
In this article by Biswanath Banerjee, the author of the book Microsoft Exchange Server PowerShell Essentials, we are going to discuss the new features in the Exchange 2013 and 2016 releases that help organizations meet their compliance and e-discovery requirements.

Let's learn about the Auditing and E-discovery features available in Exchange 2013 and Exchange Online.


The following topics will be covered in this article:

  • New features in Exchange 2016
  • The In-place hold
  • Retrieving and exporting emails for Auditing
  • Retrieving content using KQL queries
  • Searching and removing emails from the server
  • Enabling Auditing and understanding its usage
  • Writing a basic script

Now, let’s review different features in Exchange 2013 and 2016 that can be used by organizations to meet their compliance requirements:

  • The In-place hold: In Exchange 2010, when a mailbox is enabled for a feature called Litigation hold, all mailbox data is stored until the hold is removed. With the Exchange 2013 and 2016 releases, the In-place hold gives administrators more granularity than the Litigation hold feature in Exchange 2010. Now, administrators can choose what to hold and for how long the hold applies.
  • In-Place E-Discovery: In Exchange 2010, when you run a discovery search, it copies the items matching the search criteria into a discovery mailbox, from which you can export them to a PST file or provide access to a group of people. In Exchange 2013 and 2016, when you run a discovery search, you can see the results of your search live. You also get an option to save the search so that it can be reused later with minor modifications, if required.
  • Audit logs: In Exchange 2013 and 2016, you can enable two types of audit logging:
    • Administrator audit logs: Administrator audit logs record any action performed by an administrator using tools such as Exchange Admin Center and Exchange Management Shell.
    • Mailbox audit logs: Mailbox audit logs can be enabled for individual mailboxes and store their log entries in the Audits subfolder of the mailbox's Recoverable Items folder.

The In-Place hold

The Exchange 2013 and 2016 releases allow admins to create granular hold policies that preserve items in a mailbox in the following scenarios:

  • Indefinite hold: This feature is called Litigation hold in Exchange 2010, and it allows mailbox items to be stored indefinitely. The items in this case are never deleted. It can be used where a group of users are working on some highly sensitive content that might need a review later.

    The following example sets the mailbox for Amy Alberts on the Litigation hold (in Exchange 2010) for indefinite hold:

    Set-Mailbox -Identity amya -LitigationHoldEnabled $True

    In Exchange 2013 and 2016, you will need to use the New-MailboxSearch cmdlet without a search query, as shown next, to get the same result:

    New-MailboxSearch "Amy mailbox hold" -SourceMailboxes "[email protected]" -InPlaceHoldEnabled $True

    The same can be achieved using the In-place E-discovery and hold wizard in Exchange Admin Center as shown in the following screenshot: 

  • The Query-based hold: Using this, you can specify keywords, dates, message types, and recipient addresses, and only the items matching the query will be held. This is useful if you don't want to put all your mailboxes on indefinite hold.
  • The Time-based hold: This allows admins to hold items for a specific period. The duration is calculated from the date and time the item was received or created.

The following example creates a Query-based and Time-based In-place hold for all the mailboxes that are part of the distribution group Group-Finance and hold every e-mail, meeting, or IM that contains the keywords Merger and Acquisition for 2 years:

New-MailboxSearch "Acquisition-Merger" -SourceMailboxes Group-Finance -InPlaceHoldEnabled $True -ItemHoldPeriod 730 -SearchQuery '"Merger" AND "Acquisition"' -MessageTypes Email,Meetings,IM
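As an added example (not from the book or its author), the following script creates the Group-Finance hold shown above and then confirms that every direct member of the distribution group actually carries it, by comparing the search's InPlaceHoldIdentity against each mailbox's InPlaceHolds list. It assumes an Exchange 2013/2016 Management Shell session and that the hold has had time to propagate to the mailboxes; the group and hold names are the ones used above.

```powershell
# Added example, not from the book: create the hold and verify it reached every member.
# Assumes an Exchange 2013/2016 Management Shell session and that the hold has propagated.

$HoldName = "Acquisition-Merger"

# Query-based, time-based In-Place hold, exactly as in the example above
New-MailboxSearch $HoldName -SourceMailboxes Group-Finance -InPlaceHoldEnabled $True `
    -ItemHoldPeriod 730 -SearchQuery '"Merger" AND "Acquisition"' -MessageTypes Email,Meetings,IM

# Each mailbox on hold lists the search's InPlaceHoldIdentity in its InPlaceHolds property
$Search = Get-MailboxSearch $HoldName
Write-Host "Hold '$HoldName' status: $($Search.Status), identity: $($Search.InPlaceHoldIdentity)"

# Walk the group's direct members (nested groups are not expanded here) and check each mailbox
$Missing = @()
foreach ($Member in Get-DistributionGroupMember Group-Finance -ResultSize Unlimited) {
    $Mbx = Get-Mailbox $Member.Identity -ErrorAction SilentlyContinue
    if ($Mbx -eq $null) { continue }   # contacts and mail users have no mailbox to hold
    if ($Mbx.InPlaceHolds -notcontains $Search.InPlaceHoldIdentity) {
        $Missing += $Mbx.PrimarySmtpAddress
    }
}

if ($Missing.Count -eq 0) {
    Write-Host "All members of Group-Finance are on hold '$HoldName'"
} else {
    # Propagation can lag; re-run later before treating this as a configuration problem
    Write-Warning "Hold not (yet) applied to: $($Missing -join ', ')"
}
```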

The Recoverable Items folder in each mailbox is used to store items preserved by Litigation hold and In-Place hold. The subfolders used to store these items are Deletions, Purges, DiscoveryHolds, and Versions. The Versions folder keeps a copy of an item before it is modified, using a process called copy-on-write. This ensures that both the original and the modified copies of an item are stored in the Versions folder. All these items are indexed by Exchange Search and returned by the In-Place eDiscovery search.

The Recoverable Items folder has its own storage quota, and it differs between Exchange 2013/2016 and Exchange Online. For Exchange 2013 and 2016 deployments, the default values of RecoverableItemsWarningQuota and RecoverableItemsQuota are 20 GB and 30 GB respectively. These properties can be managed using the Set-MailboxDatabase and Set-Mailbox cmdlets. It is critical for administrators to monitor the quota messages logged in the Application event log, because once the RecoverableItemsQuota is reached, users will not be able to permanently delete items or empty the Deleted Items folder, and copy-on-write will stop working as well, since there is no room left to store the original versions of modified items.

For the Exchange online, if a mailbox is placed on litigation hold, the size of the Recoverable items folder is set to 100 GB.
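The following is an added example (not the book's code) that reports which mailboxes are approaching their Recoverable Items quota, which is the condition the preceding paragraphs ask administrators to watch for. It assumes an Exchange Management Shell session in which sizes and quotas render as strings such as "1.5 GB (1,610,612,736 bytes)" or "Unlimited", and that the root folder returned by Get-MailboxFolderStatistics is named "Recoverable Items"; the 80% threshold is an arbitrary choice.

```powershell
# Added example, not from the book: find mailboxes close to their Recoverable Items quota.
# Assumption: sizes and quotas render as "1.5 GB (1,610,612,736 bytes)" or "Unlimited".

function ConvertTo-Bytes {
    param([string]$Size)
    if ([string]::IsNullOrEmpty($Size) -or $Size -eq "Unlimited") { return $null }
    # Use the exact byte count in parentheses and drop the thousands separators
    if ($Size -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return $null
}

function Get-RecoverableItemsUsage {
    param([int]$WarnPercent = 80)
    $DbQuotas = @{}   # cache: database name -> RecoverableItemsQuota in bytes
    $Report = @()
    foreach ($Mbx in Get-Mailbox -ResultSize Unlimited) {
        # The "Recoverable Items" root folder reports the total of all its subfolders
        $Root = $Mbx | Get-MailboxFolderStatistics -FolderScope RecoverableItems |
                Where-Object { $_.Name -eq "Recoverable Items" }
        $Used = ConvertTo-Bytes $Root.FolderAndSubfolderSize

        # The mailbox-level quota applies unless the mailbox inherits the database default
        if ($Mbx.UseDatabaseQuotaDefaults) {
            $Db = $Mbx.Database.ToString()
            if (-not $DbQuotas.ContainsKey($Db)) {
                $DbQuotas[$Db] = ConvertTo-Bytes (Get-MailboxDatabase $Db).RecoverableItemsQuota
            }
            $Quota = $DbQuotas[$Db]
        } else {
            $Quota = ConvertTo-Bytes $Mbx.RecoverableItemsQuota
        }
        if ($Used -eq $null -or $Quota -eq $null) { continue }   # unlimited quota: nothing to enforce

        $Report += New-Object PSObject -Property @{
            Mailbox     = $Mbx.PrimarySmtpAddress
            OnHold      = [bool]($Mbx.LitigationHoldEnabled -or $Mbx.InPlaceHolds.Count -gt 0)
            UsedGB      = [math]::Round($Used / 1GB, 2)
            QuotaGB     = [math]::Round($Quota / 1GB, 2)
            PercentUsed = [math]::Round(100 * $Used / $Quota, 1)
        }
    }
    # Mailboxes on hold that reach the quota can no longer purge items or keep copy-on-write versions
    $Report | Where-Object { $_.PercentUsed -ge $WarnPercent } | Sort-Object PercentUsed -Descending
}

Get-RecoverableItemsUsage -WarnPercent 80 |
    Format-Table Mailbox, OnHold, UsedGB, QuotaGB, PercentUsed -AutoSize
```

Mailboxes listed with OnHold set to True are the ones to act on first, by raising the quota with Set-Mailbox or by reviewing the hold, since their users cannot free the space themselves.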

If email forwarding is enabled for a mailbox that is on hold and a message is forwarded without keeping a copy in the original mailbox, Exchange 2013 will not capture that message. However, if the mailbox is on Exchange 2016 or Exchange Online and the forwarded message meets the hold criteria for the mailbox, a copy of the message is saved in the Recoverable Items folder and can be found later using the eDiscovery search.

Retrieving and exporting Emails for Auditing using In-Place E-discovery

Now that we have seen how to place mailboxes on hold, in this topic you will learn how to search and retrieve mailbox items using the eDiscovery search in Exchange 2013, 2016, and Exchange Online. The In-Place eDiscovery and Hold wizard in Exchange Admin Center allows authorized users to search content by sender, recipient, keywords, and start and end dates. Administrators can then take actions such as estimating, previewing, copying, and exporting the search results.

The following screenshot shows an example of a search result:

Starting with Exchange 2013, search uses Microsoft Search Foundation, which offers better indexing and querying functionality and performance. As the same search foundation is used by SharePoint and other Office products, the eDiscovery search can now be performed from both Exchange and SharePoint environments with the same results. The query language used by In-Place eDiscovery is Keyword Query Language (KQL), which you will learn about in the next section.

The following figure shows the search query field using KQL syntax and the time range fields:

You can also specify the message types to be returned in the search results as shown in the following screenshot:

Once you have estimated the search items, you can then preview and export the items to a PST file or a discovery mailbox as shown in the following screenshot:

Let's see how to run the same query in PowerShell using the New-MailboxSearch cmdlet. Here, -SourceMailboxes defines the mailboxes to be searched, and the -StartDate and -EndDate parameters restrict the search to messages between 1st January 2014 and 31st December 2014. The -SearchQuery parameter takes the KQL (Keyword Query Language) query, in this case messages containing the words Merger or Acquisition. The results are copied to the Legal-Mergers discovery mailbox specified using the -TargetMailbox parameter. Finally, status reports are sent to the group [email protected], specified using the -StatusMailRecipients parameter, when the search is completed:

New-MailboxSearch "Acquisition-Merger" -SourceMailboxes [email protected],[email protected] -SearchQuery '"Merger" OR "Acquisition"' -TargetMailbox Legal-Mergers -StartDate "01/01/2014" -EndDate "12/31/2014" -StatusMailRecipients [email protected]

Retrieving content using the KQL queries

KQL consists of free text keywords including words, phrases, and property restrictions. The KQL queries are case-insensitive, but the operators are not and have to be specified in uppercase. A free text expression in a KQL query can be a word without any spaces or punctuation or a phrase enclosed in double quotation marks.

The following examples will return content that contains the words Merger and Acquisition:

merger acquisition
merge* acquisition
acquisition merg*

It is important to note that KQL queries do not support suffix matching. It means you cannot use a wildcard (*) operator before a word or phrase in a KQL query.

We can use Property restrictions in a KQL query in the following format. There should not be any space between the Property name, the Property operator, and the Property value:

<Property Name><Property Operator><Property Value>

For example, author:"John Doe" will return content whose author is John Doe;

filetype:xlsx will return Excel spreadsheets; and title:"KQL Query" will return results that have the phrase KQL Query in the title.

You can combine these property restrictions to build complex KQL queries.

For example, the following query will return the content authored by John Doe or Jane Doe. It can be used in the following formats. Both the formats will return the same results:

author:"John Doe" author:"Jane Doe"
author:"John Doe" OR author:"Jane Doe"

If you want to search for all the word documents authored by Jane Doe, you will use either of the formats:

author:"Jane Doe" filetype:docx
author:"Jane Doe" AND filetype:docx

Now, let's take a look at the proximity operators NEAR and ONEAR, which are used to search for terms that occur close to each other.

The NEAR operator matches the results where the search terms are in close proximity without preserving the order of the terms:

<expression> NEAR(n=5) <expression>

Here, n >= 0, with a default value of 8, indicates the maximum distance allowed between the terms; for example, merger NEAR acquisition.

This will return results where the words merger and acquisition appear in either order, separated by up to eight other words.

If you want to find content where the term acquisition is followed by the term merger for up to five terms but not the other way round, use the ONEAR operator that maintains the order of the terms specified in the query. The syntax is the same as the NEAR operator with a default value of n = 8:

"acquisition" ONEAR(n=5) "merger"

Searching and removing emails from the server

There will be times when you, as an Exchange administrator, get requests to log or delete specific items from users' mailboxes. The Search-Mailbox cmdlet lets you search a mailbox or a group of mailboxes for specific items, and it also allows you to delete them.

You need to be part of the Mailbox Search and Mailbox Import Export RBAC roles to be able to search and delete messages from a user’s mailbox.

The following example searches John Doe’s mailbox for emails with subject “Credit Card Statement” and logs the result in the Mailbox Search Log folder in the administrator’s mailbox:

Search-Mailbox -Identity "John Doe" -SearchQuery 'Subject:"Credit Card statement"' -TargetMailbox administrator -TargetFolder "MailboxSearchLog" -LogOnly -LogLevel Full

The following example searches all mailboxes for attachments whose file name starts with the word Virus and logs the results in the MailboxSearchLog folder in the administrator's mailbox:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:virus* -TargetMailbox administrator -TargetFolder "MailboxSearchLog" -LogOnly -LogLevel Full

You can use Search-Mailbox to delete content as well. For example, the following command will delete all emails with the subject line "Test Email" from Amy Albert's mailbox:

Search-Mailbox -Identity "Amy Albert" -SearchQuery 'Subject:"Test Email"' -DeleteContent

If you want to keep a backup of Amy Albert’s mailbox content to a “BackupMailbox” before permanently deleting them, use the following command:

Search-Mailbox -Identity "Amy Albert" -SearchQuery 'Subject:"Test Email"' -TargetMailbox "BackupMailbox" -TargetFolder "amya-DeletedMessages" -LogLevel Full -DeleteContent

Enabling Auditing and understanding its usage

We will discuss the following two types of audit logs available in Exchange 2013:

  • Administrator audit logs
  • Mailbox audit logs

Administrator audit logs

Administrator audit logs record every cmdlet executed from Exchange Management Shell or Exchange Admin Center, except cmdlets that only display information, such as the Get-* and Search-* cmdlets. By default, Administrator audit logging is enabled for new Exchange 2013/2016 installations.

The following command will audit all cmdlets. Note that this is the default behavior, so if this is a new installation of Exchange 2013 or 2016, you don't have to make any changes. You only have to run this if you have changed the configuration using the Set-AdminAuditLogConfig cmdlet earlier:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

Now, let’s say you have a group of delegated administrators managing your Exchange environment, and you want to ensure that all the management tasks are logged. For example, you want to audit cmdlets that make changes to the mailbox, distribution groups, and management roles. You will type the following cmdlet:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *Mailbox,*Management*,*DistributionGroup*

The previous command audits the matching cmdlets whatever parameters they are run with. You can take this a step further by specifying which parameters you want to monitor. For example, suppose you are trying to understand why there is an unequal distribution of mailboxes across your databases and why there are incorrect entries in the Custom Attribute properties of your user mailboxes. You will run the following command, which monitors only these two sets of parameters:

Set-AdminAuditLogConfig -AdminAuditLogParameters Database,Custom*

By default, audit log entries are kept for 90 days; this can be changed using the -AdminAuditLogAgeLimit parameter. The following command sets the audit log age limit to 2 years:

Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 730.00:00:00

By default, cmdlets with the Test verb are not logged, as they generate a lot of data. But if you are troubleshooting an issue and want to keep a record of it for later review, you can enable logging for them using this:

Set-AdminAuditLogConfig -TestCmdletLoggingEnabled $True

Disabling and enabling admin audit logging, and viewing the current admin audit log settings, can be done using the following commands:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $False
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
Get-AdminAuditLogConfig

Once auditing is enabled, you can search the audit logs using the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets. The following example searches the logs for the Set-Mailbox cmdlet run with the listed parameters from 1st January 2014 to 1st December 2014 by the users Holly Holt, Susan Burk, and John Doe:

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota -StartDate 01/01/2014 -EndDate 12/01/2014 -UserIds hollyh,susanb,johnd

This command will search for any changes made for Amy Albert’s mailbox configuration from 1st July to 1st October 2015:

Search-AdminAuditLog -StartDate 07/01/2015 -EndDate 10/01/2015 -ObjectID contoso.com/Users/amya

This cmdlet is similar to the previous one, with one difference: it uses the -StatusMailRecipients parameter to send an email with the subject line "Mailbox Properties changes" to [email protected]:

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/01/2015 -EndDate 10/01/2015 -UserIds hollyh,susanb,johnd -StatusMailRecipients [email protected] -Name "Mailbox Properties changes"
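As an added example (not from the book), the following script turns Search-AdminAuditLog records into a flat, reviewable list of who changed which mailbox property and whether the change succeeded, which is what a compliance review of the searches above usually needs. The parameter list and date range are illustrative; the record properties used (Caller, CmdletName, CmdletParameters, ObjectModified, RunDate, Succeeded) are those returned by Search-AdminAuditLog.

```powershell
# Added example, not from the book: one row per audited parameter change, from Search-AdminAuditLog.
# The parameter set and dates below are illustrative choices.

function Get-MailboxChangeReport {
    param(
        [datetime]$StartDate,
        [datetime]$EndDate,
        [string[]]$Parameters = @("ProhibitSendQuota", "ProhibitSendReceiveQuota",
                                  "IssueWarningQuota", "LitigationHoldEnabled")
    )
    $Entries = Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters $Parameters `
               -StartDate $StartDate -EndDate $EndDate -ResultSize 5000
    foreach ($Entry in $Entries) {
        # CmdletParameters is a collection of Name/Value pairs; emit one row per audited parameter
        foreach ($Param in $Entry.CmdletParameters) {
            if ($Parameters -notcontains $Param.Name) { continue }
            New-Object PSObject -Property @{
                RunDate   = $Entry.RunDate
                Caller    = $Entry.Caller
                Mailbox   = $Entry.ObjectModified
                Parameter = $Param.Name
                NewValue  = $Param.Value
                Succeeded = $Entry.Succeeded
            }
        }
    }
}

$Report = Get-MailboxChangeReport -StartDate "08/01/2015" -EndDate "10/01/2015"

# Failed attempts are worth a separate look: permission problems, or changes nobody expected
$Report | Where-Object { -not $_.Succeeded } |
    Format-Table RunDate, Caller, Mailbox, Parameter, NewValue -AutoSize

# Full change history, most recent first, kept for the record
$Report | Sort-Object RunDate -Descending | Export-Csv MailboxPropertyChanges.csv -NoTypeInformation

# Who has been switching Litigation hold on or off, and how often
$Report | Where-Object { $_.Parameter -eq "LitigationHoldEnabled" } |
    Group-Object Caller | Sort-Object Count -Descending | Select-Object Name, Count
```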

Mailbox audit logs

The mailbox audit logging feature in Exchange 2013 and 2016 allows you to log mailbox access by owners, delegates, and administrators. The logs are stored in the Audits subfolder of Recoverable Items. By default, the logs are retained for up to 90 days. Use Set-Mailbox with the -AuditLogAgeLimit parameter to increase the retention period of the audit logs.

The following command will enable mailbox audit logging for John Doe’s mailbox, and the logs will be retained for 6 months:

Set-Mailbox -Identity "John Doe" -AuditEnabled $true -AuditLogAgeLimit 180.00:00:00

The command disables audit logging for Holly Holt’s mailbox:

Set-Mailbox -Identity "Holly Holt" -AuditEnabled $false

If you just want to log the SendAs and SendOnBehalf actions on Susan Burk’s mailbox, type this:

Set-Mailbox -Identity "Susan Burk" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true

The following command logs the Hard Delete action by the Mailbox owner for Amy Albert’s mailbox:

Set-Mailbox -Identity "Amy Albert" -AuditOwner HardDelete -AuditEnabled $true

Now that we have enabled auditing, let's see how to search the audit logs for the mailboxes using the Search-MailboxAuditLog cmdlet. The following example searches the audit logs of the mailboxes of John Doe, Amy Albert, and Holly Holt for actions performed by the Admin and Delegate logon types from 1st September to 1st October 2015. A maximum of 2000 results will be displayed, as specified by the -ResultSize parameter:

Search-MailboxAuditLog -Mailboxes johnd,amya,hollyh -LogonTypes Admin,Delegate -StartDate 9/1/2015 -EndDate 10/1/2015 -ResultSize 2000

You can also pipe the results to the Where-Object cmdlet. This example searches Susan Burk's mailbox for HardDelete operations performed by the owner from 1st September to 17th September 2015:

Search-MailboxAuditLog -Identity susanb -LogonTypes Owner -ShowDetails -StartDate 9/1/2015 -EndDate 9/17/2015 | Where-Object {$_.Operation -eq "HardDelete"}
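The following is an added example (not the book's code) that summarises non-owner (Admin and Delegate) activity across several audited mailboxes, so that unexpected deletions or access from unfamiliar addresses stand out during a review. It assumes mailbox audit logging was enabled on these mailboxes as shown above; the mailbox list and date range are illustrative, and the record properties used (MailboxOwnerUPN, LogonUserDisplayName, Operation, FolderPathName, ClientIPAddress, LastAccessed) are those of the -ShowDetails output.

```powershell
# Added example, not from the book: review non-owner activity across a set of audited mailboxes.
# The mailbox aliases and the 30-day window are illustrative.

$Mailboxes = "johnd", "amya", "hollyh", "susanb"
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date

$Records = @()
foreach ($Mbx in $Mailboxes) {
    # -ShowDetails (one record per operation) is only available with -Identity, so query each mailbox in turn
    $Records += Search-MailboxAuditLog -Identity $Mbx -LogonTypes Admin,Delegate -ShowDetails `
                    -StartDate $Start -EndDate $End -ResultSize 5000
}

# 1. Who did what, and how often: the first thing a reviewer wants to see
$Records | Group-Object MailboxOwnerUPN, LogonUserDisplayName, Operation |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 2. Deletions performed by someone other than the owner deserve a line each
$Records | Where-Object { $_.Operation -in "HardDelete", "SoftDelete", "MoveToDeletedItems" } |
    Select-Object LastAccessed, MailboxOwnerUPN, LogonUserDisplayName, Operation, FolderPathName, ClientIPAddress |
    Sort-Object LastAccessed -Descending | Format-Table -AutoSize

# 3. Client addresses seen per non-owner: an address that appears for only one user is worth explaining
$Records | Group-Object LogonUserDisplayName, ClientIPAddress |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize

# 4. Keep the raw records for the case file
$Records | Export-Csv NonOwnerMailboxAccess.csv -NoTypeInformation
```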

Once you have enabled mailbox audit logging, you can also use Exchange Admin Center: navigate to compliance management, open the auditing tab, and click Run a non-owner mailbox access report.

The following screenshot shows the search criteria that you can use to search the mailboxes accessed by non-owners:

Writing a basic script

The Recoverable Items folder has its own storage quota and has Deletions, Versions, Purges, Audits, Discovery Holds, and Calendar Logging as subfolders. This script will loop through the mailboxes and export the size of these subfolders to a CSV file.

$Output is an empty array used later to store the output of the script. The $Mbx array stores the list of mailboxes. We then use foreach to loop through the mailboxes in $Mbx. Note the two if-else statements for the Audits and DiscoveryHolds subfolders in the script; they ensure that we don't get errors if the user is not enabled for mailbox auditing or In-Place hold respectively, since those subfolders do not exist in that case.

For each mailbox in the list, we create a new PowerShell object with New-Object, use the Add-Member cmdlet to add custom properties to it, and store it in the $report variable. The result is then added to the $Output array defined earlier. Finally, Export-CSV is used to export the output to a file called RecoverableItemssubfolderssize.csv in the current working directory:

$Output = @()

Write-Host "Retrieving the list of mailboxes"
$mbx = @(Get-Mailbox -ResultSize Unlimited)

foreach ($Mailbox in $mbx)
{
    $Name = $Mailbox.Name

    Write-Host "Checking $Name mailbox"

    # Fetch the Recoverable Items subfolder statistics once per mailbox
    $Stats = $Mailbox | Get-MailboxFolderStatistics -FolderScope RecoverableItems

    # The Audits subfolder only exists if mailbox audit logging is enabled for the mailbox
    $AuditsFolder = $Stats | Where {$_.Name -eq "Audits"}
    $AuditsFoldersize = if ($AuditsFolder -ne $Null) {$AuditsFolder.FolderSize} else {0}

    # The DiscoveryHolds subfolder only exists if the mailbox is on In-Place hold
    $DiscoveryHoldsFolder = $Stats | Where {$_.Name -eq "DiscoveryHolds"}
    $DiscoveryHoldsFoldersize = if ($DiscoveryHoldsFolder -ne $Null) {$DiscoveryHoldsFolder.FolderSize} else {0}

    # Deletions, Purges, and Versions are always present
    $DeletionsFoldersize = ($Stats | Where {$_.Name -eq "Deletions"}).FolderSize

    $PurgesFoldersize = ($Stats | Where {$_.Name -eq "Purges"}).FolderSize

    $VersionsFoldersize = ($Stats | Where {$_.Name -eq "Versions"}).FolderSize

    $report = New-Object PSObject

    $report | Add-Member NoteProperty -Name "Name" -Value $Name

    $report | Add-Member NoteProperty -Name "Audits Sub Folder Size" -Value $AuditsFoldersize

    $report | Add-Member NoteProperty -Name "Deletions Sub Folder Size" -Value $DeletionsFoldersize

    $report | Add-Member NoteProperty -Name "DiscoveryHolds Sub Folder Size" -Value $DiscoveryHoldsFoldersize

    $report | Add-Member NoteProperty -Name "Purges Sub Folder Size" -Value $PurgesFoldersize

    $report | Add-Member NoteProperty -Name "Versions Sub Folder Size" -Value $VersionsFoldersize

    $Output += $report

    Write-Host "$Name, $AuditsFoldersize, $DeletionsFoldersize, $DiscoveryHoldsFoldersize, $PurgesFoldersize, $VersionsFoldersize"
}

Write-Host "Writing output to RecoverableItemssubfolderssize.csv"

$Output | Export-CSV RecoverableItemssubfolderssize.csv -NoTypeInformation

Summary

In this article, you learned about the various types of In-Place hold and the eDiscovery search, and how they can help organizations meet their regulatory compliance requirements. You also learned how to log administrator actions and mailbox access using the Administrator audit log and mailbox audit logging functionality in Exchange Server 2013/2016 and Exchange Online. The tools and cmdlets explained in this article will help organizations retain content that is important to them, search it, and send it to the appropriate parties for review at a later date.
