Search For and Delete Messages from Users' Mailboxes

[This topic is in progress.]  

Applies to: Office 365 for enterprises, Live@edu

Topic last modified: 2011-11-23

From time to time, administrators need to search for and delete inappropriate or potentially harmful e-mail messages sent to multiple mailboxes across their organization. For example, e-mail messages can contain viruses or links to download a virus, inappropriate content, such as adult-related material, or confidential information that was accidentally sent to the wrong people.

You can't use Multi-Mailbox Search in the Exchange Control Panel for this purpose, but, in Windows PowerShell, you can do it, using the Search-Mailbox cmdlet with the DeleteContent switch parameter.

Important   When you use the Search-Mailbox cmdlet with the DeleteContent parameter, messages are permanently deleted from the user's mailbox and can't be recovered.

Before you begin

UNRESOLVED_TOKEN_VAL(<rte:TA_RPSBeforeYouBegin>)

Assign the required RBAC roles

You have to be assigned the following roles to search for and delete messages in users' mailboxes:

  • Mailbox Search   This role allows you to search for messages across multiple mailboxes in your organization. Administrators aren't assigned this role by default. To search multiple mailboxes, add yourself as a member of the Discovery Management role group. See Add or Remove Role Group Members.

  • Mailbox Import Export   This role allows you to delete messages from a user's mailbox. This role isn't assigned to administrators by default. To delete messages from users' mailboxes, add the Mailbox Import Export role to the Organization Management role group. See Edit Role Group Properties.

Collect information for the search query

You need to obtain and review a few copies of the infected or inappropriate message so you can create a search query that will find it.

Top of page

Search and delete options

You can use the Search-Mailbox cmdlet with the DeleteContent parameter to search for and delete messages in one step. However, when you do this, you can't preview the search results or generate a log that records which messages were returned by the search. This means you won't know which messages were deleted.

A better option is to first run the Search-Mailbox cmdlet with the LogOnly parameter. This command generates a log that contains information about all the results that meet the search criteria but it doesn't delete the messages. This information is provided in a comma-separated value (CSV) file that is attached to an e-mail message sent to the mailbox and folder you define by using the TargetMailbox and TargetFolder parameters with the Search-Mailbox cmdlet. After you review the log, you can refine the search criteria and rerun a log-only search as needed, or run the search with the DeleteContent parameter.

A third option is to first copy the offending message before you delete it from the user's mailbox so you can access it later if necessary. Do this by including the TargetMailbox and TargetFolder parameters in the command that you run to delete the message.

Top of page

Search for messages and log the search results

Let's walk through some examples of what you can do with the Search-Mailbox cmdlet. For a list of the message properties that you can include in the value for the SearchQuery parameter, see E-mail message properties to search.

Search a single mailbox

The following command searches a specific mailbox in your organization for messages with a specific value in the Subject line and then sends a message with the results to the target mailbox. Messages aren't deleted from the mailbox that is searched.

Search-Mailbox -Identity <name> -SearchQuery subject:"<verbatim subject line>" -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full

Example   The following command searches Pilar Pinilla's mailbox for messages that have the phrase Download this file in the Subject field and logs the search results in the SearchLogs folder in the administrator's mailbox.

Search-Mailbox -Identity "Pillar Pinilla" -SearchQuery subject:"Download this file" -TargetMailbox Administrator -TargetFolder SearchLogs -LogOnly -LogLevel Full
Search all mailboxes

The following command searches all mailboxes in your organization for messages that have a specific file attached and then sends a message with the results to the target mailbox. Messages aren't deleted from the mailboxes searched.

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:<filename> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full

Example   The following command searches all mailboxes for messages that have any type of attached file named Trojan and sends a log message to the administrator's mailbox.

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:trojan* -TargetMailbox Administrator -TargetFolder SearchLogs -LogOnly -LogLevel Full

Top of page

Search for and delete messages

The following command searches all mailboxes and deletes any message that has specific text in the Subject line:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:<verbatim subject line> -DeleteContent

Example   The following command searches all the mailboxes for messages with the subject line Download this file, and then permanently deletes them.

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:"Download this file" -DeleteContent

Important   Before you permanently delete messages, we recommend that you either use the LogOnly parameter to generate a log of the messages found in the search before they're deleted, or copy the messages to another mailbox before deleting them from the source mailbox.

Copy a message before deleting it

The following command searches all mailboxes for any message that has specific text in the Subject line, copies the actual search results to a folder, and then deletes all the messages that meet the search criteria.

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:<verbatim subject line> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -DeleteContent

Example   The following command searches all mailboxes for messages with the subject line Download this file, copies the search results to the DeletedMessages folder in the administrator's mailbox, and then permanently deletes the messages from users' mailboxes.

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:"Download this file" -TargetMailbox Administrator -TargetFolder DeletedMessages -DeleteContent

Top of page

E-mail message properties to search

The following table lists common message properties that you can include in the value for the SearchQuery parameter.

 

Property Example Search results

Attachments

attachment:annualreport.ppt

Messages that have an attachment that is named annualreport.ppt. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment.

Cc

cc:"gurinder singh"

cc:gurinders

cc: gurinders@fineartschool.edu

Messages with Gurinder Singh in the Cc field

From

from:"Max Stevens"

from:maxs

from:maxs@contoso.com

Messages sent by Max Stevens

Sent

sent:10/19/2010

Messages that were sent on October 19, 2010

Subject

subject:"Quarterly Financials"

Messages that contain the exact phrase "Quarterly Financials" in the subject line

To

to:"Judy Lew"

to:judyl

to:judyl@contoso.com

Messages sent to Judy Lew

 
Related help topics
Loading...
No resources were found.