Forum Discussion
Solved
New-ComplianceSearch list of mailboxes
Hey Guys,
Hoping to get some assistance here. So this is the situation, one of our Managers sent an email to an list of 200 users. This was sent via single distro group.
I ran the following command:
New-ComplianceSearch -Name <Name of Search> -ExchangeLocation distrogroup@domain.com -ContentMatchQuery "(From:user.domain@fqdn.com) AND (Subject:FW: Subject Name Here) AND (Recipients: distrogroupname@fqdn.com) AND (Received:06/05/2019)"
The above worked as expected, however only 98 members were identified as having received the email. I was able to delete the messages using new-compliancesearchaction however the total number of deletes should have been 185-200.
So then to confirm my findings i ran this command:
$groups| %{Get-MessageTrace -RecipientAddress $_.PrimarySMTPAddress -StartDate "06/05/2019" -EndDate "06/06/2019" -SenderAddress user.domain@fqdn.com}
Then i was able to export that to a excel spreadsheet and sure enough i see 197-200 messages that were sent to those members of the distro group.
in the above command $Groups = Get-DistributionGroupMember -Identity recip.group@domain.com
So as you can see, 198 members received the emails, but only 98 members had them deleted when using new-compliancesearchaction.
My question is this: How can i use new compliance search, against a list of mailboxes? like the one in my groups variable?
Thanks,
Robert
As you are already restricting the search by subject and sender, there's no point of adding the DG to the search query. But in theory, should be the same for your scenario, I'm not really sure why it's skipping some of the members. Are they all regular user mailboxes? Do you have nested groups and other object types added as members of the DG?
TonyRedmond might be aware of some gotcha...
As you are already restricting the search by subject and sender, there's no point of adding the DG to the search query. But in theory, should be the same for your scenario, I'm not really sure why it's skipping some of the members. Are they all regular user mailboxes? Do you have nested groups and other object types added as members of the DG?
TonyRedmond might be aware of some gotcha...
VasilMichev It turns out that actually it was removing more messages, about 150 messages (total) from my list of mailboxes. I know this because our ProofPoint Trap system was able to go in and remove the remaining messages.
I also only set the cmdlet to do a softdelete. TonyRedmond I was under the impression that the 10 message limit was per mailbox per run.
So for instance if i wanted to move 1 message from a 100 mailboxes new compliance search would do that on one pass, but if i wanted to remove 11 messages from 100 mailboxes that would take 2 passes?
Is that incorrect?
Thanks,
Robert
Robert Bollinger Right, as confirmed by https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-content-search/new-compliancesearchaction?view=exchange-ps, it is 10 items per mailbox per run.
To quote: "A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This action isn't intended to clean up user mailboxes."
VasilMichev The only gotcha I can think of is that a compliance search action can only remove 10 messages at a time, so you'd have to run the search and the action multiple times to find and remove all the messages.
I would use the Search-Mailbox cmdlet for something like this. It will process all the mailboxes and remove all the offending messages at one time.
