Every Microsoft Exchange Server administrator has met, or will meet, a situation where a specific email has to be found in users' mailboxes, and sometimes removed as well.
In Microsoft Exchange 2010 we can use the Search-Mailbox command to search mailboxes.
But first make sure that we can run the command Search-Mailbox and
If you try to run New-MailboxImportRequest and receive the message:
“The term ‘New-MailboxImportRequest’ is not recognized as the name of a cmdlet”
this means that we do not have the appropriate access rights.
Granting the appropriate permissions:
In Active Directory, create a universal security group, for example ExchangeImportExport_Allowed.
Then, in the EMS (Exchange Management Shell), assign the appropriate RBAC role to this group as follows:
New-ManagementRoleAssignment -Name "Import Export Mailbox Admins" -SecurityGroup "ExchangeImportExport_Allowed" -Role "Mailbox Import Export"
Description of the Search-Mailbox command:
Remember that if you use Search-Mailbox with the option to delete the found messages without copying them to another mailbox, the messages are permanently deleted.
The three main search options:
- DeleteContent – use this parameter to delete from the mailbox the messages that meet the conditions specified in the Search-Mailbox command. No log of the deleted messages will be available.
- LogOnly – this parameter logs information about the messages that were found; the log is saved to a .csv file and sent as an attachment to the mailbox defined in the Search-Mailbox command.
- Copy emails – the TargetMailbox and TargetFolder parameters copy all found messages to the specified folder in the specified mailbox.
Examples of use:
Search a single mailbox for a specific email subject; no email is deleted, and only the search results are saved in the target mailbox:
Search-Mailbox -Identity <name> -SearchQuery 'subject:"some subject"' -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full
Search-Mailbox -Identity "John Smith" -SearchQuery 'subject:"Important message"' -TargetMailbox Administrator -TargetFolder SearchLogs -LogOnly -LogLevel Full
Search all mailboxes for emails with a specified attachment; the search results are saved to the target mailbox:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:<filename> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:virus* -TargetMailbox Administrator -TargetFolder SearchLogs -LogOnly -LogLevel Full
Search all mailboxes and permanently delete all emails with a specified subject:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'subject:"<subject line>"' -DeleteContent
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'subject:"Download this file"' -DeleteContent
Search all mailboxes and copy all results to the target mailbox before deleting them:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'subject:"<subject line>"' -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -DeleteContent
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'subject:"Download this file"' -TargetMailbox Administrator -TargetFolder DeletedMessages -DeleteContent
Search for and remove all messages with a specified sender and a specified subject:
Get-Mailbox -Identity "John Smith" | Search-Mailbox -SearchQuery 'subject:"This is SPAM!" AND from:"email@example.com"' -DeleteContent
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'subject:"This is SPAM!" AND from:"firstname.lastname@example.org"' -DeleteContent
To search for and remove messages received or sent between dates:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery "Sent:> $('2011-12-31') AND Sent:< $('2012-06-01')" -Confirm:$false -Force -TargetMailbox "targetuser" -TargetFolder "SearchAndDeleteLog" -LogLevel Full -DeleteContent
Search-Mailbox -Identity somemailbox -SearchQuery "Received:<$((Get-Date).AddDays(-2).ToString('MM/dd/yyyy'))" -DeleteContent
Search-Mailbox -Identity "mailbox_name" -SearchQuery "Received:> $('10/01/2012') AND Received:< $('10/05/2012')" -DeleteContent
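The searches above can be chained into a staged purge: estimate, log, then copy and delete. This is an added example, not part of the original post; the query, the evidence mailbox and folder, and the $maxItems limit are assumed placeholder values.

```powershell
# Added example: staged purge of an unwanted message across all mailboxes.
# Query, evidence mailbox/folder and threshold below are placeholders.
# Single quotes outside keep the inner double quotes, so Exchange receives
# the subject as one exact phrase instead of separate keywords.
$query       = 'subject:"Download this file" AND from:"email@example.com"'
$evidenceMbx = 'Administrator'
$evidenceDir = 'Purge-' + (Get-Date -Format 'yyyyMMdd-HHmm')
$maxItems    = 500   # assumed sanity limit; more hits suggests an over-broad query

# Stage 1: count matches per mailbox. Nothing is copied or deleted.
$estimate = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly
$hits  = @($estimate | Where-Object { $_.ResultItemsCount -gt 0 })
$total = ($hits | Measure-Object -Property ResultItemsCount -Sum).Sum

if ($hits.Count -eq 0) { Write-Host 'No matching messages.'; return }

$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

if ($total -gt $maxItems) {
    throw "Query matched $total items (limit $maxItems). Refine it before deleting."
}

# Stage 2: send a full CSV log of the matches to the evidence mailbox.
foreach ($hit in $hits) {
    Search-Mailbox -Identity ([string]$hit.Identity) -SearchQuery $query `
        -TargetMailbox $evidenceMbx -TargetFolder $evidenceDir `
        -LogOnly -LogLevel Full | Out-Null
}

# Stage 3: copy the messages to the evidence mailbox, then delete them.
# The cmdlet's own confirmation prompt is left enabled on purpose.
$answer = Read-Host "Delete $total items from $($hits.Count) mailboxes? Type YES"
if ($answer -ceq 'YES') {
    foreach ($hit in $hits) {
        Search-Mailbox -Identity ([string]$hit.Identity) -SearchQuery $query `
            -TargetMailbox $evidenceMbx -TargetFolder $evidenceDir `
            -LogLevel Full -DeleteContent
    }
}
```

Run it from the Exchange Management Shell with an account that holds the role assigned earlier; the evidence mailbox itself cannot be one of the searched mailboxes.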
The following table lists common message properties that you can include in the value for the SearchQuery parameter.
| Property | Example | Search results |
|---|---|---|
| Attachments | attachment:annualreport.ppt | Messages that have an attachment that is named annualreport.ppt. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment. |
| Cc | cc:"gurinder singh", cc:gurinders, cc:email@example.com | Messages with Gurinder Singh in the Cc field |
| From | from:"Max Stevens", from:maxs, from:firstname.lastname@example.org | Messages sent by Max Stevens |
| Sent | sent:10/19/2010 | Messages that were sent on October 19, 2010 |
| Subject | subject:"Quarterly Financials" | Messages that contain the exact phrase "Quarterly Financials" in the subject line |
| To | to:"Judy Lew", to:judyl, to:email@example.com | Messages sent to Judy Lew |
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment: -TargetMailbox -TargetFolder -LogOnly -LogLevel Full
Are you sure it works?
“attachment:” I can’t find any info to say that it works…
and in my environment it also does not work
Yes, it works; you need to specify the name of the attachment
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Attachment:"some.pdf"' -TargetMailbox usermbx -TargetFolder PDFAttachments -LogOnly -LogLevel Full
or try this one:
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Attachment:"some.pdf"' -TargetMailbox "usermbx" -TargetFolder "PDFAttachments" -LogOnly -LogLevel Full
more information you can find here:
Thanks for listing the common message properties, it helped me. Do you know where to find a full list? For example, when I try to use search-mailbox with the “-searchdumpsteronly” switch, I would like to avoid pulling in all the old meeting notices and only pull in the message types. Is there a way to use the search-query to only pull the IPM.Note class items? I use this frequently to restore mailboxes from the purges folder, but I don’t want to restore calendar items.