ExchangeBlog » Articles » Search-Mailbox search and remove emails

Search-Mailbox search and remove emails

  By Remigiusz Szatkowski | 03/09/2012 - 20:59 | , ,

This post is also available in: Polish

Each administrator of the Microsoft Exchange Server had certainly met or will meet with a situation where you have to find a specific email in the mailboxes, and sometimes even remove it.

In Microsoft Exchange 2010 to search mailboxes, we can successfully use the Search-Mailbox command.

But first make sure that we can run the command Mailbox-Search and
New-MailboxImportRequest.
If you try to run the New-MailboxImportRequest and reveive the message:

 “The term ‘New-MailboxImportRequest’ is not recognized as the name of a cmdlet”

 

This means that we do not have appropriate access rights.

Giving the appropriate permissions:

In Active Directory, create a universal security group such ExchangeImportExport_Allowed

Then in the EMS (Exchange Management Shell) give the appropriate roles (RBAC), this group as follows:

New-ManagementRoleAssignment -Name "Import Export Mailbox Admins" -SecurityGroup "*ExchangeImportExport_Allowed*" -Role "Mailbox Import Export"

 

Description of Search-Mailbox command:

Search-Mailbox

We must remember that if you use Search-Mailbox command with the option to remove the found message without copying them to another mailbox if the messages are permanently deleted.

The main three search options:

  1. DeleteContent – use this parameter to delete from the mailbox messages that meet the conditions specified in the command Search-Mailbox. We will not have access to any log messages that were deleted.
  2. LogOnly – using this parameter causes logging of information about messages that have been found, the log is saved in a file. csv, and is sent as an attachment for a mailbox defined in the command Search-Mailbox
  3. Copy emails – using parameters TargetMailbox and TargetFolder will copy all found messages to the specified folder in the specified mailbox.

 

Examples of use:

A search of a single mailbox, search specific email subject, email is not deleted only the results of your search will be saved in the target mailbox.

Search-Mailbox -Identity <name> -SearchQuery subject:"some subject" -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full
Search-Mailbox -Identity "John Smith" -SearchQuery subject:"Important message" -TargetMailbox Administrator -TargetFolder SearchLogs -LogOnly -LogLevel Full

 

Search in all mailboxes for email with specified attachment, search results are saved to Target Mailbox:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:<filename> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -LogOnly -LogLevel Full
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:virus* -TargetMailbox Administrator -TargetFolder SearchLogs -LogOnly -LogLevel Full

 

Search all mailboxes and permanently delete all emails with specified subject:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:<subject line> -DeleteContent
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:"Download this file" -DeleteContent

 

Search all mailboxes, and copy all results to Target Mailbox before delete:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:<subject line> -TargetMailbox <name of mailbox> -TargetFolder <name of folder> -DeleteContent
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery subject:"Download this file" -TargetMailbox Administrator -TargetFolder DeletedMessages -DeleteContent

 

Search and remove all messages with specified sender and specified subject:

Get-Mailbox -Identity “John Smith” | Search-Mailbox -SearchQuery subject:”This is SPAM!”,from:”spammer@spam.com” -DeleteContent
Get-Mailbox -resultsize unlimited | Search-Mailbox -SearchQuery subject:”This is SPAM!”,from:”spammer@spam.com” -DeleteContent

 

To search and remove messages received or sent between dates :

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery "Sent:> $('2011-12-31') and Sent:< $('2012-06-01')" -Confirm:$false -Force -TargetMailbox "targetuser" -TargetFolder "SearchAndDeleteLog" -LogLevel Full -DeleteContent
Search-Mailbox -identity somemailbox -searchQuery "Received:< $(get-date).addDays(-2)" -DeleteContent
Search-Mailbox -Identity “mailbox_name” -SearchQuery “Received:> $(’10/01/2012') and Received:< $(’10/05/2012')” -DeleteContent

 

The following table lists common message properties that you can include in the value for theSearchQuery parameter.

Property Example Search results
Attachments attachment:annualreport.ppt Messages that have an attachment that is named annualreport.ppt. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment.
Cc cc:”gurinder singh”cc:gurinderscc: gurinders@fineartschool.edu Messages with Gurinder Singh in the Cc field
From from:”Max Stevens”from:maxsfrom:maxs@contoso.com Messages sent by Max Stevens
Sent sent:10/19/2010 Messages that were sent on October 19, 2010
Subject subject:”Quarterly Financials” Messages that contain the exact phrase “Quarterly Financials” in the subject line
To to:”Judy Lew”to:judylto:judyl@contoso.com Messages sent to Judy Lew
Print Friendly


Related posts:

  1. Exam 70-417 Upgrading Your Skills To MCSA Windows Server 2012 – free online training
  2. Exchange 2010 remove mobile device Error The ActiveSyncDevice Cannot be Found
  3. Exchange Server 2013 Deployment Assistant Updated
  4. Microsoft Outlook Configuration Analyzer Tool 2.0 (OCAT)
  5. Microsoft Outlook Configuration Analyzer Tool 2.0 only in OffCAT
Tagged , , , , , . Bookmark the permalink.

3 Responses to Search-Mailbox search and remove emails

  1. hello says:
    13/02/2014 at 09:20

    Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment: -TargetMailbox -TargetFolder -LogOnly -LogLevel Full

    are you sure it works ?
    “attachment:” i can’t find any info to say that it works…
    and in my invironment it also not works

    Reply
    • Remigiusz Szatkowski says:
      14/02/2014 at 08:03

      Yes it works, you need to specify name of attachment
      Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery ‘Attachment:”some.pdf”‘ -TargetMailbox usermbx -TargetFolder PDFAttachments -LogOnly -LogLevel Full
      or try this one:
      Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery ‘Attachment:”some.pdf”‘ -TargetMailbox “usermbx” -TargetFolder “PDFAttachments” -LogOnly -LogLevel Full

      more information you can find here:
      http://technet.microsoft.com/en-us/library/bb232132(v=exchg.141).aspx

      Reply
  2. Jake says:
    02/04/2015 at 20:00

    Thanks for listing the common message properties, it helped me. Do you know where to find a full list? For example, when I try to use search-mailbox with the “-searchdumpsteronly” switch, I would like to avoid pulling in all the old meeting notices and only pull in the message types. Is there a way to use the search-query to only pull the IPM.Note class items? I use this frequently to restore mailboxes from the purges folder, but I don’t want to restore calendar items.

    Reply

Leave a Reply to Remigiusz Szatkowski Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>