Managing Multi-Mailbox Search in Exchange Server 2010 (Part 4)

Managing Discovery Mailboxes…

Every time we create a new Multi-Mailbox Search, a new folder is created in the designated Discovery Mailbox, and its data is accessible to any user who has permission to that Discovery Mailbox. If you have a team of 5 HR consultants working on different cases in your company, you may not be allowed to give them all access to the same Discovery Mailbox, since they would share the same repository and be able to read the results of each other's queries.

For this kind of situation, Discovery Mailboxes can be created through the Exchange Management Shell (there is no such option in the Exchange Management Console) using the following syntax:

New-Mailbox <Name> -UserPrincipalName [email protected] -Discovery

The result of the operation can be seen in Figure 01 below. The cmdlet creates a disabled account, and no password is requested during the creation process.


Figure 01

To remove a Discovery Mailbox from the organization we can always use the Remove-Mailbox cmdlet, or we can use the Exchange Management Console: right-click the desired account and click Disable or Remove, as with any regular mailbox.

As a result of our operation, the new Discovery Mailbox is listed when a new Search task is created, as shown in Figure 02.


Figure 02

Now that we know how to manage Discovery Mailboxes, let's say we decide to use one for each person who wants to perform a search. In our case, we asked the Legal mailbox to start using the Discovery.Legal Discovery Mailbox; our legal user then runs another search and everything works like a charm. However, when the user tries to open the results he receives the error message “You don’t have permission to open this mailbox”, and trust me, that is a common error. The reason is that when we create a new Discovery Mailbox, Full Access permission is only granted to the Exchange Servers and Exchange Trusted Subsystem groups and to the built-in Self and System accounts, none of which helps our Legal mailbox. So, for any new Discovery Mailbox you must grant Full Access permission to the user who will be responsible for reviewing its content, as shown in Figure 03.


Figure 03
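The two steps above (creating the Discovery Mailbox and granting Full Access to the reviewer) as one Exchange Management Shell sequence, added here as an example and not the article's own code; the names Discovery.Legal, Legal and the apatricio.local domain are assumed for illustration, and the final query shows who actually holds Full Access so that nobody beyond the intended reviewer can read the search results.

```powershell
# Added example (not the article's own code): create a per-team Discovery
# Mailbox and grant Full Access only to the user who will review the results.
# Names (Discovery.Legal, Legal, apatricio.local) are assumed for illustration.
$discovery = "Discovery.Legal"
$reviewer  = "Legal"

# A Discovery Mailbox is created as a disabled user account; no password is requested.
New-Mailbox -Name $discovery -UserPrincipalName "$discovery@apatricio.local" -Discovery

# By default only Exchange Servers, Exchange Trusted Subsystem, SELF and SYSTEM
# hold Full Access, so the reviewer gets "You don't have permission to open
# this mailbox" until an explicit grant is added.
Add-MailboxPermission -Identity $discovery -User $reviewer `
    -AccessRights FullAccess -InheritanceType All

# Verify that Full Access is limited to the expected principals; any other
# user or group listed here can read every search result stored in the mailbox.
Get-MailboxPermission -Identity $discovery |
    Where-Object { ($_.AccessRights -like "*FullAccess*") -and (-not $_.IsInherited) } |
    Select-Object User, AccessRights, Deny
```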

Managing Multi-Mailbox Search using Exchange Management Shell…

We can allow end users to manage their Mailbox Search requests using the Exchange Control Panel; however, with the Exchange Management Shell we can manage the same requests with all the advantages of PowerShell. There are also a few settings that can only be changed at the Exchange Management Shell level, such as disabling the search of the Dumpster or removing the archive from the search process.

To list all Mailbox Search tasks we can run the Get-MailboxSearch cmdlet; by default, all Mailbox Search requests and their attributes are listed. All the information we configured using the Exchange Control Panel, and more, is accessible through the Exchange Management Shell, as shown in Figure 04.


Figure 04

There are three (3) cmdlets to help you manage Mailbox Search tasks: Get-MailboxSearch, which we have just seen in the previous image; New-MailboxSearch, which uses most of the parameters we saw in the first two articles of this series; and Remove-MailboxSearch, which removes an existing Mailbox Search request.

We also have three (3) more cmdlets to manage Mailbox Search tasks: Set-MailboxSearch, which allows changing some parameters of an existing Multi-Mailbox Search request, and Start-MailboxSearch and Stop-MailboxSearch, which control the search process.
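The cmdlets listed above put together into one shell-driven search, added here as an example rather than the article's own code: it creates the search with the two settings the article notes are shell-only (skipping the Dumpster and leaving the archive out), starts it, waits for it to finish and reports the status. The search name, source mailboxes, query, date range and the Discovery.Legal target are assumed values.

```powershell
# Added example, not the article's own code: create, run and monitor a
# Multi-Mailbox Search from the Exchange Management Shell. Search name,
# source mailboxes, query, dates and the Discovery.Legal target mailbox
# are assumed values for illustration.
$searchName = "HR-Case-0042"

$params = @{
    Name                     = $searchName
    SourceMailboxes          = "user1@apatricio.local", "user2@apatricio.local"
    TargetMailbox            = "Discovery.Legal"   # results land in a new folder here
    SearchQuery              = 'Subject:"project falcon"'
    StartDate                = "01/01/2011"
    EndDate                  = "06/30/2011"
    SearchDumpster           = $false              # do not search Recoverable Items (Dumpster)
    DoNotIncludeArchive      = $true               # personal archives are out of scope
    ExcludeDuplicateMessages = $true               # keep one copy per message in the results
    LogLevel                 = "Full"              # store a detailed log with the results
    StatusMailRecipients     = "Legal@apatricio.local"
}
New-MailboxSearch @params

# Start the search if creation did not start it (Start-MailboxSearch also
# resumes a search that was stopped with Stop-MailboxSearch).
if ((Get-MailboxSearch -Identity $searchName).Status -eq "NotStarted") {
    Start-MailboxSearch -Identity $searchName
}

# Poll until the search leaves InProgress, then report the outcome. A
# "partially succeeded" status means some source mailboxes could not be
# searched, for example because they fall outside the searcher's RBAC scope.
do {
    Start-Sleep -Seconds 30
    $search = Get-MailboxSearch -Identity $searchName
} while ($search.Status -eq "InProgress")

$search | Format-List Name, Status, PercentComplete, TargetMailbox, SourceMailboxes
```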

Restricting the mailboxes to be searched…

Let’s say that you have a scenario where you must allow an auditor to search the content of a few users’ mailboxes, but unfortunately you cannot run the search for him. The account performing the search will be the same Legal mailbox, and we are going to restrict everything to a single Organizational Unit called MVD (which stands for Montevideo, the capital of Uruguay). The Discovery Mailbox will be the same one we used previously, Discovery.Legal.

To be very restrictive, let’s log on to the Exchange Control Panel with Organization Management rights, go to Manage My Organization, click Roles & Auditing, then click Administrator Roles, and select Discovery Management from the list. Then click Copy and restrict the new Role Group as shown in Figure 05. First, name the new group Discovery-Restricted; next, restrict the scope to the MVD Organizational Unit by typing apatricio.local/MVD in the write scope section; next, remove Legal Hold from the Roles list, since we want that account to perform searches and nothing else; and finally, add our user Legal to the member list of this new role group.


Figure 05
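The same restricted Role Group built from the Exchange Management Shell instead of the Exchange Control Panel, added here as an example and not the article's own code. It keeps only the Mailbox Search role, scopes it to apatricio.local/MVD, adds the Legal user, then checks the resulting assignments and whether Discovery.Legal actually sits inside the scoped OU; the group name and description are assumed.

```powershell
# Added example (not the article's own code): create the restricted role group
# from the shell. The OU apatricio.local/MVD, the user Legal and the group name
# Discovery-Restricted follow the article; the description is assumed.
$ou    = "apatricio.local/MVD"
$group = "Discovery-Restricted"

# Copy only the Mailbox Search role from Discovery Management (Legal Hold is
# deliberately left out) and limit the recipient write scope to the MVD OU.
New-RoleGroup -Name $group `
    -Roles "Mailbox Search" `
    -RecipientOrganizationalUnitScope $ou `
    -Members "Legal" `
    -Description "Mailbox Search limited to the MVD OU; no Legal Hold"

# Verify: every assignment on the group should carry the MVD OU as its
# recipient write scope, and Legal Hold should not appear in the Role column.
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope, RecipientReadScope -AutoSize

# The Discovery Mailbox itself must sit inside the scoped OU; otherwise the
# search fails with "outside the scope of mailboxes you can search".
$targetOu = [string](Get-Mailbox -Identity "Discovery.Legal").OrganizationalUnit
if ($targetOu -ne $ou) {
    Write-Warning "Discovery.Legal is in $targetOu; move it under $ou before the Legal user runs a search."
}
```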

If the Legal mailbox tries to perform a search and Discovery.Legal is outside the scope we have just defined, the error message during the Search creation process will be similar to this:

“You don’t have sufficient permissions to search the mailbox domain.local/Users/Discovery.legal because it’s outside the scope of mailboxes you can search. To get permissions contact your administrator.”

In this situation we should move the Discovery.Legal mailbox to the same OU to which we restricted the search during the RBAC Role Group creation.

By restricting the RBAC Role Group to an Organizational Unit, and by placing all the mailboxes to be searched and the Discovery Mailbox in the same OU, you can secure the scope of the search performed by a regular user.

Let’s say that we have configured everything for our Legal user with the previous steps and have explained to him that he is in a restricted environment, so he should use only Discovery.Legal to save the results of his search. However, the Legal user went ahead and selected the option Search all mailboxes. After running the search, the result shows as Search partially succeeded, because he was trying to search mailboxes outside of his scope, as shown in Figure 06. Looking at the right-hand side, any mailbox that is not part of the OU shows an error. The same information is provided in the summary message sent to the Legal mailbox.


Figure 06

If the user runs the same search using only the mailboxes from the Organizational Unit defined in the scope of the Role Group, the result will be Search Succeeded.

Conclusion

In this article we covered managing a Multi-Mailbox Search request from the Exchange Management Shell, how to create new Discovery Mailboxes, and a common scenario where a search restriction may be required.
