1.0 Purpose
Many of the scenarios exist when one may need to delete the emails from the user’s mailboxes but below are one from the most common scenarios in Organizations where email deletion from mailboxes may be needed:-
- Malicious Email
- Confidential Email sent to wrong recipients
- Need to remove an Email with Specific criteria from all/single mailboxes
Permission: - User performing this task must be member of the DL ‘Discovery Management’
Limitation: -
- This query can only return max 10,000 item for a single mailbox.
- Query for Exchange 2010 and 2013 mailboxes must be executed from Exchange Management of the respective server.
- Email can’t be permanently deleted from users on Litigation Hold. Deleted email will always remain in purge or version folder of that user’s store.
Ensure that the right email is being deleted. In case of any mistake, incorrect messages could be deleted. As an additional safeguard, first copy email to another mailbox by using the TargetMailbox and TargetFolder parameters. By doing this, we retain a copy of the deleted messages in case that is needed further.
3.1 Verify for Single Mailbox
Open Exchange PowerShell on Exchange 2013/2010 Server and run below command:-
This example searches mailbox for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment, It will copy message into SpoofEmail folder of mailbox specified in TargetMailbox.
Search-Mailbox -Identity
This example searches mailbox for the messages that contain the phrase "Email Maintenance" in Subject and sender isvirus@spam.au, It will copy the message into SpoofEmail folder target mailbox.
Search-Mailbox -Identity -SearchQuery “From:virus@spam.au and Subject:Email Maintenance” TargetMailbox -TargetFolder "SpoofEmail"
Note: - Refer Section 5.0 to Build Additional Search Query
3.2 Verify for multiple Mailbox
1) Copy Mailbox.txt on desktop of your user profile and put mailbox email address or Display name need to be queried.
2) Now run this command from Exchange Powershell :-
This example searches mailboxes mentioned in Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment, It will copy message into SpoofEmail folder of mailbox specified in TargetMailbox.
gc C:\Users\
4.0 Email Deletion
Once it is verified that correct email is being deleted and copy has been made for those emails. Run mentioned commands.
4.1 Deletion for Single Mailbox
Open Exchange PowerShell on Exchange 2013/2010 Server or connect to Exchange Online Powershell and run below command:-
This example searches mailbox for the messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment and deletes those email.
4.2 Deletion for Multiple Mailboxes
1) Copy Mailbox.txt on desktop of your user profile and put mailbox email address or Display name need to be queried.
2) Modify the parameter –SearchQuery according to the scenario then run command from Exchange Powershell :-
This example searches mailboxes mentioned in Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment.
gc C:\Users\
5.0 Building different Search Queries
# This example searches mailbox Test1 where messages that contain the phrase "Wire Transfer" in Body AND Subject is Money Transfer OR Address abc@test.com is in any of the field (To,CC,BCC,From), It will copy the message into SpoofEmail folder of Test2’s mailbox
Search-Mailbox –ID ‘Test1’ -SearchQuery {Body:"Wire Transfer" AND Subject:"Money Transfer" OR Participants:abc@test.com} -TargetMailbox Test2 -TargetFolder "SpoofEmail"
# This example searches mailbox Test1 where messages that contain the phrase "Email Maintenance" and sender isvirus@spam.au, It will copy the message into SpoofEmail folder of Test2 mailbox
Search-Mailbox –ID ‘test1’ -SearchQuery “From:virus@spam.au and Subject:Email Maintenance” -TargetMailbox Test2 -TargetFolder "SpoofEmail"
# This example searches mailboxes mentioned in Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment, It will logs the result in the SpoofEmail folder in the Test2 mailbox. Messages will be copied into target mailbox.
GC C:\Users\
Different Queries can be built with help of different properties and here is the sheet of searchable properties in Exchange, Please refer link
for more information.| Property | Property description | Examples | Search results returned by the examples |
|---|---|---|---|
Attachment
|
The names of files attached to an email message.
|
attachment:annualreport.ppt
attachment:annual*
|
Messages that have an attached file named annualreport.ppt.
In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment.
|
Bcc
|
The BCC field of an email message.
|
bcc:pilarp@contoso.com
bcc:pilarp
bcc:"Pilar Pinilla"
|
All examples return messages with Pilar Pinilla included in the Bcc field.
|
Category
|
The categories to search. Categories can be defined by users by using Outlook or Outlook Web App. The possible values are:
|
category:"Red Category"
|
Messages that have been assigned the red category in the source mailboxes.
|
Cc
|
The CC field of an email message.
|
cc:pilarp@contoso.com
cc:"Pilar Pinilla"
|
In both examples, messages with Pilar Pinilla specified in the CC field.
|
From
|
The sender of an email message.
|
from:pilarp@contoso.com
from:contoso.com
|
Messages sent by the specified user or sent from a specified domain.
|
Importance
|
The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low.
|
importance:high
importance:medium
importance:low
|
Messages that are marked as high importance, medium importance, or low importance.
|
Kind
|
The message type to search. Possible values:
|
kind:email
kind:email OR kind:im OR kind:voicemail
|
Email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria.
|
Participants
|
All the people fields in an email message; these fields are From, To, CC, and BCC.
|
participants:garthf@contoso.com
participants:contoso.com
|
Messages sent by or sent to garthf@contoso.com.
The second example returns all messages sent by or sent to a user in the contoso.com domain.
|
Received
|
The date that an email message was received by a recipient.
|
received:04/15/2014
received>=01/01/2014 AND received<=03/31/2014
|
Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014.
|
Recipients
|
All recipient fields in an email message; these fields are To, CC, and BCC.
|
recipients:garthf@contoso.com
recipients:contoso.com
|
Messages sent to garthf@contoso.com.
The second example returns messages sent to any recipient in the contoso.com domain.
|
Sent
|
The date that an email message was sent by the sender.
|
sent:07/01/2014
sent>=06/01/2014 AND sent<=07/01/2014
|
Messages that were sent on the specified date or sent within the specified date range.
|
Size
|
The size of an item, in bytes.
|
size>26214400
size:1..1048576
|
Messages larger than 25 MB.
The second example returns messages from 1 through 1,048,576 bytes (1 MB) in size.
|
Subject
|
The text in the subject line of an email message.
|
subject:"Quarterly Financials"
subject:northwind
|
Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line.
The second example returns all messages that contain the word northwind in the subject line.
|
To
|
The To field of an email message.
|
to:annb@contoso.com
to:annb
to:"Ann Beebe"
|
All examples return messages where Ann Beebe is specified in the To: line.
|
No comments:
Post a Comment