Searching the content of user mailboxes has always been pretty tricky for Microsoft Exchange Server administrators. Naturally, companies are always cautious when accessing data in users' mailboxes because of potential legal problems, such as privacy issues, that can arise. Furthermore, until the release of Microsoft Exchange Server 2010, Exchange didn't have a friendly tool for searching across multiple mailboxes in an organization. Exchange 2010 brings new functionality, called Multi-Mailbox Search (aka discovery search), that lets administrators and other authorized personnel use a new graphical console to perform keyword-based searches on one or more mailboxes in an Exchange organization. In this article, I'll discuss the technology that lies underneath this feature and explain the steps you need to follow to perform this type of search.
If a company wanted to access data inside a user's mailbox in previous Exchange versions, the only way to do it was to grant full access rights on the mailbox object to the administrator who would access that data. Alternatively, it was possible to export the whole user mailbox and open it on another computer. However, this approach still provided administrators with access to data only in a single user's mailbox. Exchange 2007 added the ability to perform multi-mailbox searches with PowerShell's Export-Mailbox cmdlet, but without a graphical interface. Also, every Exchange administrator was able to perform this search, which could pose a security risk.
Multi-Mailbox Search in Exchange 2010 lets administrators search users' mailbox data without requiring them to have full access rights on the mailbox objects and with the ability to search multiple mailboxes at the same time—either from the GUI or the command line.
Multi-Mailbox Search Scenarios
Many companies don't consider data in user mailboxes as something private. Typically, employees are warned that authorized persons can and will access their data and read some or all of their email correspondence if appropriate circumstances warrant it. For example, if a company suspects that users are sending confidential data outside the company through email, correspondence can be watched by using a variety of approaches. Also, mailbox searches are commonly a very important part of legal requirements. For example, you might have a legal requirement to have all email correspondence of a specific type available for a request, or you might receive a court order to track email correspondence for specific users.
To track messages, you can use transport rules on the Exchange server by defining patterns of text that appear in email messages and could represent confidential data. Or you could implement journaling, where you archive all messages from a specific user in a separate mailbox. With Exchange 2010, you could search for specific criteria by performing a keyword-based Multi-Mailbox Search across mailboxes in the organization.
For legal requirements, discovery search can be used in one more scenario: legal hold. In Exchange 2010, it's possible to activate the legal hold option on specific user mailboxes, which means that from that moment, all messages that are in that mailbox or pass through it will be retained—even if the user deletes a message and empties the Deleted Items folder. You can access all these retained items when you perform a Multi-Mailbox Search.
Technologies Behind Multi-Mailbox Search
Although it might look simple at first, several technologies are involved in Multi-Mailbox Search functionality. To search across multiple mailboxes, Multi-Mailbox Search uses the content indexes created by Exchange Search. This service is enhanced with new capabilities to provide the extensive search functionality required by Multi-Mailbox Search. Also, having a single content indexing engine ensures that no additional resources are consumed when discovery requests are performed.
Exchange Control Panel (ECP) is the administrative interface you use to perform Multi-Mailbox Search. ECP is a new web-based console, for both administrators and end users, that provides an easy-to-use search interface for both technical and nontechnical personnel, such as legal and compliance officers, records managers, and HR professionals. Because ECP is web-based, it's available from practically anywhere, and it's easy to use because it doesn't require any type of Microsoft Management Console (MMC) snap-in console. Moreover, ECP works much like Outlook Web Access—which, in Exchange 2010, is renamed Outlook Web App (OWA)—so no extensive user training is required.
From a security perspective, Exchange 2010 offers Role Based Access Control (RBAC), a new method for delegation of various permissions in Exchange. RBAC includes the Discovery Management role group to delegate discovery tasks to authorized users without the need to provide elevated privileges, such as full mailbox access or privileges that could allow a user to make any operational changes to Exchange configuration. The Discovery Management role group has no members by default—not even Exchange administrators are included.
All search results are stored in a special mailbox called Discovery Search Mailbox; it's not possible to store results in any other mailbox, such as a user's mailbox. The Discovery Search Mailbox is created during Exchange installation and can't be used for standard purposes such as sending and receiving email because delivery restrictions are applied to it. The user account associated with the Discovery Search Mailbox is disabled so no one can log on to this mailbox without being explicitly granted rights to do so. The Discovery Management group has full access rights to the Discovery Search Mailbox. You can control and audit membership in the Discovery Management role group by using Group Policy's restricted group policy setting.
Because the Discovery Search Mailbox should be able to store a large amount of data, it's assigned a 50GB storage quota on creation. If you have multiple teams or individuals that perform discovery searches and you don't want them to see results from other searches, you'll need to create additional Discovery Search Mailboxes, which you can do through Exchange Management Shell (EMS)—I'll describe that procedure later.
Permissions for Multi-Mailbox Search
Unlike other technologies, such as transport rules and journaling, which you have to enable and configure before you can use them, you can perform a discovery search at any time, without first enabling the feature on an organizational level. However, several steps should be performed to allow an investigator to perform discovery searches.
First, you should have a valid reason to perform a search, as well as appropriate procedures and policies, developed in cooperation with your legal team, that define and support this type of activity. Although these considerations aren't a technical part of the story, it's very important to keep them in mind. If you don't, you risk potential lawsuits and even the possibility of losing your job.
After you've handled the legal issues, you have to assign appropriate rights to yourself or to someone else who will perform the discovery search. You have two options for assigning the rights. You can use the MMC Active Directory Users and Computers snap-in to add a user account to the Discovery Management role group. This process actually adds the user to the Discovery Management RBAC role group. The role group consists of two management roles: the Mailbox Search role, which lets a user perform a discovery search; and the Legal Hold role, which lets a user place a mailbox on legal hold.
Your second option for assigning the rights is to use EMS by executing the following command (replace the placeholder with the account you want to add):
Add-RoleGroupMember -Identity "Discovery Management" -Member "<user account>"
If you want to check which users have permission to perform a discovery search, you can execute the following command:
When you add a user to the Discovery Management role group, the user also gets full access rights for the Discovery Search Mailbox. Remember, this mailbox is the default for storing search results, but you can also create additional mailboxes of this type. To do so, you use EMS and the New-Mailbox cmdlet. For example,
creates an additional Discovery Search Mailbox. The -Discovery switch used in this cmdlet is responsible for dedicating this as a Discovery Search Mailbox, and you can use the -Name parameter to enter a different name for this mailbox.
If you aren't sure whether additional Discovery Search Mailboxes have been created in your organization, you can easily check that with the following command:
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RecipientTypeDetails -eq "DiscoveryMailbox"}
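The permission steps above, worked through as one EMS script. This is an added example, not code from the article; the account name, the approved-member list, and the second mailbox name are placeholders, and the mailbox property names in the last step are assumed from Exchange 2010's Get-Mailbox output:

```powershell
# Added example (not from the article): delegate discovery rights through the
# Discovery Management role group and audit who holds them.
# Placeholders: the account "jdoe", the approved list, and the mailbox name.

$investigator  = "jdoe"                        # placeholder account
$approved      = @("jdoe")                     # placeholder: who is allowed to be a member
$secondMailbox = "Legal Discovery Mailbox"     # placeholder name

# 1. Grant the Mailbox Search and Legal Hold roles by role-group membership
#    rather than by full access to the target mailboxes.
Add-RoleGroupMember -Identity "Discovery Management" -Member $investigator

# 2. Record the current membership and flag anyone not on the approved list.
#    This is the check the article recommends running on a regular basis.
$members = Get-RoleGroupMember -Identity "Discovery Management"
$members | Select-Object Name, RecipientType

$unexpected = $members | Where-Object { $approved -notcontains $_.Name }
if ($unexpected) {
    $names = ($unexpected | ForEach-Object { $_.Name }) -join ", "
    Write-Warning "Unapproved Discovery Management members: $names"
}

# 3. Create a second Discovery Search Mailbox so that another team's results
#    are not visible in the default one.
New-Mailbox -Name $secondMailbox -Discovery

# 4. Enumerate every discovery mailbox in the organization and confirm that
#    each one has the expected quota and a disabled account.
#    (AccountDisabled and ProhibitSendReceiveQuota are assumed property names.)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq "DiscoveryMailbox" } |
    Select-Object Name, ProhibitSendReceiveQuota, AccountDisabled
```

Run it from an EMS session held by an account that can manage role groups; the warning in step 2 is what you would wire into whatever alerting you already use for privileged-group changes.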
Perform a Multi-Mailbox Search
Now that you have users who can perform a discovery search, you're ready to actually perform a search. First, you have to connect to ECP, which you can do by going to https://yourexchangeserver/ecp in your browser, and entering your username and password on the authentication page. In the ECP interface, click Reporting, and you'll be presented with the Mailbox Searches interface, which Figure 1 shows. This page won't be available to users who don't have appropriate rights.
To create a new search, click New, and the New Mailbox Search window opens, as Figure 2 shows. The first field is Keywords, which is where you enter keywords, phrases, or patterns defined with wildcards that you want to search for. For this example, we'll search for the word password. If you want to search for multiple words, you can use AND in all caps between words, or just type commas. If you want to search for any of the words you enter, you need to use OR (also, all caps) between words. You can also use NOT between words to exclude the second one, use an asterisk (*) as a wildcard after a word, and use double quotation marks around words to search for an exact phrase. Thanks to new features implemented in Exchange Search, you can also use Advanced Query Syntax (AQS) to define keywords. Using AQS, you can quickly define and narrow your searches for even more targeted results. This query syntax is used by Windows Search and Instant Search in Microsoft Outlook 2007 and later. You can learn more about using AQS from the Microsoft article "Using Advanced Query Syntax Programmatically."
If you suspect items in a user's mailbox are protected or encrypted, you can select the check box for Include items that can't be searched. If you enable this option, your search results will include not just messages that have the desired keywords, but also items that can't be searched by default, such as encrypted or Information Rights Management (IRM)–protected messages, or messages with attachments in an unknown format. This ability is achieved by using IRM decryption for the Exchange Search feature. When a Multi-Mailbox Search is used to perform a discovery search, IRM-protected messages that have been indexed are returned in search results. To enable this decryption feature, Exchange servers must have access to the message, which is done by adding the Federated Delivery mailbox, a system mailbox created by Exchange Setup, to the super users group on the Active Directory Rights Management Services (AD RMS) server. For more information about this process, see the Microsoft article "Add a Federated Delivery Mailbox to the AD RMS Super Users Group." To enable search on IRM-protected content on the Exchange side, run this command:
Below the Keywords field is the very useful Select message types button. Clicking this button lets you select the type of items you want to search, as Figure 3 shows. You can choose to search, for example, only email messages and calendar items, but not tasks, notes, and so forth. Or you can select to search all types of items in the mailbox.
Figure 3: Selecting the types of messages to search
The next section on the New Mailbox Search window, Messages To and From Specific E-mail Addresses, lets you narrow your search to specific senders or specific recipients, if known. Note that this isn't where you specify the mailbox that you want to perform the search on, but just an option to perform a more precise search. If you don't know any specific sender or recipient, you can specify just a domain name. For example, by entering @logosoft.ba in the From field, you'll search for messages that came from any user on the logosoft.ba domain. The To field works the same way.
The Date Range section lets you specify a date range for messages you want to search. If you don't know a specific date range, you can search without limiting by date. However, if you don't specify a date range, your search will be significantly slower.
The next section is Mailboxes to Search. In this section, you select the specific mailbox or mailboxes that you want to search. By clicking Add, you can add one or more mailboxes from your organization, or you can select the Search all mailboxes option to perform a search across all mailboxes in your organization. Searching all mailboxes can take a long time, especially if you have a lot of mailboxes and you didn't specify a date range for the search. Note that if you're searching a mailbox that has a Personal Archive mailbox enabled, the search also includes this archive.
The last section is Search Name and Storage Location. You can enter anything in the Search name field (I used "password sharing" as a name in this example). Then, click Browse, and you'll see all available Discovery Search Mailboxes in your organization; if you didn't create additional mailboxes, there will be only one available. In this same section, you can also select to be notified by email when the search is done, and you can select the full-logging option. Full logging includes detailed information about all messages returned by the search in a comma-separated value (CSV) file attached to the email message that contains the basic information.
When you click Save, your search starts. Unless your search is targeted on a large number of objects, it will probably finish quickly. You can monitor search progress in ECP, or you can log out and wait until you get an email notification. It's also possible to run more than one search at the same time. When your search status changes to Succeeded, which you can see in the right pane of ECP, as Figure 4 shows, you can open the results. On the Results line, scroll right and you'll see a link, [Open], which you can click to open the Discovery Search Mailbox. Click the My Mail option, and the Discovery Search Mailbox opens in OWA.
Inside this mailbox, you'll have folders for each search that you've performed, named as each search was named. By expanding these folders, you can find the mailboxes, folders, and messages that meet the search parameters, as Figure 5 shows. You can open each item and see its content as well as all its other properties, such as the folder where it resides, sender and recipient, and time of send. It's possible for the same message to appear multiple times in your results—if you performed a search across multiple mailboxes, one user could have a message in the Sent Items folder and another could have it in the Inbox.
A discovery search can also be initiated by using EMS. Although using ECP is convenient for performing a single search from time to time, EMS is a much more flexible option if you need to perform searches on a regular basis. You can use the code in Listing 1 to initiate a discovery search. This command initiates a discovery search on the mailbox Damir Dizdarevic and searches a date range that covers the year 2009. It searches for the words password and confidential, and it looks only for email messages with these keywords, including unsearchable messages.
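An added example (not the article's Listing 1 and not Microsoft's sample code) that ties together the IRM prerequisite described earlier and the EMS search procedure: it turns on IRM decryption for Exchange Search, starts a search over several mailboxes with an OR query, and polls the search until it finishes. The mailbox names other than the article's, the search name, the notification address, the "InProgress" status string (the article only shows "Succeeded" in ECP), and the result property names are assumptions:

```powershell
# Added example (not the article's Listing 1): enable IRM search, run a
# discovery search across several mailboxes from EMS, and wait for it.
# Placeholders: "Legal Team", the search name, and the notification address.

# Let Exchange Search index IRM-protected content. This only works after the
# Federated Delivery mailbox has been added to the AD RMS super users group.
Set-IRMConfiguration -SearchEnabled $true
Get-IRMConfiguration | Select-Object SearchEnabled

$searchName = "confidential data 2009"          # placeholder
$sources    = "Damir Dizdarevic", "Legal Team"  # second mailbox is a placeholder

# Any of the two words in email items only, unsearchable items included,
# with full logging so the CSV of hits is attached to the status mail.
New-MailboxSearch -Name $searchName `
    -SourceMailboxes $sources `
    -TargetMailbox "Discovery Search Mailbox" `
    -StartDate "1/1/2009" -EndDate "12/31/2009" `
    -SearchQuery '"password" OR "confidential"' `
    -MessageTypes Email `
    -IncludeUnsearchableItems `
    -LogLevel Full `
    -StatusMailRecipients "investigator@contoso.example"   # placeholder

# Poll until the search leaves the running state ("InProgress" is assumed).
do {
    Start-Sleep -Seconds 30
    $search = Get-MailboxSearch -Identity $searchName
} while ($search.Status -eq "InProgress")

# Status, hit count, total size and the link to the results folder in the
# Discovery Search Mailbox (property names assumed from Get-MailboxSearch).
$search | Select-Object Name, Status, ResultNumber, ResultSize, ResultsLink
```

Restricting the date range and message types, as the article advises, is what keeps the polling loop short; a search over all mailboxes with no date range can run for a long time.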
In addition to searching the contents of primary and archive mailboxes, you can use Multi-Mailbox Searches on items that users have deleted. Under some circumstances, such as a court order or lawsuit, it might be necessary to control not just regular email correspondence but also items that specific users deliberately delete. Before discussing this technology, it's worth mentioning changes implemented in the Exchange 2010 dumpster. In previous versions of Exchange, the dumpster was a view stored per folder. Using this approach, items in the dumpster stayed in the folder where they were soft-deleted (either by pressing Shift+Delete in any folder or Delete from within the Deleted Items folder), but they were marked with the ptagDeletedOnFlag flag. Items with this flag were excluded from normal Outlook views and quotas. In addition, data with this flag couldn't be searched or indexed. These items were recoverable by end users by using the Recover Deleted Items tool accessible through OWA, and the user was also able to permanently delete these items.
Exchange 2010 has a Dumpster 2.0. Unlike version 1.0, the new version isn't a simple view but a folder called Recoverable Items. This folder is located inside the user's mailbox in the Non-IPM subtree, and it isn't viewable through the UI. This folder is indexed, it can be searched, and you can prevent deletions from this folder by implementing legal hold. Also, it's possible to apply a quota to this folder. In Exchange 2010, when a user deletes an item, it's no longer marked with a ptagDeletedOnFlag flag; instead, it goes to the Deletions subfolder within the Recoverable Items folder. From this folder, a user can retrieve items that were deleted. However, the user is no longer able to permanently delete items from this folder. If a user deletes an item from Recoverable Items, it goes to the Purges subfolder. The user can no longer access this item, but an administrator can, which prevents users from hiding or destroying items intentionally.
Dumpster 2.0 is the underlying structure for the legal hold feature. You can use the legal hold feature to:
- place a hold on users' mailboxes and keep mailbox items in an unaltered state
- preserve mailbox items that users attempt to delete after the hold is placed
- preserve mailbox items automatically deleted based on messaging records management (MRM) retention policies
Legal hold is enabled on a per-mailbox basis, and it's basically transparent to the end user because retention policies continue to operate. By enabling it, you preserve practically all mailbox items from both the primary mailbox and Personal Archive, even if the user deletes something, and you can perform discovery searches on these items as well.
Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota, which is good for the user. The Recoverable Items folder has its own quota, and two parameters apply to this quota: RecoverableItemsWarningQuota and RecoverableItemsQuota. The default RecoverableItemsWarningQuota and RecoverableItemsQuota values are set to 20GB and 30GB respectively. If these quotas are reached, an event is logged in the application log of the Mailbox server, so it's important to monitor this event log. If you want to modify quota values for a mailbox database, you use the Set-MailboxDatabase cmdlet, or you can use the Set-Mailbox cmdlet if you want to do it on an individual mailbox basis.
To enable legal hold on a user mailbox, you use the following command in EMS:
To remove a legal hold, you would use the same command but replace $true with $false. Legal hold also includes an option that automatically alerts users through Outlook 2010 that a hold has been placed on their mailboxes. If your organization requires that users on legal hold be informed, you can add a notification message to the mailbox user's Retention Comment property. This property can be set by using the -RetentionComment switch in EMS. Outlook 2010 displays the notification in the Backstage view.
When performing a discovery search on mailboxes where legal hold is enabled, your results include not only items from regular mailbox folders but also items from the Recoverable Items folder that match the search keywords. You use the same procedure for searching messages on legal hold as described before for discovery searches; no additional procedure is required.
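The legal hold procedure from the last few paragraphs, as an added EMS example (not the article's own command, which is missing from this copy): it places a mailbox on hold with the Outlook 2010 notification text, verifies the hold, checks and raises the Recoverable Items quotas, and lists every mailbox currently on hold. The mailbox name, comment text, URL, and new quota values are placeholders; LitigationHoldDate and LitigationHoldOwner are assumed property names:

```powershell
# Added example (not from the article): place a mailbox on legal hold,
# verify it, and manage the Recoverable Items quotas that hold data lives in.
# Placeholders: the mailbox "jdoe", the comment, the URL, and the quota values.

$mailbox = "jdoe"   # placeholder

# Enable the hold and attach the notice Outlook 2010 shows in Backstage view.
# From now on, items the user purges land in Recoverable Items\Purges and
# stay searchable by Multi-Mailbox Search.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true `
    -RetentionComment "This mailbox is on legal hold. Contact the legal department." `
    -RetentionUrl "https://intranet.contoso.example/legal-hold"   # placeholder

# Verify the hold and the per-mailbox Recoverable Items limits (20GB/30GB
# defaults). LitigationHoldDate is an assumed property name.
Get-Mailbox -Identity $mailbox |
    Select-Object Name, LitigationHoldEnabled, LitigationHoldDate,
        RecoverableItemsWarningQuota, RecoverableItemsQuota

# Raise the quotas for a mailbox expected to accumulate a lot of held data;
# reaching them logs an event in the Mailbox server's application log.
Set-Mailbox -Identity $mailbox `
    -RecoverableItemsWarningQuota 40GB `
    -RecoverableItemsQuota 50GB

# Periodic review: every mailbox currently on hold, with who set it
# (LitigationHoldOwner is an assumed property name).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    Select-Object Name, LitigationHoldDate, LitigationHoldOwner

# Lift the hold when the matter closes (same cmdlet, $false instead of $true).
# Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $false
```

Because a hold is transparent to the user, the review query at the end is the only routine way to notice holds that were never lifted, so it belongs alongside the Discovery Management membership check.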
Use the Power Wisely
As you can see, Exchange 2010 has powerful and user-friendly tools for searching and tracking users' email correspondence. However, these tools can be potentially dangerous if they're used by unauthorized people. In some scenarios, even administrators can be unauthorized, despite the fact that they have the technical ability to use this technology. In order to be sure this technology isn't misused, you should carefully monitor membership changes on the Discovery Management role group, as well as enforce restricted group membership through Group Policy. Also, be sure to partner with your legal and management teams to set search policies and criteria and to determine who you place in the Discovery Management role group.
Listing 1: Creating a Discovery Search Through EMS
New-MailboxSearch -Name "password sharing" `
  -StartDate "1/1/2009" -EndDate "12/31/2009" `
  -SourceMailboxes "Damir Dizdarevic" `
  -TargetMailbox "Discovery Search Mailbox" `
  -SearchQuery '"password" AND "confidential"' `
  -MessageTypes Email -IncludeUnsearchableItems