Search-Mailbox in Exchange 2013
The Search-Mailbox command is available in Exchange & cloud. Let’s look in detail at how it is used.
As the name suggests, Search-Mailbox is used to search mailboxes for items by properties such as date, subject, sender etc.
Below is an example that searches the mailboxes in a database for items sent by a user called “Charlie H” on 5-Jun-2015 with “Searching” in the subject (note that you can use the user’s email address instead of the user name).
Get-Mailbox -Database ImportantUsers -ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder "Search Results" -SearchQuery {Subject:"Searching" AND From:"Charlie@ispam.blah" AND Sent:"6/5/2015"} -LogOnly -LogLevel Full -SearchDumpster
This command creates a log of the discovered items in the specified target folder in the mailbox. It does not copy any items unless we remove the -LogOnly switch. If we remove -LogOnly, Exchange creates a folder in the target folder named after the searched mailbox, along with the date and time. It then copies all the discovered items and places them in sub-folders in the source mailbox.
We can also use the Search-Mailbox command to remove unwanted items from the user’s mailbox using the switch -DeleteContent. It is not recommended to remove any content unless you are very sure about the item that needs to be removed. To use -DeleteContent, the administrator account must have the special “Mailbox Import Export” Role-Based Access Control (RBAC) permission. You can create a new RBAC role and assign it to the list of admins who will be using this switch.
Here’s a command to add the permission:
New-ManagementRoleAssignment -Name "Access to use DeleteSwitch" -SecurityGroup "Organization Management" -Role "Mailbox Import Export"
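As an alternative to granting the role to all of Organization Management, the sketch below puts it in a dedicated role group and lists who effectively holds it. This is an added example, not from the original article; the group name "Mailbox Purge Operators" and the members admin1 and admin2 are hypothetical.

```powershell
# Added example: scope "Mailbox Import Export" to a small, dedicated role group.
# Group name and member aliases are hypothetical placeholders.
$GroupName = 'Mailbox Purge Operators'

New-RoleGroup -Name $GroupName `
    -Roles 'Mailbox Import Export' `
    -Members admin1, admin2 `
    -Description 'May run Search-Mailbox -DeleteContent'

# Review every user who effectively holds the role, and through which assignee.
# Run this periodically: each entry here can delete mail from any mailbox in scope.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod -AutoSize

# When a clean-up is finished, take the operator back out of the group.
Remove-RoleGroupMember -Identity $GroupName -Member admin1
```

A new role assignment only takes effect in a new Exchange Management Shell session.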
Once we have sufficient permission to use the -DeleteContent switch, we can use the command below to delete content:
Get-Mailbox -Database ImportantUsers -ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder "Search Results" -SearchQuery {Subject:"Searching" AND From:"Charlie H" AND Sent:"6/5/2015"} -DeleteContent -LogLevel Full -SearchDumpster
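A staged way to run the same search before anything is deleted, as an added example that is not from the original article: estimate, log, then delete with a copy kept in the target mailbox. The database, mailbox and folder names are the article's placeholders; the $MaxItems limit is an assumption.

```powershell
# Added example: estimate -> log -> delete, stopping if the query matches too much.
$Query     = 'Subject:"Searching" AND From:"Charlie@ispam.blah" AND Sent:"6/5/2015"'
$Target    = 'AdminSearchMailbox'
$MaxItems  = 500     # assumed safety limit; pick one that fits the incident
$Mailboxes = Get-Mailbox -Database ImportantUsers -ResultSize Unlimited

# Stage 1: count matches only. Nothing is copied, logged or deleted.
$Estimate = $Mailboxes | Search-Mailbox -SearchQuery $Query -EstimateResultOnly -SearchDumpster
$Hits     = @($Estimate | Where-Object { $_.ResultItemsCount -gt 0 })
$Total    = ($Hits | Measure-Object -Property ResultItemsCount -Sum).Sum

$Hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

if (-not $Hits) {
    Write-Host 'No matching items; nothing to do.'
    return
}
if ($Total -gt $MaxItems) {
    # A broad query plus -DeleteContent removes legitimate mail; stop and narrow it.
    throw "Query matches $Total items (limit $MaxItems). Tighten the query before deleting."
}

# Stage 2: write a full log of the matches to the target mailbox and review it.
$Mailboxes | Search-Mailbox -SearchQuery $Query -TargetMailbox $Target `
    -TargetFolder 'Search Results' -LogOnly -LogLevel Full -SearchDumpster

# Stage 3: delete. Because a target mailbox is given, items are copied there
# before removal. -Force is left out on purpose so the cmdlet asks for confirmation.
$Mailboxes | Search-Mailbox -SearchQuery $Query -TargetMailbox $Target `
    -TargetFolder 'Search Results' -DeleteContent -LogLevel Full -SearchDumpster
```

Run stage 3 only after reading the log produced by stage 2.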
If you have the email address of the spammer:
Get-Mailbox -Server MBX -ResultSize Unlimited | Search-Mailbox -SearchQuery "Received:>$('07/18/2014') AND From:jean-benoit.ngoyi@ecole.enen.fr" -TargetMailbox eDiscovery -TargetFolder "Spam_july2014" -LogLevel Full -DeleteContent -Force
Get-Mailbox -ResultSize Unlimited -Server MBX | Search-Mailbox -SearchQuery "Received:>$('09/24/2014') AND From:dcwhispers@hushf.ai" -TargetMailbox eDiscovery -TargetFolder "Spam_Sept2014" -LogLevel Full -DeleteContent -Force
Get-Mailbox -ResultSize Unlimited -Server MBX | Search-Mailbox -SearchQuery "Received:>$('09/24/2014') AND From:dcwhispers@hushf.ai" -TargetMailbox "DiscoverySearchMailbox{D911BA05-46A6-415f-80AD-7E08774BB852}" -TargetFolder "Spam_Sept2014" -LogLevel Full -DeleteContent -Force
Get-Mailbox -Server MBX -ResultSize Unlimited | Search-Mailbox -SearchQuery "Received:>$('06/18/2014') AND From:h.ce1@myxxxxxx.com AND Subject:`"Your Lottery Results`"" -TargetMailbox eDiscovery -TargetFolder "Spam_june2014" -LogLevel Full -DeleteContent -Force
Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where {$_.FromAddress -eq "theo.arm@spamit.com"} | Remove-Message -WithNDR $True
If you have the email address and subject:
Get-Mailbox -Server MBX -ResultSize Unlimited | Search-Mailbox -SearchQuery "Received:>$('11/30/2014') AND From:dma1@toender.dk AND Subject:`"EMAIL UPGRADE`"" -TargetMailbox resource2058 -TargetFolder "SearchAndDeleteLog6" -LogLevel Full -DeleteContent -Force
Get-Mailbox -Server MBX -ResultSize Unlimited | Search-Mailbox -SearchQuery "Received:>$('11/30/2014') AND From:dma1@toender.dk AND Subject:`"EMAIL UPGRADE`"" -TargetMailbox "DiscoverySearchMailbox{D911EA05-46A6-415f-80AD-7E09334BB852}" -TargetFolder "Spam_Dec2014" -LogLevel Full -DeleteContent -Force
Get-Mailbox -Server MBX -ResultSize Unlimited | Search-Mailbox -SearchQuery "Received:>$('11/30/2014') AND From:dma1@toender.dk AND Subject:`"EMAIL UPGRADE`"" -TargetMailbox "eDiscovery" -TargetFolder "Spam_Dec2014" -LogLevel Full -DeleteContent -Force
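Save this as a PS1 file:
# Prompt for the search terms and for the mailbox that will receive the log
$Subject = Read-Host "Enter the Subject"
$Sender = Read-Host "Enter the sender email ID"
$LoggingMailbox = Read-Host "Mailbox alias to send the Log"
# The file lists one mailbox identity per line; -LogOnly logs matches without copying or deleting
Get-Content "c:\ratish\scripts\users.csv" | Get-Mailbox | Search-Mailbox -SearchQuery "Subject:`"$Subject`" AND From:$Sender" -LogOnly -LogLevel Full -TargetMailbox $LoggingMailbox -TargetFolder "SPAM"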
Ratish Nair
Microsoft MVP | Exchange Server
Team @MSExchangeGuru.com
September 21st, 2016 at 8:05 am
Dear Ratish Nair,
I have an on prem Exchange 2013 CU13 server and the search-mailbox command is not working. Technet says the search-mailbox command is included in Exchange 2016.
https://technet.microsoft.com/en-us/library/dd298173(v=exchg.160).aspx
Regards,
Menno Broxterman
September 21st, 2016 at 1:10 pm
You need to be a member of the “Mailbox Import Export” role group in the permissions to run this command.