You have to be assigned the following roles to search for and delete messages in users' mailboxes:
- Mailbox Search This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren't assigned this role by default. To search multiple mailboxes, add yourself as a member of the Discovery Management role group. See Add or Remove Role Group Members.
- Mailbox Import Export This role allows you to delete messages from a user's mailbox. This role isn't assigned to administrators by default. To delete messages from users' mailboxes, add the Mailbox Import Export role to the Organization Management role group. See Edit Role Group Properties.
Collect information for the search query
You need to obtain and review a few copies of the infected or inappropriate message so you can create a search query that will find it.
Search and delete options
You can use the Search-Mailbox cmdlet with the DeleteContent parameter to search for and delete messages in one step. However, when you do this, you can't preview the search results or generate a log that records which messages were returned by the search. This means you won't know which messages were deleted.
A better option is to first run the Search-Mailbox cmdlet with the LogOnly parameter. This command generates a log that contains information about all the results that meet the search criteria but it doesn't delete the messages. This information is provided in a comma-separated value (CSV) file that is attached to an e-mail message sent to the mailbox and folder you define by using the TargetMailbox and TargetFolder parameters with the Search-Mailbox cmdlet. After you review the log, you can refine the search criteria and rerun a log-only search as needed, or run the search with the DeleteContent parameter.
A third option is to first copy the offending message before you delete it from the user's mailbox so you can access it later if necessary. Do this by including the TargetMailbox and TargetFolder parameters in the command that you run to delete the message.
Search for messages and log the search results
Let's walk through some examples of what you can do with the Search-Mailbox cmdlet. For a list of the message properties that you can include in the value for the SearchQuery parameter, see E-mail message properties to search.
Search a single mailbox
The following command searches a specific mailbox in your organization for messages with a specific value in the Subject line and then sends a message with the results to the target mailbox. Messages aren't deleted from the mailbox that is searched.
Search-Mailbox -Identity <name> -SearchQuery subject:"<verbatim subject line>" -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full
Example The following command searches Pilar Pinilla's mailbox for messages that have the phraseDownload this file in the Subject field and logs the search results in the SearchLogs folder in the administrator's mailbox.
Search all mailboxes
The following command searches all mailboxes in your organization for messages that have a specific file attached and then sends a message with the results to the target mailbox. Messages aren't deleted from the mailboxes searched.
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:<filename> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full
Example The following command searches all mailboxes for messages that have any type of attached file named Trojan and sends a log message to the administrator's mailbox.
Search for and delete messages
The following command searches all mailboxes and deletes any message that has specific text in the Subject line:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:<verbatim subject line> -DeleteContent
Example The following command searches all the mailboxes for messages with the subject line Download this file, and then permanently deletes them.
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:"Download this file" -DeleteContent
Important Before you permanently delete messages, we recommend that you either use the LogOnlyparameter to generate a log of the messages found in the search before they're deleted, or copy the messages to another mailbox before deleting them from the source mailbox.
Copy a message before deleting it
The following command searches all mailboxes for any message that has specific text in the Subject line, copies the actual search results to a folder, and then deletes all the messages that meet the search criteria.
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:<verbatim subject line> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -DeleteContent
Example The following command searches all mailboxes for messages with the subject line Download this file, copies the search results to the DeletedMessages folder in the administrator's mailbox, and then permanently deletes the messages from users' mailboxes.
E-mail message properties to search
The following table lists common message properties that you can include in the value for the SearchQueryparameter.
| Property | Example | Search results |
|---|---|---|
Attachments
|
attachment:annualreport.ppt
|
Messages that have an attachment that is named annualreport.ppt. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment.
|
Cc
|
cc:"gurinder singh"
cc:gurinders
cc: gurinders@fineartschool.edu
|
Messages with Gurinder Singh in the Cc field
|
From
|
from:"Max Stevens"
from:maxs
from:maxs@contoso.com
|
Messages sent by Max Stevens
|
Sent
|
sent:10/19/2010
|
Messages that were sent on October 19, 2010
|
Subject
|
subject:"Quarterly Financials"
|
Messages that contain the exact phrase "Quarterly Financials" in the subject line
|
To
|
to:"Judy Lew"
to:judyl
to:judyl@contoso.com
|
Messages sent to Judy Lew
|
Good tips for an Exchange admin to keep handy!
ReplyDelete