skip to Main Content

Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7

In the current article, we will review the use of the PowerShell cmdlets
Search-Mailbox that we can use for searching and recovering specific mail items.
The PowerShell cmdlets Search-Mailbox is the “older sister” of the newer PowerShell cmdlets New-MailboxSearch.
Booth of this PowerShell cmdlets was designed for providing the Exchange administrator the robust capability of creating a multiple mailbox search + the ability to copy (recover) the search result to “other store” such as the Discovery Search Mailbox or any other Exchange mailbox.

Table of contents

A little bit history

The ability to perform multiple mailbox search was first presented in Exchange 2010. This ability was based on the PowerShell cmdlets – Search-Mailbox

In Exchange 2013 the term – “Multiple mailbox search” was replaced by the term – in-place eDiscovery & hold.

The in-place eDiscovery & hold infrastructure include more capabilities and features, and it’s based on a new PowerShell cmdlet named:

New-MailboxSearch

In other words, we can say that the Exchange in-place eDiscovery & hold management interface is the graphical interface for the PowerShell cmdlets – New-MailboxSearch

Exchange search and recover PowerShell cmdlets

Because the New-MailboxSearch is “newer” or more advanced, logically we can assume that these PowerShell cmdlets include all of the capabilities of the “former” PowerShell cmdlets – Search-Mailbox + new capabilities.

This assumption is partially correct because the Interesting thing is that the “older” PowerShell cmdlets Search-Mailbox, still has capabilities that are not available in the newer PowerShell cmdlets New-MailboxSearch.

The abilities that are included in the PowerShell cmdlets Search-Mailbox and doesn’t include in the newer PowerShell cmdlets New-MailboxSearch) are:

1. Search and delete (search and destroyed)

This ability sometimes referred as “search and destroy”. The part of “searching” multiple Exchange mailboxes is the first part. The second part is –“what to do with the search results?”.
When using the PowerShell cmdlets Search-Mailbox we can decide to delete the search results instead of a copy or recovering the search results.

If the option of “delete mail items” based on the search result seems strange to you, consider a scenario in which your organization infected by a virus that sent via the mail systems to the different organization recipient.

You want to be able to find all the recipients that got the infected mail + delete the mail items that are infected by the virus.

Note: In the current article, we will not review the option of using the PowerShell cmdlets Search-Mailbox for deleting mail items.

2. Search scope – folder based

An Interesting capability of the PowerShell cmdlets Search-Mailbox is the ability to define a specific mailbox folder as a parameter for the search.

This ability can be implemented using the standard mailbox folder such as – inbox folder, sent items and so on and also; we can define the Recoverable Items folder as a parameter of the search scope.

In other words, the PowerShell cmdlets Search-Mailbox enables us to restrict the search only to the Recoverable Items folder and recovered (copy) the mail items in this folder.

This option is very useful in a “recover mail scenarios” because, in this case, we don’t need to search and recover the “standard mailbox content, but instead, only mail items located in the Recoverable Items folder.

The Search-Mailbox PowerShell cmdlets improve capabilities

Recovering mail items using Search-Mailbox PowerShell cmdlets | A two-stage process

Before we start with reviewing the specific syntax of the PowerShell cmdlets Search-Mailbox it’s important to understand the logic and the structure of this command.
The “flow” that is implemented by the PowerShell cmdlets Search-Mailbox consisting of two phases:

Phase 1 – in this phase the Search-Mailbox command access the mailbox\s that we have specified and start to look for mail items that “answers” the search query parameters that we have to defend.

Recovering mail items using Search-Mailbox PowerShell cmdlets - A two-stage process 01

Phase 2 – in this phase the Search-Mailbox command “fetch” the search results (mail items) and copy them to the “destination mailbox”.
The “destination mailbox” could be the Exchange system Discovery Search mailbox or any other mailbox that we choose.

Recovering mail items using Search-Mailbox PowerShell cmdlets - A two-stage process 02

The four Search-Mailbox mandatory parameters

When using the PowerShell cmdlets Search-Mailbox, we will have to define four mandatory parameters:

  1. The mailbox or the mailboxes that want to search – we need to specify at least one mailbox as the “source mailbox”.
  2. The search query parameters – the search parameter can be very simple or very complicated, we can choose to restrict the search based on date range, specific keywords, specific folder, etc.
  3. The “destination mailbox” – this is the mailbox that will serve as a “container” for the copy of the mail items that form the search results.
  4. The folder name who will “host” the copy of the search results – we need to specify a name who will be used for the folder that will contain the copy of the search results.
Search-Mailbox mandatory parameters

Required permissions for using the Exchange PowerShell cmdlets – Search-Mailbox

Using the Search-Mailbox cmdlets enable the user who performs the search (Exchange administrator or the user with the required permissions) to search and view users data located at their mailboxes.
To be able to have this “ability” there is a need to assign the required permission to the user who will use the Search-Mailbox cmdlet.

You need to be assigned the following management roles to search for and delete messages in users’ mailboxes:

  • Mailbox Search – This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren’t assigned this role by default. To assign yourself this role so that you can search mailboxes, add yourself as a member of the Discovery Management role group. See Assign eDiscovery permissions in Exchange.
  • Mailbox Import Export – This role allows you to delete messages from a user’s mailbox. By default, this role isn’t assigned to any role group. To delete messages from users’ mailboxes, you can add the Mailbox Import Export role to the Organization Management role group. For more information, see the “Add a role to a role group” section in Manage role groups.

Using the Search-Mailbox cmdlets scenarios

To demonstrate the different possibilities of using the Search-Mailbox cmdlets, we will review a couple of optional scenarios.

Scenario 1 – Copy mail items from the Recoverable Items folder to – Discovery Search Mailbox

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

In addition, create a detailed Log (LogLevel Full).

Copy mail items from the Recoverable Items folder to – Discovery Search Mailbox

PowerShell command syntax:

Search-Mailbox <Identity> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox John -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder <John recovered mail> -LogLevel Full

Scenario 2 – Provide a report about deleted mail items

Scenario description:
We don’t wish to recover mail items but instead, we just want to get a detailed report about all the mail items that reside in the Recoverable Items folder
We want to search (but not to recover) mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Provide a report about deleted mail items

PowerShell command syntax:

Search-Mailbox <Identity> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full -LogOnly

PowerShell command example:

Search-Mailbox John -SearchDumpsterOnly -TargetMailbox “Discovery Search Mailbox”-TargetFolder “David Deleted mail items” -LogLevel Full -LogOnly

Scenario 3 – Recover deleted mail items from all user mailboxes (bulk mode)

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in all of the Exchange user mailboxes (Bulk search).
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover deleted mail items from all user mailboxes (bulk mode)

PowerShell command syntax:

Get-Mailbox -ResultSize Unlimited |Search-Mailbox -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox “Discovery Search Mailbox” -TargetFolder “All users Deleted mail items” -LogLevel Full

Scenario 4 – Recover only deleted calendar mail items

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Specific mail items – only mail items with a specific attachment
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover only deleted calendar mail items

PowerShell command syntax:

Search-Mailbox <Identity> -SearchDumpsterOnly -SearchQuery “Attachment:<Mail Type>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox John -SearchDumpsterOnly -SearchQuery “Kind:meetings" -TargetMailbox “Discovery Search Mailbox” -TargetFolder “John calendar items” -LogLevel Full

Scenario 5 – Recover deleted mail items with a specific attachment

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Specific mail items – only calendar mail items
  • Mail items that are stored in the Recoverable Items folder (SearchDumpsterOnly).

Recover deleted mail items with a specific attachment

PowerShell command syntax:

Search-Mailbox <Identity> -SearchDumpsterOnly -SearchQuery “Kind:<Mail Type>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox John -SearchDumpsterOnly -SearchQuery “Kind:meetings" -TargetMailbox “Discovery Search Mailbox” -TargetFolder “John calendar items” -LogLevel Full

Scenario 6 – Recover only deleted mail items that include a specific text (mail body or subject)

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that include a specific text string.

Recover only deleted mail items that include a specific text (mail body or subject)

PowerShell command syntax:

Search-Mailbox <Identity> -SearchQuery “<Text String>” -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox John -SearchQuery “call me ASAP” -TargetMailbox “Discovery Search Mailbox” -TargetFolder “John mail items” -LogLevel Full

Scenario 7 – Recover only deleted mail items that include a specific text in mail subject

Scenario description:
We want to search and recover a mail item that answers the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that include a specific text string that appears in the E-mail subject.

Recover only deleted mail items that include a specific text in mail subject

PowerShell command syntax:

Search-Mailbox <Identity> -SearchQuery 'Subject:"<Txt String>"' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox John -SearchQuery 'Subject:"call me ASAP"' -TargetMailbox “Discovery Search Mailbox” -TargetFolder “John mail items” -LogLevel Full

Scenario 8 – Recover deleted mail items from a specific date range

Scenario description:
We want to search and recover mail items that answer the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • Mail items that were sent on a specific date range.

Recover deleted mail items from a specific date range

PowerShell command syntax:

Search-Mailbox <Identity> SearchQuery '(sent: sent:dd/mm/yy..dd/mm/yy)' -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox SearchQuery '(sent: 09/1/2015.. 09/10/2015)' -TargetMailbox -TargetFolder -LogLevel Full

Scenario 9 – Copy ALL mail items from a specific mailbox to the – Discovery Search Mailbox

Scenario description:
We want to search and recover ALL mail item that answers the following parameters:

  • Mail items that are stored in a specific Exchange user mailbox.
  • ALL Mail items from a specific mailbox

In addition, create a detailed Log (LogLevel Full).

Copy ALL mail items from a specific mailbox to the – Discovery Search Mailbox

PowerShell command syntax:

Search-Mailbox <Identity> -TargetMailbox <Destination mailbox> -TargetFolder <Folder name> -LogLevel Full

PowerShell command example:

Search-Mailbox John -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder <John recovered mail> -LogLevel Full

1. Assign Full access permission to the Discovery Search-Mailbox

in case that we want to look into the content of the Discovery Search-Mailbox by using the Outlook mail client, we will need to Assign Full access permission to the Discovery Search-Mailbox.

Recover only deleted calendar mail items

PowerShell command syntax:

Add-MailboxPermission "<Destination Mailbox>" -User <Identity> -AccessRights FullAccess -InheritanceType all -Automapping $False

PowerShell command example:

Add-MailboxPermission "Discovery Search Mailbox" -User John -AccessRights FullAccess -InheritanceType all -Automapping $False

2. Assign the required permission for using the PowerShell cmdlets Search-Mailbox

To be able to use the PowerShell cmdlets Search-Mailbox, we will need to assign the required permission to the user account that will use the PowerShell cmdlets Search-Mailbox

We will need to enable the following permissions:

Add a user to the Discovery Management role group and assign the user account the Mailbox Import Export role

Add user to the Discovery Management group

PowerShell command syntax:

Add-RoleGroupMember -Identity "Discovery Management" -Member <Identity>

PowerShell command example:

Add-RoleGroupMember -Identity "Discovery Management" -Member John

Assign a user “Mailbox Import Export” permission

PowerShell command syntax:

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User <Identity>

PowerShell command example:

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User John

3. Create a new discovery mailbox

Exchange Online provides a default mailbox that will serve as the container for the search result, the Discovery Search-Mailbox mailbox.

In case we want to create an additional “Discovery Search-Mailbox mailbox,” we can use a PowerShell command for creating this additional mailbox.

Create a new discovery mailbox

PowerShell command syntax:

New-Mailbox -Name <name> -Discovery

PowerShell command example:

New-Mailbox -Name “New Discovery” -Discovery

Working with the New-MailboxSearch PowerShell cmdlets

Step 1#2

Export a Full mailbox connect of recipient A to recipient B mailbox

PowerShell command syntax:

New-MailboxSearch -Name <Search name> -SourceMailboxes <source mailbox> -TargetMailbox <Destinaiton mailbox>

PowerShell command example:

New-MailboxSearch -Name "Alice exported items" -SourceMailboxes Alice -TargetMailbox John

Step 2#2

Export a Full mailbox connect of recipient A to recipient B mailbox

PowerShell command syntax:

Start-MailboxSearch -Identity "<Search name>" -Confirm

PowerShell command example:

Start-MailboxSearch -Identity "Alice exported items" -Confirm
The o365info Team

The o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 4 Comments

  1. I’ve ran these and it ran well but i get a table that devides Name|Createdby|InPlaceHoldEnabled|Status, my concern is the status is set to NotStarted and thus whilst ran doesn’t pull through into my DiscoverySearchMailbox. Can you confirm if there is a second part of the script to run in order to change the status to Started?

  2. If your Office 365 Tenant is running Exchange 2016 in the backend then the search-mailbox cmdlet will not work. FYI.

Leave a Reply

Your email address will not be published. Required fields are marked *