Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7

In the current article, we will review the use of the PowerShell cmdlet
Search-Mailbox, which we can use for searching and recovering specific mail items.
The PowerShell cmdlet Search-Mailbox is the “older sister” of the newer PowerShell cmdlet New-MailboxSearch.
Both of these PowerShell cmdlets were designed to give the Exchange administrator the capability of creating a multiple mailbox search, plus the ability to copy (recover) the search results to an “other store” such as the Discovery Search Mailbox or any other Exchange mailbox.

A little bit of history

The ability to perform a multiple mailbox search was first introduced in Exchange 2010. This ability was based on the PowerShell cmdlet Search-Mailbox.

In Exchange 2013, the term “Multiple mailbox search” was replaced by the term in-place eDiscovery & hold.

The in-place eDiscovery & hold infrastructure includes more capabilities and features, and it is based on a new PowerShell cmdlet named New-MailboxSearch.

In other words, we can say that the Exchange in-place eDiscovery & hold management interface is the graphical interface for the PowerShell cmdlet New-MailboxSearch.

Exchange search and recover PowerShell cmdlets

Because New-MailboxSearch is “newer” or more advanced, we could logically assume that this PowerShell cmdlet includes all of the capabilities of the “former” PowerShell cmdlet Search-Mailbox, plus new capabilities.

This assumption is only partially correct, because the interesting thing is that the “older” PowerShell cmdlet Search-Mailbox still has capabilities that are not available in the newer PowerShell cmdlet New-MailboxSearch.

The abilities that are included in the PowerShell cmdlet Search-Mailbox (and are not included in the newer PowerShell cmdlet New-MailboxSearch) are:
1. Search and delete (search and destroy)

This ability is sometimes referred to as “search and destroy”. Searching multiple Exchange mailboxes is the first part. The second part is “what to do with the search results?”.
When using the PowerShell cmdlet Search-Mailbox, we can decide to delete the search results instead of copying or recovering them.

If the option of “delete mail items” based on the search result seems strange to you, consider a scenario in which your organization is infected by a virus that was sent via the mail system to different organization recipients.

You want to be able to find all the recipients that got the infected mail and delete the mail items that are infected by the virus.

Note – in the current article, we will not review the option of using the PowerShell cmdlet Search-Mailbox for deleting mail items.

2. Search scope – folder based

An interesting capability of the PowerShell cmdlet Search-Mailbox is the ability to define a specific mailbox folder as a parameter for the search.

This ability can be used with the standard mailbox folders such as the Inbox folder, Sent Items and so on, and we can also define the Recoverable Items folder as the search scope.

In other words, the PowerShell cmdlet Search-Mailbox enables us to restrict the search to the Recoverable Items folder only and recover (copy) the mail items in this folder.

This option is very useful in “recover mail” scenarios because, in this case, we don’t need to search and recover the “standard” mailbox content, but only the mail items located in the Recoverable Items folder.

The Search-Mailbox PowerShell cmdlets improve capabilities

Recovering mail items using Search-Mailbox PowerShell cmdlets | A two-stage process

Before we start reviewing the specific syntax of the PowerShell cmdlet Search-Mailbox, it’s important to understand the logic and the structure of this command.
The “flow” that is implemented by the PowerShell cmdlet Search-Mailbox consists of two phases:
Phase 1 – in this phase, the Search-Mailbox command accesses the mailbox or mailboxes that we have specified and starts to look for mail items that “answer” the search query parameters that we have defined.


Phase 2 – in this phase, the Search-Mailbox command “fetches” the search results (mail items) and copies them to the “destination mailbox”.
The “destination mailbox” could be the Exchange system Discovery Search Mailbox or any other mailbox that we choose.


The four Search-Mailbox mandatory parameters

When using the PowerShell cmdlet Search-Mailbox, we will have to define four mandatory parameters:

  1. The mailbox or the mailboxes that we want to search – we need to specify at least one mailbox as the “source mailbox”.
  2. The search query parameters – the search query can be very simple or very complicated. We can choose to restrict the search based on a date range, specific keywords, a specific folder, etc.
  3. The “destination mailbox” – this is the mailbox that will serve as a “container” for the copy of the mail items that form the search results.
  4. The name of the folder that will “host” the copy of the search results – we need to specify a name for the folder that will contain the copy of the search results.

Search-Mailbox mandatory parameters

Required permissions for using the Exchange PowerShell cmdlets – Search-Mailbox

Using the Search-Mailbox cmdlet enables the user who performs the search (the Exchange administrator or a user with the required permissions) to search and view users’ data located in their mailboxes.
To be able to have this “ability” there is a need to assign the required permission to the user who will use the

You need to be assigned the following management roles to search for and delete messages in users’ mailboxes:

  • Mailbox Search – This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren’t assigned this role by default. To assign yourself this role so that you can search mailboxes, add yourself as a member of the Discovery Management role group. See Assign eDiscovery permissions in Exchange.
  • Mailbox Import Export – This role allows you to delete messages from a user’s mailbox. By default, this role isn’t assigned to any role group. To delete messages from users’ mailboxes, you can add the Mailbox Import Export role to the Organization Management role group. For more information, see the “Add a role to a role group” section in Manage role groups .
[Source of information – Search and delete messages]

Scenarios for using the Search-Mailbox cmdlet

To demonstrate the different possibilities of using the Search-Mailbox cmdlet, we will review a couple of optional scenarios.

Scenario 1 – Copy mail items from the Recoverable Items folder to – Discovery Search Mailbox

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

In addition, create a detailed Log (LogLevel Full).

Copy mail items from the Recoverable Items folder to – Discovery Search Mailbox

PowerShell command syntax

PowerShell command Example

Scenario 2 – Provide a report about deleted mail items

Scenario description:
We don’t wish to recover mail items; instead, we just want to get a detailed report about all the mail items that reside in the Recoverable Items folder.
We want to search (but not recover) mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Provide a report about deleted mail items

PowerShell command syntax

PowerShell command Example

Scenario 3 – Recover deleted mail items from all user mailboxes (bulk mode)

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in all of the Exchange user mailboxes (Bulk search).
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover deleted mail items from all user mailboxes (bulk mode)

PowerShell command syntax

PowerShell command Example

Scenario 4 – Recover only deleted calendar mail items

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Specific mail items – only calendar mail items.
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover only deleted calendar mail items

PowerShell command syntax

PowerShell command Example

Scenario 5 – Recover deleted mail items with a specific attachment

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Specific mail items – only mail items with a specific attachment.
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover deleted mail items with a specific attachment

PowerShell command syntax

PowerShell command Example

Scenario 6 – Recover only deleted mail items that include a specific text (mail body or subject)

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that include a specific text string.

Recover only deleted mail items that include a specific text (mail body or subject)

PowerShell command syntax

PowerShell command Example

Scenario 7 – Recover only deleted mail items that include a specific text in mail subject

Scenario description:
We want to search and recover a mail item that answers the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that include a specific text string that appears in the E-mail subject.

Recover only deleted mail items that include a specific text in mail subject

PowerShell command syntax

PowerShell command Example

Scenario 8 – Recover deleted mail items from a specific date range

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that were sent on a specific date range.

Recover deleted mail items from a specific date range

PowerShell command syntax

PowerShell command Example

Scenario 9 – Copy ALL mail items from a specific mailbox to – Discovery Search Mailbox

Scenario description:
We want to search and recover ALL mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • ALL Mail items from a specific mailbox

In addition, create a detailed Log (LogLevel Full).

Copy ALL mail items from a specific mailbox to – Discovery Search Mailbox

PowerShell command syntax

PowerShell command Example
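The command text for scenarios 1 to 9 is not present on this page, so the following is an added example (not the author's original commands) showing one way to express each scenario with Search-Mailbox. The mailbox address, folder names, search strings and dates are placeholders, and using -SearchDumpsterOnly in scenarios 6 to 8 is an assumption based on their "deleted mail items" headings.

```powershell
# Added example: all values below are placeholders, not taken from the article.
$Source = 'user@contoso.example'     # hypothetical source mailbox
$Copy   = @{ TargetMailbox = 'Discovery Search Mailbox'; LogLevel = 'Full' }

# Pre-check: count and size of matching items before anything is copied.
# -EstimateResultOnly cannot be combined with -TargetMailbox.
Search-Mailbox -Identity $Source -SearchDumpsterOnly -EstimateResultOnly

# Scenario 1: copy the Recoverable Items folder to the discovery mailbox
Search-Mailbox -Identity $Source -SearchDumpsterOnly -TargetFolder 'S1-Recoverable' @Copy

# Scenario 2: report only; -LogOnly writes the log to the target folder, copies no items
Search-Mailbox -Identity $Source -SearchDumpsterOnly -TargetFolder 'S2-Report' -LogOnly @Copy

# Scenario 3: bulk mode, every user mailbox is piped in as a source mailbox
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Search-Mailbox -SearchDumpsterOnly -TargetFolder 'S3-Bulk' @Copy

# Scenario 4: only deleted calendar items
Search-Mailbox -Identity $Source -SearchQuery 'kind:meetings' `
    -SearchDumpsterOnly -TargetFolder 'S4-Calendar' @Copy

# Scenario 5: only deleted items with a specific attachment (file name is a placeholder)
Search-Mailbox -Identity $Source -SearchQuery 'attachment:"report.pdf"' `
    -SearchDumpsterOnly -TargetFolder 'S5-Attachment' @Copy

# Scenario 6: text anywhere in the item (subject or body)
Search-Mailbox -Identity $Source -SearchQuery '"quarterly budget"' `
    -SearchDumpsterOnly -TargetFolder 'S6-Text' @Copy

# Scenario 7: text in the subject only
Search-Mailbox -Identity $Source -SearchQuery 'subject:"quarterly budget"' `
    -SearchDumpsterOnly -TargetFolder 'S7-Subject' @Copy

# Scenario 8: items sent in a date range (date format follows the session's regional settings)
Search-Mailbox -Identity $Source -SearchQuery 'sent:01/01/2015..01/31/2015' `
    -SearchDumpsterOnly -TargetFolder 'S8-DateRange' @Copy

# Scenario 9: ALL items of the mailbox; no query and no -SearchDumpsterOnly
Search-Mailbox -Identity $Source -TargetFolder 'S9-FullCopy' @Copy
```

Each run creates its own folder under the target mailbox, so the copied content of one search stays separate from the next and can be reviewed or removed on its own.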

Additional considerations related to the use of the Search-Mailbox command

1. Assign Full access permission to the Discovery Search Mailbox

If we want to look into the content of the Discovery Search Mailbox by using the Outlook mail client, we will need to assign Full access permission to the Discovery Search Mailbox.


PowerShell command syntax

PowerShell command Example

2. Assign the required permission for using the PowerShell cmdlets Search-Mailbox

To be able to use the PowerShell cmdlet Search-Mailbox, we will need to assign the required permissions to the user account that will run it.

We will need to enable the following permissions:

Add the user to the Discovery Management role group and assign the user account the Mailbox Import Export role.

Add user to the Discovery Management group

PowerShell command syntax

PowerShell command Example

Assign a user “Mailbox Import Export” permission


PowerShell command syntax

PowerShell command Example

3. Create a new discovery mailbox

Exchange Online provides a default mailbox that serves as the container for the search results: the Discovery Search Mailbox.

If we want to create an additional discovery mailbox, we can use a PowerShell command for creating it.

Create a new discovery mailbox

PowerShell command syntax

PowerShell command Example
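The three preparation steps above (Full access to the discovery mailbox, role assignment, additional discovery mailbox), as an added example that is not the author's original commands. The account name and the new mailbox name are placeholders; the verification and removal commands at the end are an addition for keeping this access limited to the time it is needed, since both roles expose the content of every mailbox.

```powershell
# Added example: $Admin and the new mailbox name are placeholders.
$Admin = 'admin@contoso.example'     # hypothetical account that will run Search-Mailbox

# 1. Full access to the Discovery Search Mailbox, so it can be opened from Outlook
Add-MailboxPermission -Identity 'Discovery Search Mailbox' -User $Admin `
    -AccessRights FullAccess -InheritanceType All

# 2a. Discovery Management role group (carries the Mailbox Search role)
Add-RoleGroupMember -Identity 'Discovery Management' -Member $Admin

# 2b. Mailbox Import Export role, assigned directly to the user
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $Admin

# 3. An additional discovery mailbox to use as a search target
New-Mailbox -Name 'Discovery Search Mailbox 02' -Discovery

# Verify who currently holds this access
Get-RoleGroupMember -Identity 'Discovery Management'
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers
Get-MailboxPermission -Identity 'Discovery Search Mailbox' -User $Admin
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox

# Remove the access again once the recovery task is finished
Remove-RoleGroupMember -Identity 'Discovery Management' -Member $Admin -Confirm:$false
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee $Admin |
    Remove-ManagementRoleAssignment -Confirm:$false
Remove-MailboxPermission -Identity 'Discovery Search Mailbox' -User $Admin `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false
```

New role assignments apply to new remote PowerShell sessions, so reconnect before running Search-Mailbox with the account.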

For your convenience, I have “wrapped” all the PowerShell commands that were reviewed in a PowerShell script named:
Recover_Delted_Mail.PS1
You are welcome to download the script and use it.

Working with the New-MailboxSearch PowerShell cmdlet

Step 1#2

Export the full mailbox content of recipient A to recipient B mailbox

PowerShell command syntax

PowerShell command Example

Step 2#2

Export the full mailbox content of recipient A to recipient B mailbox

PowerShell command syntax

PowerShell command Example

Eyal Doron

4 Responses to “Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7”

  1. If your Office 365 Tenant is running Exchange 2016 in the backend then the search-mailbox cmdlet will not work. FYI.

    • Hello Jovon
      Thanks for the information
      Do you know what PowerShell command to use for getting information about the specific Exchange Online version?
      Best regards
      Eyal

    • Perhaps it didn’t work when you used it but we’re on O365 Exchange 2016 and it worked.

  2. Jamie Sayers

    I’ve run these and it ran well, but I get a table that divides Name|Createdby|InPlaceHoldEnabled|Status. My concern is that the status is set to NotStarted and thus, whilst run, it doesn’t pull through into my DiscoverySearchMailbox. Can you confirm if there is a second part of the script to run in order to change the status to Started?
