Intelligent Message Filter, Content Filter, can do more...

WinDeveloper IMF Tune
WinDeveloper IMF Tune
  • Home
  • General
  • Exchange 2010 E-Discovery (Multi-Mailbox Search)

Exchange 2010 E-Discovery (Multi-Mailbox Search)

Amit Tank [MVP – Exchange Server]

Amit Tank [MVP – Exchange Server] Photo

Amit Tank is an MVP in Exchange Server and Microsoft Certified Professional in MCITP, MCTS, MCSA and MCP. He has more than 6 years of experience in IT industry.

Cast your Vote
Poor Excellent

With mailboxes full of business critical information, e-discovery is another significant advancement in Exchange 2010. It can be used by administrators on troubleshooting issues, by auditors during compliance audits or by lawyers in legal matters. Exchange 2010 came up with a seamless in-built solution.

In Exchange 2007, we have to use the Export-Mailbox cmdlet or 3rd party tools to search and export content from multiple mailboxes. As discussed in Replacing ExMerge by Import-Mailbox and Export-Mailbox, the Export-Mailbox cmdlet has various pre-requisites that include the need for the Exchange Management Tools, 32-bit OS platform, Outlook, full mailbox access on all mailboxes etc. It scans mailboxes using the MAPI library, something that takes an extensive amount of time. This is even less effective when we working against thousands of mailboxes.

Exchange 2010 provides a simpler, user friendly web-based interface to perform Multi-Mailbox search. You may now delegate the Multi-Mailbox search task to end-users without providing them with elevated rights. This gives you peace of mind that users won't be able to make any configuration changes on the Exchange Server. Multi-Mailbox Search uses the same index catalog created by the Exchange Search engine. Thus it is faster and at the same time less demanding on resources.

All you have to do is to assign the RBAC permission to the user who needs to carry out the Multi-Mailbox search operation.

Discovery Management RBAC Role

Members of the "Discovery Management" role group can perform two operations.

  1. Multi-Mailbox Search - Members can perform discovery searches across the organization.

  2. Legal Hold - Members can put any mailbox in Legal Hold.

The Discovery Management role group has no members by default on installing Exchange 2010, not even Exchange Administrators. So initially no one has permission to use this functionality.

It requires giving permission explicitly to the authorized person by adding the user id to this group using the cmdlet:
Add-RoleGroupMember -Identity "Discovery Management" -Member User

Before discussing further discovery searches, let's point out some important facts.

The Discovery Mailbox

The Discovery Mailbox is a special type of mailbox in Exchange 2010. The results of a multi-mailbox search may contain sensitive information, thus we need to store it at a safe and secure location. The discovery mailbox is the repository for search results and the related content.

The Discovery Mailbox is more secure since:

  1. The user account associated with the Discovery Mailbox is disabled by default.

  2. By default, the Exchange server installation creates a discovery mailbox with display name "Discovery Search Mailbox". Members of the Discovery Management group have full mailbox access to this.

  3. Nobody has mailbox access permission on a newly created Discovery Mailbox. The Administrator has to give Full Mailbox permission explicitly to authorized users.

  4. To store large amounts of search results, 50GB of mailbox storage quota is assigned to Discovery Mailboxes on creation.

  5. Delivery restriction is set on a Discovery Mailbox, so as not to accept any email delivery. In this manner it preserves the integrity of search results.

  6. The Exchange Control Panel, Multi-Mailbox search wizard allows only Discovery Mailboxes to store search results. This is why it only shows a short list of mailboxes on selecting the target mailbox. This prevents human errors, like storing search result in a non-secure or a normal user mailbox.

We can create a discovery mailbox from the Exchange Management Shell using -Discovery parameter of the New-Mailbox cmdlet:
New-Mailbox -Name "Legal Discovery" -UserPrincipalName "LegalDiscovery@domain.com" -Discovery

Legal Hold

With the help of Dumpster 2.0, Exchange 2010 allows us to preserver users' deleted and edited items of any mailbox under legal hold. Normally this deleted/edited content is not visible to end-users or administrators, but Multi-Mailbox searches can look up this information as well.

We can set legal hold on any mailbox using the cmdlet that follows.
Set-Mailbox user@domain.com -LitigationHoldEnabled $true

NOTE: The legal hold also applies on the Archive mailbox if it is enabled for the user mailbox.

Exchange Control Panel Discovery Search

We can create a search request using two different methods in Exchange 2010. The first method is the Exchange Control Panel (ECP).

The web based ECP interface, is the easiest way for non-technical users to execute a Multi-Mailbox Search. From his browser a user can open the ECP and click on the Mailbox Searches tab available under Reporting at the navigation pane.

Exchange Control Panel Multi Mailbox Search

Users can create new search requests with the help of various options.

Keywords

A user can specify keywords or phrases with logical operators like AND, OR, and NOT and wildcard to search the content. It is advisable to use double quote on searching phrases. User can also use Advance Query Syntax (AQS) to define keywords.

The option "Include items that can't be searched" allows hunting encrypted attachments and message types with an unknown format. For this feature, search must be enabled on Information Rights Management protected content. This is done using the cmdlet:
Set-IRMConfiguration -SearchEnabled $True

Users may also select message types to narrow down the result.

Multi-Mailbox Search Keywords

Messages To and From Specific E-mail Addresses
Select specific senders or recipients from the Global Address List.

Date Range
Define date range to search the needed content.

Mailboxes to Search
Select the mailbox(s) whose content is to be searched.

Search Name and Storage Location
Specify an identifying name to the search and the location to store the search result to. The Wizard here only shows discovery mailboxes for result storage.

Users may also select an option to receive an email notification when the search task is completed and an option to enable full logging. Full logging stores detailed information about search results in a CSV file and is saved to the target discovery mailbox search result folder.

Discovery Mailbox

Users can create multiple search requests simultaneously.

Results of the Multi-Mailbox search will be stored to the target Discovery mailbox with the search name as a sub-folder to the Inbox.

E-Discovery Search Results

Exchange Management Shell Discovery Search

An administrator or technical user can also perform Multi-Mailbox search through EMS cmdlet New-MailboxSearch.

Below is an example to search "Weekend" and "Outage" words in email type content of a mailbox "Amit Tank", for the date range starting from 1/1/2009 to 12/31/2009 and includes unsearchable items.
New-MailboxSearch -Name "WeekendOutage-Search" -StartDate "1/1/2009" -EndDate "12/31/2009" -SourceMailboxes "Amit Tank" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Weekend" and "Outage"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full

New-MailboxSearch cmdlet

Conclusion

In Exchange 2010, the combination of Archive Mailbox and Multi-Mailbox search eliminates the need for expensive third party tools to satisfy compliance requirements. This allows small and medium organizations to move towards the creation of compliance policies. Once again Exchange is providing a clear cost cutting opportunity.

References

Understanding Multi-Mailbox Search

Multi-Mailbox Search for Outlook Live

User Comments - Page 1 of 1

Jose Byron Gonzalez 31 Mar 2016 16:41
Is it possible to audit discovery searches? As in how many were performed, by who and when? Can't find anything about it. Please note I am not asking about mailbox auditing (although now that I think of it, it may be one way to go if ran against the discovery mailbox, right?) but I was asked to confirm whether this can be done and how, specifically.

Many thanks for a great article.
Tony Chaney 30 May 2012 08:25
Great article - REQUEST: I am having trouble giving access to this mailbox and opening it as a user. I am trying to use this as a "Public Records Request" solution. Is there a better way? Or can you provide a brief article on how to give permission to open the discoverysearchmailbox in owa as a user?
Mick 18 Jan 2012 14:25
I tried this but don't see the 'mailbox searches' button. O added the account to the discovery management group, but I still only have 'delivery reports' under reporting. Anybody got any ideas?
Mark Hickson 23 Jun 2011 05:28
Great article! Very well thought out and structured, all the key points with detail and reasoning behind changes made and new features added. Thanks!
Terry 31 Aug 2010 20:26
I would like to know what is the difference between Search-Mailbox and New-MailboxSearch cmdlets?
Amit Tank 17 Jun 2010 11:10
Hi Taranjeet,

When search is completed, you can see a link for DiscoveryMailbox OWA in the result pane of same page (ECP -> My Organization -> Reporting -> Mailbox Searches).

Alternatively you can open Discovery Mailbox in OWA with below address.
https://domain.com/<discoverymailboxsmtpaddress>

Regards,
Amit
Taranjeet 16 Jun 2010 00:19
Hi Amit,

In the screenshot I can see that the search results are displayed in the Discovery Mailbox's OWA. My question is how can you access the Discovery Mailbox.

Did you reset the password of the discovery mailbox user and then tried logging in, also b y default the user account is disabled for this user.

I also created a new discovery mailbox using EMS and as the MS documentation says, delegated permissions of that Discovery Mailbox to a user. When I open the Discovery Mailbox from OWA/Outlook of the user, it shows no results.

Help is appreciated.

Regards
Taranjeet Singh
Gary Grudzinskas 5 May 2010 17:08
Thanks for the how-to on this page. Well done.
Raman 12 Jan 2010 17:23
Excellent article, Amit.

Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation