MSExchangeGuru.com

This document is the guide to do the emails discovery on the litigation hold mailboxes. This is a very handy feature of exchange 2010 which is a plus for security and HR team. The search eases the investigation by the accurate search result for investigation which saves a lot of time of the investigator. The most important fact we should know is about the below differences:

1. Deletions   Items removed from the Deleted Items folder or soft deleted from other folders are moved to the Deletions subfolder and are visible to the user when using the Recover Deleted Items feature in Outlook. By default, items reside in this folder until the deleted item retention period configured for the mailbox expires.
   
2. Purges   When a user deletes an item from the Recoverable Items folder (by using the Recover Deleted Items tool in Outlook or Outlook Web App), the item is moved to the Purges folder. Items that exceed the deleted item retention period configured on the mailbox database or the mailbox are also moved to the Purges folder. Items in this folder aren’t visible to users if they use the Recover Deleted Items tool. When the mailbox assistant processes the mailbox, items in the Purges folder are purged from the mailbox database. When you place the mailbox user on litigation hold, the mailbox assistant doesn’t purge items in this folder.
   
3. Versions   In Exchange 2010, when a user who is placed on litigation hold changes specific properties of a mailbox item, the original item is preserved to meet discovery obligations. A copy of the original mailbox item is created before the changed item is written. The original copy is saved in the Versions folder. This process is known as copy on write. Copy on write applies to items residing in any mailbox folder. The Versions folder isn’t visible to users.
   

   1. Assign the Rights to Create a Search Query
      

This is a one-time step that needs to be performed to give someone the rights to create a search query.  By default, NO ONE in the organization, including the Exchange Administrator, has the rights to create search queries.  However, even though the Exchange Administrator doesn’t have the right to create a search query, the Exchange Administrator can go into the Exchange Control Panel and give themself (and anyone else) rights to create the query.

To assign the rights to create a search query, do the following:

1.  Logon to Outlook WebApp with a user that has administrator rights (just like you are logging in to check your email).

2.  On the upper right corner, select “Options” and “See All Options”

Or

We can access ECP directly at https://owaurl/ecp

3.  In the upper left corner, select “Manage” “My Organization”

4.  In the Roles & Auditing / Administrator Roles section, select the “Discovery Management” role and click on “Details”

5.  In the Discovery Management details, under “Members”, add the person (or people) in your organization that you want to have the ability to create Search Queries as well as be able to put mailboxes on Litigation Hold, then click Save.

If we need to remove any user from discovery management then select the user and click remove then save.

This individual (or individuals) now have the ability to go to Step 3 to create and initiate a Search query (and put someone’s mailbox on Litigation Hold)

1. Create and Initiate a Search Query
   

The next step is to have the individual who has the right to create a query (the person in e-Discovery Step 1) to actually create a query.  The process is as follows:

1.  Logon to Outlook WebApp with a user who was given Discovery management rights from e-Discovery Step 1 (just like the user is logging in to check their email)

2.  On the upper right corner, select “Options” and “See All Options”

Or

We can access ECP directly at https://owaurl/ecp

3.  In the upper left corner, select “Manage” “My Organization”

4.  In the Mail Control / Discovery section, under the Multi-Mailbox Search section, click on “New” to create a new search query

5.  For the Search Query, enter in the keywords you want to search for:

 6.  In the Keywords section, click on the “Select message types…” and typically select “Search all messages types including one that may not be listed below” so that EVERYTHING is returned in the search results including email messages, posts, calendar appointments, notes, tasks, etc.  (by default, only “E-mail” is selected, thus Notes, tasks, IM Conversations, etc are skipped, which is usually not a good search result, so likely Search all message types)

7. In the Message from and to/cc/bcc we can type email addresses if we are searching for specific email address emails else we can leave them blank.

Date Range, we have to select the required range of date or select don’t limit the search by time range. If there is no date mention then it will search the mailbox till today from the date of creation.

8. In the “Mailboxes to Search” section, Add the mailbox/es that you wish to be searched and click OK

9. In the “Search Name Type, and Storage Location”, enter in a name of the search (something that will help you remember what this search is about, such as “Ticket number” or “UserId” or Date.  Select the “Copy the search results to the destination mailbox”.

Check the “Enable deduplication” when are doing for one mailbox and uncheck when you are doing for multiple mailbox and Enable Logging then select mailbox in which to store the search results as “DiscoverySearchMailbox” or any other mailbox (this is a recommended approach as to create a temporary mailbox and delete with TT closure) which is enabled for discovery from powershell.

To create a new dedicated mailbox for a Discovery Search we can run the following cmdlet:

It will be a good to have all Search mailboxes in a dedicated database because they will be huge in size so that we can configure short retention for this DB and keep it out of DAG.

“New-Mailbox NewDiscoverymbxmailnickname -Discovery –UserPrincipalName mailnickname@domainname.com”

Note: Once mailbox is created, we need to ensure that the non-system inherited permissions are removed (use EMC – Manage Full Access), e.g BESAdmin. We also need to add the account we require with Full Access same as primary discovery search mailbox.

note: while choosing to Enable deduplication saves space, you don’t end up with the key results in ALL mailboxes, and thus if you are searching in 7 different mailboxes, there’s only 1 copy of the message which isn’t good for true discovery.  If you are concerned about disk space, click on the “Estimate the search results” and run the estimate first to see how much space is needed which merely comes up with an estimate number and does not actually extract any information).  However, if you are good to start the search, then click on Save.

10.  The search (or estimate) will begin as soon as you click Save and dependent on how much information is being searched could take a few seconds or could take an hour.

In the Discovery page, you will see the search query noted.  Remember, this is a WebPage, so the page won’t automatically refresh with an update on the %-age of completion, so click on the Refresh icon periodically to see whether the search has “completed” or the %-age of the search.

11.  At any point, you can highlight the search query, click on the Details option, and change the keywords on the query.  Click the “Start Search” option to begin the new search, and remember to periodically click the refresh button option to check the status.

Once the Search has been Successful, we can give manage full permission to manage the discovery to any client user who is from security team

1. Grant and removing access to Search results:
   

Before granting the permission to any user, please ensure HR or Security team has approved it.

Open Exchange Management console à recipient configuration à right click and select find à then search for “discovery search mailbox” à right click on “discovery search mailbox” and select “Manage full access permission”. We will see the below screen shot.

1. Granting access
   

Click on + here and add the user then click on manage.

1. Removing access
   

Select the user and click on red x to remove the user then click on manage.

But sometimes this does not work or take time to give permission.

If this is not working then add the user to the discovery management as the heading 2 “Assign the Rights to Create a Search Query”

1. To restore items to a user’s mailbox from the Discovery Search mailbox:
   

Step 1 Assign the permission:

Add and remove sendas permission to the account on source and destination mailbox to export the mails to the user mailbox or PST using EMC.

Open Exchange Management console à recipient configuration à right click and select find à then search for “discovery search mailbox” à right click on “discovery search mailbox” and select “Manage Send As permission”. We will see the below screen shot.

1. Granting access
   

Click on + here and add the user then click on manage.

1. Removing access
   

Select the user and click on red x to remove the user then click on manage.

    OR

We can assign permission to a user for import and export of the emails using the below cmdlet:

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User “<username>”

Step 2 Export the emails

Now we can run the below cmdlet to export to the user mailbox.

“Search-Mailbox “Discoverynnnnnn” -SearchQuery <search query> -TargetMailbox <user> -TargetFolder Restorefoldername”

Or

Export the emails to PST using following cmdlet. This cmd only works with the file share:

New-MailboxExportRequest -Mailbox “Discovery Search Mailbox” –FilePath “servernamesharefoldernamepstname.pst” -SourceRootFolder “SearchQueryname” –verborse

1. Removing new discovery search mailbox
   

To remove 2^nd discovery mailbox run the following cmdlet

Remove-mailbox –identity “mailnickname of the 2^nd discovery search mailbox”

Prabhat Nigam (Wizkid)
Team@ MSExchangeGuru

Posted June 27th, 2012 under Exchange 2010, Exchange Tools. RSS 2.0 feed. Leave a response, or trackback.