Exchange Team Blog

Running Discovery periodically on Exchange 2010 SP1

Nov 30, 2010


SearchMailboxes.ps1 is a script to run a discovery search (using Exchange 2010's Multi-Mailbox Search) periodically on a set of mailboxes. The script works only with Microsoft Exchange 2010 SP1. Please note, Multi-mailbox Search is an Enterprise CAL feature.

Who needs it: A compliance officer who runs discovery searches periodically to look for messages containing specific keywords. It makes life easier by automating the process of running a discovery search at fixed intervals using a scheduled task. Once the script is deployed the compliance officer can log on to the Exchange Control Panel (ECP) and select the particular date for which he/she wants to get search results.

Here is the snapshot of the ECP after running the script weekly:

How the script works: This script runs a discovery search on the specified mailboxes over a period of time. To learn more about discovery, see Understanding Multi-Mailbox Search.

For the first time the search is run, you can specify the start date in the search.config file. The current date is automatically used as the end date. For subsequent searches, the start date is automatically obtained from the previous search. If the previous search is successful, its end date is used as the start date for the new search. If the previous search failed, the start date specified in that search is used as the start date for the new search. This ensures that you don't miss any messages due to a failed search. You can set the frequency at which the script is run by using the Task Scheduler.

Before running the script, make sure that the user account you use to run it is added to the Discovery Management RBAC role group. See Add a User to the Discovery Management Role Group for instructions on how to do this.

The package contains the following files:

  1. Setup.bat: This creates a scheduled task using the Schtasks command. It's configured to run once a week (on Monday). You can edit the file to configure the frequency at which you want to run the script. You can also modify the scheduled task using the Task Scheduler - see Schedule a Task for more info.
  2. DailyMailboxSearch.bat: This is the batch file that the scheduled task runs. Edit it to specify the path to exshell.psc1 (the default path is \Program Files\Microsoft\Exchange Server\V14\Bin\). To run a Shell (EMS) script on a schedule using the Windows Task Scheduler, you must call the Shell and include the script that you want to run as a parameter. For more details, see Scripting with the Exchange Management Shell.

    Add the mailboxes to search by putting their names after SearchMailboxes.ps1 inside the quoted -command string:

    powershell -PSConsoleFile "d:\Program Files\Microsoft\Exchange Server\V14\Bin\exshell.psc1" -command ".\SearchMailboxes.ps1 "

    # Name of the mailboxes accepts all the types of mailbox names that can be specified to the Get-Mailbox cmdlet
    # ex: SearchMailboxes.ps1 user1
    # ex: SearchMailboxes.ps1 user*
    # ex: SearchMailboxes.ps1 *user*
  3. Search.Config: Open Search.Config and edit the value of Discovery mailbox. This command gets the Discovery mailbox:

    Get-Mailbox -Identity Discovery*

    Edit the start date to set how many days back the first search should go.
    Edit the keywords and separate them with the conjunction 'OR'.
    This is a mandatory file and it needs to be present in the same location as SearchMailboxes.ps1.

  4. LastSearch.txt: This file is generated when the SearchMailboxes.ps1 script is run for the first time. It stores the information about the last time the search was run. If this file isn't present, the SearchMailboxes.ps1 script will pick the start date of the search from the Search.config file.
  5. SearchMailboxes.ps1: This is the script that consumes search.config and lastSearch.txt to generate the search results. It's not required to modify this script because all configurable parameters are contained in the other files in this list.
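The following is an added example that is not the SearchMailboxes.ps1 shipped with this post. It shows the search-window logic described above (first run uses the configured look-back, a successful run continues from its end date, a failed run repeats its start date) and the New-MailboxSearch call over the resolved mailboxes. The Key=Value layout of Search.config and LastSearch.txt, the key names DiscoveryMailbox, DaysBack and Keywords, and the Get-MailboxSearch status strings 'NotStarted', 'InProgress' and 'Succeeded' are assumptions made for this example; the cmdlet parameters are the Exchange 2010 SP1 ones.

```powershell
# Added example, not the post's SearchMailboxes.ps1. Run from the Exchange
# Management Shell (or via exshell.psc1 as DailyMailboxSearch.bat does).
# Assumed (not on the page): Key=Value config/state files and the status strings below.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$MailboxName   # anything Get-Mailbox -Identity accepts: user1, user*, *user*
)

$here       = Split-Path -Parent $MyInvocation.MyCommand.Path
$configPath = Join-Path $here 'Search.config'
$statePath  = Join-Path $here 'LastSearch.txt'

# Read "Key=Value" lines into a hashtable; lines starting with '#' are comments
# (constructed file format, an assumption of this example).
function Read-KeyValueFile([string]$Path) {
    $table = @{}
    if (Test-Path $Path) {
        foreach ($line in Get-Content $Path) {
            if ($line -match '^\s*([^#=][^=]*?)\s*=\s*(.*?)\s*$') {
                $table[$Matches[1]] = $Matches[2]
            }
        }
    }
    return $table
}

# Search.config, as assumed here (constructed sample):
#   DiscoveryMailbox=<value returned by Get-Mailbox -Identity Discovery*>
#   DaysBack=30
#   Keywords=confidential OR merger OR insider
$config  = Read-KeyValueFile $configPath
$last    = Read-KeyValueFile $statePath
$endDate = Get-Date

# Window selection as the post describes: no LastSearch.txt means first run;
# a succeeded previous run continues from its end date; anything else repeats
# the previous start date so a failed search cannot leave a gap.
if ($last.Count -eq 0) {
    $startDate = $endDate.AddDays(-[int]$config['DaysBack'])
} elseif ($last['Status'] -eq 'Succeeded') {
    $startDate = [datetime]$last['EndDate']
} else {
    $startDate = [datetime]$last['StartDate']
}

# Expand each name through Get-Mailbox so wildcards such as user* work.
$sourceMailboxes = foreach ($name in $MailboxName) {
    Get-Mailbox -Identity $name | ForEach-Object { $_.PrimarySmtpAddress.ToString() }
}
if (-not $sourceMailboxes) { throw "No mailboxes matched: $($MailboxName -join ', ')" }

$searchName = 'Periodic discovery {0:yyyy-MM-dd HHmm}' -f $endDate
New-MailboxSearch -Name $searchName `
    -SourceMailboxes $sourceMailboxes `
    -TargetMailbox $config['DiscoveryMailbox'] `
    -SearchQuery $config['Keywords'] `
    -StartDate $startDate -EndDate $endDate `
    -LogLevel Full | Out-Null

# The search runs asynchronously; wait for it to finish before recording the result.
do {
    Start-Sleep -Seconds 30
    $status = (Get-MailboxSearch -Identity $searchName).Status.ToString()
} while (@('NotStarted', 'InProgress') -contains $status)

# Persist the window and outcome; the next run reads this to pick its start date.
@(
    "SearchName=$searchName"
    "StartDate=$($startDate.ToString('o'))"
    "EndDate=$($endDate.ToString('o'))"
    "Status=$status"
) | Set-Content -Path $statePath
```

Called from the batch file as in the post, for example `-command ".\SearchMailboxes.ps1 user*"`, the script writes LastSearch.txt only after the search has reached a terminal status, so a run that is interrupted before that point leaves the previous state file in place and the next run repeats the same window.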

Download the script: You can download this script and all of the associated files as attachments to this blog post.

EDIT 11/30/2010: Added a note that the multi-mailbox search is an Enterprise CAL feature.

Kunal Nikam 

  • Finally a tool for admins to search for terrorists among the colleagues. Who knows, they are all around us!
  • @Mats
    Discovery Management such a revolutionary tool for searching notorious activity on the internet huh??? Cool!!!
  • While it may help you search for terrorists, Mats, it does actually add benefit to those of us working at real-life companies with actual security requirements.
  • Is it just the compliance officer that needs the Enterprise CAL or does the organisation need an Enterprise CAL for every user whose mailbox is searched?
  • @Will: All mailboxes searched using Multi-Mailbox Search (from the Discovery console in ECP or using the New-MailboxSearch cmdlet) require an Enterprise CAL. Note, you can also search mailboxes synchronously, one at a time, using the Search-Mailbox cmdlet, which doesn't require an Enterprise CAL.

  • I know licensing questions are tricky but what if we are searching 100 mailboxes max at a time, and not using any other Enterprise features. Does that mean we only need 100 Enterprise CALs? Then search 100 different mailboxes in a subsequent session, basically sliding those CALs across mailboxes. Not expecting an official answer here (I know the best one is 'call Microsoft Licensing' or 'consult with your own lawyer for an opinion'), but just wishing there was somewhere with approved examples of scenarios like this.
  • @Frank T: What you are essentially discussing is gaming the licensing strategy, which Microsoft will not support.
  • Add one more item to the Exchange 2010 Enterprise CAL confusion list. Now we have to guess how many mailboxes a compliance officer might include in their search, since Microsoft is now in the business of licensing behavior, not features.
  • I have a question on the 'Message ID' field in the CSV file generated by the EMS shell command 'New-MailboxSearch' with -LogLevel Full. I did not see details documented anywhere. If this is not the best place to ask this question, please point me to the right place.

    Questions on column 'Message ID'
    1) Its format appears to be Base64 encoding. Is it right?
    2) What MAPI property does 'Message ID' map to?
    Is it the PR_ENTRYID of the original message or the PR_INTERNET_MESSAGE_ID or something else? I could not correlate 'MessageID' to any MAPI message property.

    Thank you very much.