Original article: http://o365info.com/recovering-deleted-mail-items-using-powershell-cmdlets-search-mailbox-part-7-7
Page 1 of 16 | Recovering deleted mail items using PowerShell cmdlets Search-Mailbox |
7#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7
In the current article, we will review the PowerShell cmdlet Search-Mailbox, which we can use for searching and recovering specific mail items.
The Search-Mailbox cmdlet is the “older sister” of the newer PowerShell cmdlet New-MailboxSearch.
Both of these cmdlets were designed to give the Exchange administrator the powerful capability of creating a multiple mailbox search, plus the ability to copy (recover) the search results to another store, such as the Discovery Search Mailbox or any other Exchange mailbox.
A little bit of history
The ability to perform a multiple mailbox search was first introduced in Exchange 2010. This ability was based on the PowerShell cmdlet Search-Mailbox.
In Exchange 2013, the term “Multiple mailbox search” was replaced by the term “In-Place eDiscovery & Hold”.
The In-Place eDiscovery & Hold infrastructure includes more capabilities and features, and it is based on a new PowerShell cmdlet named New-MailboxSearch.
In other words, we can say that the Exchange In-Place eDiscovery & Hold management interface is the graphical interface for the PowerShell cmdlet New-MailboxSearch.
Because New-MailboxSearch is “newer” or more advanced, we could logically assume that it includes all of the capabilities of the “former” cmdlet, Search-Mailbox, plus new capabilities.
This assumption is only partially correct: interestingly, the “older” Search-Mailbox cmdlet still has capabilities that are not available in the newer New-MailboxSearch cmdlet.
The abilities that are included in Search-Mailbox and are not included in the newer New-MailboxSearch are:
1. Search and delete (search and destroy)
This ability is sometimes referred to as “search and destroy”. Searching multiple Exchange mailboxes is the first part. The second part is: “what do we do with the search results?”
When using the Search-Mailbox cmdlet, we can decide to delete the search results instead of copying or recovering them.
If the option of deleting mail items based upon the search result seems strange to you, consider a scenario in which your organization was infected by a virus that was sent via the mail system to different recipients in the organization.
You want to be able to find all the recipients that got the infected mail and delete the mail items that are infected by the virus.
Note: in the current article, we will not review the option of using the Search-Mailbox cmdlet for deleting mail items.
2. Search scope: folder based
An interesting capability of the Search-Mailbox cmdlet is the ability to define a specific mailbox folder as a parameter for the search.
This ability can be used with the standard mailbox folders, such as the Inbox folder, Sent Items and so on; in addition, we can define the Recoverable Items folder as the search scope.
In other words, the Search-Mailbox cmdlet enables us to restrict the search to the Recoverable Items folder only and recover (copy) the mail items in this folder.
This option is very useful in a “recover mail” scenario, because in this case we don’t need to search and recover the “standard” mailbox content, but only the mail items located in the Recoverable Items folder.
Recovering mail items using the Search-Mailbox PowerShell cmdlet | A two-stage process
Before we start reviewing the specific syntax of the Search-Mailbox cmdlet, it’s important to understand the logic and the structure of this command.
The “flow” that is implemented by the Search-Mailbox cmdlet consists of two phases:
Phase 1: in this phase, the Search-Mailbox command accesses the mailbox or mailboxes that we have specified and starts to look for mail items that “answer” the search query parameters that we have defined.
Phase 2: in this phase, the Search-Mailbox command “fetches” the search results (mail items) and copies them to the “destination mailbox”.
The “destination mailbox” could be the Exchange system Discovery Search Mailbox or any other mailbox that we choose.
The four Search-Mailbox mandatory parameters
When using the Search-Mailbox cmdlet, we will have to define four mandatory parameters:
1. The mailbox or mailboxes that we want to search: we need to specify at least one mailbox as the “source mailbox”.
2. The search query parameters: the search query can be very simple or very complicated; we can choose to restrict the search based on a date range, specific keywords, a specific folder, etc.
3. The “destination mailbox”: this is the mailbox that will serve as a “container” for the copy of the mail items that form the search results.
4. The folder name that will “host” the copy of the search results: we need to specify a name for the folder that will contain the copy of the search results.
Required permissions for using the Exchange PowerShell cmdlet Search-Mailbox
Using the Search-Mailbox cmdlet enables the user who performs the search (an Exchange administrator or a user with the required permissions) to search and view user data located in their mailboxes.
To be able to have this “ability” there is a need to assign the required permission to
the user who will use the
You need to be assigned the following management roles to search for and delete
messages in users’ mailboxes:
Mailbox Search – This role allows you to search for messages across multiple
mailboxes in your organization. Administrators aren’t assigned this role by
default. To assign yourself this role so that you can search mailboxes, add
yourself as a member of the Discovery Management role group. See Assign
eDiscovery permissions in Exchange.
Mailbox Import Export – This role allows you to delete messages from a user’s
mailbox. By default, this role isn’t assigned to any role group. To delete messages
from users’ mailboxes, you can add the Mailbox Import Export role to the
Organization Management role group. For more information, see the “Add a role
to a role group” section in Manage role groups.
[Source of information – Search and delete messages]
Search-Mailbox cmdlet usage scenarios
To demonstrate the different possibilities of using the Search-Mailbox cmdlet, we will review several possible scenarios.
Scenario 1
Scenario description:
We want to search and recover mail items that answer the following parameters:
Mail items that are stored in a specific Exchange user mailbox.
Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).
In addition, create a detailed log (LogLevel Full).
Copy mail items from the Recoverable Items folder to the Discovery Search Mailbox
PowerShell command Syntax
PowerShell
Search-Mailbox <Identity> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
PowerShell command Example
PowerShell
Search-Mailbox John -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John recovered mail" -LogLevel Full
Scenario 2
Scenario description:
We don’t wish to recover mail items; instead, we just want to get a detailed report about all the mail items that reside in the Recoverable Items folder.
We want to search (but not recover) mail items that answer the following parameters:
Mail items that are stored in a specific Exchange user mailbox.
Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).
Provide a report about deleted mail items
PowerShell command Syntax
PowerShell
Search-Mailbox <Identity> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full -LogOnly
PowerShell command Example
PowerShell
Search-Mailbox John -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "David Deleted mail items" -LogLevel Full -LogOnly
Scenario 3
Scenario description:
We want to search and recover mail items that answer the following parameters:
Mail items that are stored in all of the Exchange user mailboxes (bulk search).
Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).
Recover deleted mail items from all user mailboxes (bulk mode)
PowerShell command Syntax
PowerShell
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
PowerShell command Example
PowerShell
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "All users Deleted mail items" -LogLevel Full
Scenario 4
Scenario description:
We want to search and recover mail items that answer the following parameters:
Mail items that are stored in a specific Exchange user mailbox.
A specific type of mail item: only calendar items.
Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).
Recover only deleted calendar mail items
PowerShell command Syntax
PowerShell
Search-Mailbox <Identity> -SearchDumpsterOnly -SearchQuery "Kind:<Mail Type>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
PowerShell command Example
PowerShell
Search-Mailbox John -SearchDumpsterOnly -SearchQuery "Kind:meetings" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John calendar items" -LogLevel Full
Scenario 5
Scenario description:
We want to search and recover mail items that answer the following parameters:
Mail items that are stored in a specific Exchange user mailbox.
Mail items that include a specific text string.
Recover only deleted mail items that include a specific text (mail body or subject)
PowerShell command Syntax
PowerShell
Search-Mailbox <Identity> -SearchQuery "<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
PowerShell command Example
PowerShell
Search-Mailbox John -SearchQuery "call me ASAP" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John mail items" -LogLevel Full
Scenario 6
Scenario description:
We want to search and recover mail items that answer the following parameters:
Mail items that are stored in a specific Exchange user mailbox.
Mail items that include a specific text string that appears in the e-mail subject.
Recover only deleted mail items that include a specific text in the mail subject
PowerShell command Syntax
PowerShell
Search-Mailbox <Identity> -SearchQuery 'Subject:"<Text String>"' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
PowerShell command Example
PowerShell
Search-Mailbox John -SearchQuery 'Subject:"call me ASAP"' -TargetMailbox "Discovery Search Mailbox" -TargetFolder "John mail items" -LogLevel Full
Scenario 7
Scenario description:
We want to search and recover mail items that answer the following parameters:
Mail items that are stored in a specific Exchange user mailbox.
Mail items that were sent in a specific date range.
Recover deleted mail items from a specific date range
PowerShell command Syntax
PowerShell
Search-Mailbox <Identity> -SearchQuery '(sent:dd/mm/yy..dd/mm/yy)' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
PowerShell command Example
PowerShell
Search-Mailbox <Identity> -SearchQuery '(sent:09/1/2015..09/10/2015)' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full
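The two-phase flow and the scenarios above can be combined so that the search is sized before anything is copied. The following is an added example, not part of the original article or its script; the function name Restore-DeletedItems, the default folder name and the item limit are assumptions, and it relies on the Search-Mailbox switch -EstimateResultOnly, which the article does not cover.

```powershell
# Added example. Restore-DeletedItems and all default values are hypothetical.
function Restore-DeletedItems {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,      # source mailbox
        [Parameter(Mandatory)] [string] $SearchQuery,   # e.g. 'Subject:"call me ASAP"'
        [string] $TargetMailbox = 'Discovery Search Mailbox',
        [string] $TargetFolder  = "$Identity recovered mail",
        [int]    $MaxItems      = 500                   # assumed safety limit
    )

    # Phase 1 only: count the matches in Recoverable Items, copy nothing.
    $estimate = Search-Mailbox -Identity $Identity -SearchDumpsterOnly `
        -SearchQuery $SearchQuery -EstimateResultOnly

    if (-not $estimate -or $estimate.ResultItemsCount -eq 0) {
        Write-Warning "No matching items in Recoverable Items for '$Identity'."
        return
    }
    if ($estimate.ResultItemsCount -gt $MaxItems) {
        Write-Warning "$($estimate.ResultItemsCount) items match (limit $MaxItems); narrow the query first."
        return
    }

    # Phase 1 + 2: run the same search and copy the results to the target folder.
    Search-Mailbox -Identity $Identity -SearchDumpsterOnly -SearchQuery $SearchQuery `
        -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full |
        Select-Object Identity, TargetMailbox, TargetFolder, Success,
                      ResultItemsCount, ResultItemsSize
}

# Usage with the article's sample mailbox and subject text:
Restore-DeletedItems -Identity John -SearchQuery 'Subject:"call me ASAP"'
```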
Additional considerations related to the use of the Search-Mailbox command
1. Assign Full Access permission to the Discovery Search Mailbox
In case we want to look into the content of the Discovery Search Mailbox by using the Outlook mail client, we will need to assign Full Access permission to the Discovery Search Mailbox.
PowerShell command Syntax
PowerShell
Add-MailboxPermission "<Destination Mailbox>" -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $false
PowerShell command Example
PowerShell
Add-MailboxPermission "Discovery Search Mailbox" -User John -AccessRights FullAccess -InheritanceType All -AutoMapping $false
2. Assign the required permissions for using the PowerShell cmdlet Search-Mailbox
To be able to use the Search-Mailbox cmdlet, we will need to assign the required permissions to the user account that will run it.
We will need to enable the following permissions:
Add the user to the Discovery Management role group and assign the user account the Mailbox Import Export role.
Add a user to the Discovery Management role group
PowerShell command Syntax
PowerShell
Add-RoleGroupMember -Identity "Discovery Management" -Member <Identity>
PowerShell command Example
PowerShell
Add-RoleGroupMember -Identity "Discovery Management" -Member John
Assign a user the “Mailbox Import Export” role
PowerShell command Syntax
PowerShell
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User <Identity>
PowerShell command Example
PowerShell
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User John
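The roles and the Full Access permission assigned above let an account read other users' mail, so it is worth reviewing who currently holds them. The following is an added example, not part of the original article or its script; it assumes an Exchange PowerShell session and uses only the role and role group names mentioned on this page.

```powershell
# Added example: review who can search mailboxes and read the copied results.

# 1. Members of the Discovery Management role group
Get-RoleGroupMember -Identity "Discovery Management" |
    Select-Object Name, RecipientType

# 2. Everyone who effectively holds the two roles, and how the role reached them
#    (direct assignment or through a role group)
foreach ($role in "Mailbox Search", "Mailbox Import Export") {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, EffectiveUserName, RoleAssigneeName,
                      RoleAssigneeType, AssignmentMethod
}

# 3. Explicit (non-inherited) Full Access entries on every discovery mailbox
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        ($_.AccessRights -match 'FullAccess') -and
        $_.User -notlike 'NT AUTHORITY\*'
    } |
    Select-Object Identity, User, AccessRights
```

Entries that were added only for a one-time recovery can be taken back with Remove-MailboxPermission, Remove-RoleGroupMember and Remove-ManagementRoleAssignment once the recovery is finished.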
3. Create a new discovery mailbox
Exchange Online provides a default mailbox that serves as the container for the search results: the Discovery Search Mailbox.
In case we want to create an additional discovery mailbox, we can use a PowerShell command to create it.
Create a new discovery mailbox
PowerShell command Syntax
PowerShell
New-Mailbox -Name <name> -Discovery
PowerShell command Example
PowerShell
New-Mailbox -Name "New Discovery" -Discovery
For your convenience, I have “wrapped” all the PowerShell commands that were reviewed in a PowerShell script named:
Recover_Delted_Mail.PS1
You are welcome to download the script and use it.
Additional reading
Search-Mailbox
Search and delete messages