Search-Mailbox: How to Find and Delete Email from Exchange User Mailboxes

An Exchange server permits an administrator to search person mailboxes within the databases and delete sure emails (or different gadgets) from the mailboxes. For instance, a person has unintentionally despatched personal knowledge to different customers in an organization and couldn’t recall this electronic mail in Outlook in time. The data safety division requires that you just because the Exchange administrator delete this electronic mail from all person’s mailboxes in your Exchange group. In this text we’ll present how to use EnergyShell to search the Exchange person mailboxes (by totally different standards) and delete sure emails from the mailbox of the precise person or all Exchange customers. The strategies described under are relevant to Exchange 2016, 2013 and 2010.

How to Assign Permissions to Search by way of Exchange Mailboxes?

The following roles have to be assigned to the administrator account who searches for and deletes mailbox gadgets:

  • Mailbox Import Export
  • Mailbox Search

You can assign the roles utilizing EAC or these EnergyShell instructions:

New-ManagementRoleAssignment -User j.anderson -Role "Mailbox Import Export"
New-ManagementRoleAssignment -User j.anderson -Role "Mailbox Search”

exchange roles: Mailbox Import Export, Mailbox Search

After the roles have been assigned, restart the Exchange Management Shell console.

Using the Search-Mailbox to Search & Delete Messages from Exchange User Mailboxes

You may also seek for electronic mail gadgets within the person mailboxes utilizing the Exchange Control Panel or Exchange Admin Center, however this search methodology is sort of gradual and doesn’t permit you to take away electronic mail messages. It is way simpler to search utilizing EnergyShell.

To search electronic mail gadgets in person mailboxes, you should utilize the Search-Mailbox cmdlet that enables you to search gadgets that meet sure standards in all or particular mailboxes, copy the discovered gadgets to one other mailbox or take away them.

First of all, let’s think about, how to discover one thing utilizing the Search-Mailbox cmdlet.
To search a mailbox for gadgets with a selected topic, run this command:
Search-Mailbox -Identity okay.peterson -SearchQuery 'Subject:"Annual Report"'
To search all mailboxes within the Exchange group, use the next command:
Get-Mailbox -ConsequenceSize limitless | Search-Mailbox -SearchQuery 'Subject:"Annual Report"'

To copy the search outcomes to a sure mailbox and folder, use the GoalMailbox or TargetFolder parameters. Thus, after the search is accomplished, you possibly can view the discovered gadgets manually utilizing Outlook or OWA. Suppose you want to seek for electronic mail messages in checklist of customers (given in customers.txt) and copy the discovered gadgets to the folder within the particular mailbox. To do it, run this command:

get-content customers.txt | Get-Mailbox -ConsequenceSize limitless | Search-Mailbox -SearchQuery 'Subject:"Annual Report"' -GoalMailbox sec_dept -TargetFolder "ExchSearchConsequence”

The –LogOnly parameter implies that search outcomes should solely be estimated with out copying gadgets to a goal mailbox or deleting the messages. If this argument is used, a report containing the search outcomes will probably be despatched to the desired goal mailbox. A report is an archived CSV file that lists mailboxes assembly the search standards.

You can estimate the search outcomes utilizing the –EstimateResultOnly parameter. Please, notice that when utilizing this argument you don’t want to specify a goal mailbox or folder.

To take away the discovered electronic mail gadgets, use the –DeleteContent material parameter, and to skip affirmation requests to delete gadgets, add the –Force parameter.

Let’s delete all electronic mail messages from the sender [email protected] in all mailboxes on the precise Exchange server:

Get-Mailbox –Server berl-ex1 –ConsequenceSize limitless | Search-Mailbox -SearchQuery 'from:"[email protected]"' –DeleteContent material –Force

Prior to deleting messages from mailboxes utilizing the -DeleteContent material parameter, we strongly advocate to look by way of the discovered emails utilizing the -EstimateResultOnly or –LogOnly arguments.

Get-Mailbox: DeleteContent parameter

To search solely amongst deleted components, add the –SearchDumpsterOnly parameter (to exclude search among the many deleted gadgets, add the -SearchDumpster:$false argument). If you want to exclude from the search outcome an archive mailbox, use the –DoNotIncludeArchive parameter.

Search-Mailbox: Search Query Examples

Let’s think about the examples of search queries to discover electronic mail messages utilizing the SearchQuery parameter. The SearchQuery key processes queries within the KQL (Keyword Query Language) —

To take away all electronic mail messages containing the key phrase “Secret” within the topic of the emails from all customers not from your area:

Search-Mailbox -Identity okay.peterson -SearchQuery 'Subject:"Secret" and from<>””' -DeleteContent material

Find and delete all emails with the exceeding 20 MB:

Search-Mailbox -Identity okay.peterson -SearchQuery 'hasattachment:true AND Size >20971520' –DeleteContent material

Tip. The measurement of the e-mail gadgets is laid out in bytes, and the scale of the entire message is counted, not solely the attachments. You may also specify the scale in megabytes, and on this case the next syntax is used: -SearchQuery .

You can concurrently seek for the textual content within the topic and physique of the e-mail. For instance, let’s discover and delete all messages containing “New Year” within the topic or “brandy” within the electronic mail physique.

Search-Mailbox okay.peterson -SearchQuery -DeleteContent material -Force

You can search the mailboxes for sure components utilizing Kind argument, for instance:

Meetings: -SearchQuery "Kind:conferences"
Contacts: -SearchQuery "Kind:contacts"

Or different Outlook components:

  • Email
  • Meetings
  • Tasks
  • Notes
  • Docs
  • Journals
  • Contacts
  • IM

Searching emails by the precise recipient or sender:

-SearchQuery 'from:"[email protected]" AND to:"[email protected]"'

You can search messages with the precise file as an attachment:

-SearchQuery 'attachment:"annual_report2018.pdf"'

Or by file sort:

-SearchQuery 'attachment -like:"*.docx"'

You can search by ship/receipt date, however there are some nuances. When utilizing a date as a search criterion, you should think about the regional settings of your Exchange server. For instance, April 10, 2019 could also be laid out in one of many following methods:

  • 10/04/2019
  • 04/10/2019
  • 10-Apr-2019
  • 10/April/2019

And for those who see the error “The KQL parser threw an exception…” when operating Search-Mailbox command, it means that you’re utilizing the improper date format.

To seek for emails despatched on a selected day, use this question:

-SearchQuery despatched:04/10/2019

If you want to specify the vary of dates (you might be searching for the messages obtained within the specified time interval):


Here is one other instance. Let’s search the e-mails obtained earlier than May 9:


Search-Mailbox Cmdlet Restrictions

The Search-Mailbox cmdlet has a major limitation: it will probably return solely 10,000 components. If this restrict is exceeded it can return the error:

Sending knowledge to a distant command failed with the next error message: The complete knowledge obtained from the distant shopper exceeded allowed most. Allowed most is 524288000.

Search-Mailbox The total data received from the remote client exceeded allowed maximum

In order to delete extra electronic mail gadgets, you should have to run Search-Mailbox cmdlet a number of occasions or break up the mailboxes into teams by mailbox databases or Exchange servers.

Get-Mailbox -Database berl-ex1 | Search-Mailbox –SearchQuery 'from:[email protected]' -DeleteContent material –Force

Another Search-Mailbox drawback is its low efficiency. In case of a big firm, the search could final for a number of days.

How to Quickly Find and Delete EMails in Exchange 2016 Using New-ComplianceSearch?

In Exchange 2016, a brand new approach appeared that enables you to shortly discover and delete electronic mail messages in person mailboxes.

Using these instructions, you possibly can considerably slim the search space:

New-ComplianceSearch -Name QuickSearch1 -ExchangeLocation all -ContentMatchQuery 'from:"[email protected]"'
Start-ComplianceSearch -Identity QuickSearch1

These instructions search by way of a number of thousand mailboxes for some minutes.

Next you want to get the checklist of mailboxes that meet the search standards:

$search = Get-ComplianceSearch –Identity QuickSearch1
$outcomes = $search.SuccessResults
$mbxs = @()
$traces = $outcomes -split '[rn]+'
foreach ($line in $traces)

Now you possibly can take away emails utilizing the Search-Mailbox cmdlet solely within the discovered mailboxes:

$mbxs | Get-Mailbox| Search-Mailbox -SearchQuery 'from:"[email protected]"' -DeleteContent material –Force

The complete search and delete time is decreased a number of occasions, particularly in massive corporations.

Now you possibly can delete the search outcomes:

Remove-ComplianceSearch –Identity QuickSearch1

Check Also

How to Enable and Configure MPIO on Windows Server 2016/2012R2?

In this text we’ll contemplate how to set up and configure MPIO on Windows Server …

Leave a Reply

Your email address will not be published. Required fields are marked *