Panel, we go straight to the Roles & Auditing item and then the Administrator Roles option, as shown in Figure 03. Let’s double-click on the Discovery Management role group.


Figure 03: Roles & Auditing

In the Discovery Management role group properties page we can define a scope, roles and members. However, this is a built-in Role Group, so I would recommend not messing that up. If you need more restrictions, I would suggest copying the current one and then applying changes to the new one. We will be doing that in this article series. For now, let’s go to the Members section, click Add…, select our mailbox legal from the list, and click OK and Save.


Figure 04: Modifying the built-in Role Group Discovery Management using ECP

After saving, we can click on the Discovery Management item from the list and on the right side we will have a summary of the Role Group and the mailbox legal that we have just added. If it does not show up there, go back to the properties of the Role Group and make sure that you add the account to the Role Group.
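The same membership change can be made from the Exchange Management Shell and then followed by the membership review recommended above for this role group. This is an added example, not part of the original article; the `$Approved` allow-list and the `Get-RoleGroupDrift` function are hypothetical names, and the list is assumed to hold each member's Name as shown by `Get-RoleGroupMember`.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell with an account in the Organization Management role group.
$RoleGroup = 'Discovery Management'
$Approved  = @('legal')   # assumed allow-list, matched against each member's Name

# Shell equivalent of Members > Add... > Save in ECP; skipped if already present.
$names = @(Get-RoleGroupMember -Identity $RoleGroup | ForEach-Object { $_.Name })
if ($names -notcontains 'legal') {
    Add-RoleGroupMember -Identity $RoleGroup -Member 'legal'
}

function Get-RoleGroupDrift {
    param([string]$Identity, [string[]]$Allowed)

    $members = @(Get-RoleGroupMember -Identity $Identity)
    $found   = @($members | ForEach-Object { $_.Name })

    foreach ($m in $members) {
        $finding = $null
        if ($Allowed -notcontains $m.Name) {
            $finding = 'Not on the approved list'
        } elseif ("$($m.RecipientType)" -like '*Group*') {
            # A nested group grants search rights to everyone inside it.
            $finding = 'Approved, but is a group: review its membership too'
        }
        if ($finding) {
            New-Object PSObject -Property @{
                Member = $m.Name; RecipientType = $m.RecipientType; Finding = $finding
            }
        }
    }
    # Approved names that are no longer members (removed or renamed accounts).
    foreach ($a in $Allowed) {
        if ($found -notcontains $a) {
            New-Object PSObject -Property @{
                Member = $a; RecipientType = $null; Finding = 'Approved but not a member'
            }
        }
    }
}

$drift = @(Get-RoleGroupDrift -Identity $RoleGroup -Allowed $Approved)
if ($drift.Count -gt 0) {
    $drift | Format-Table Member, RecipientType, Finding -AutoSize
    Write-Warning "$RoleGroup membership differs from the approved list."
} else {
    Write-Output "$RoleGroup membership matches the approved list."
}
```

Run on a schedule, the drift check gives a simple record of who can search every mailbox, independent of any monitoring product.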


In this first article we have covered just the basics of Multi-Mailbox Search and how to enable the feature for a regular user. In our next article we will be covering the feature options and performing our first Multi-Mailbox Search request.

