Exchange 2010 includes the capability to ensure that deleted items are retained within the dumpster till the deleted item retention period. This prevents accidentally or maliciously deleted items from being deleted permanently, and allows an administrator to recover such items. This feature is known as Single Item Recovery and it enables organizations to change their backup paradigms (i.e., you no longer need to maintain backups for single item recovery), and to retain and allow discoverability of the data to meet compliance requirements.
A while back, I blogged about the mechanics of the Single Item Recovery features included in Exchange 2010. In this post, I discuss how you can utilize this functionality to recover accidentally or maliciously deleted items.
Essentially there are two steps:
Remember, in order to discover and recover the data, each mailbox needs to have Single Item Recovery enabled prior to the accidental purge event. Therefore, we recommend enabling Single Item Recovery for mailboxes as part of the Exchange 2010 upgrade process.
Ross sent his administrative assistant, Julie, a message regarding his upcoming trip to Seattle, specifically requesting Julie to book his itinerary. Unfortunately, before she could work on Ross’ request, Julie shift-deleted the message while cleaning out her mailbox. Like most users, Julie has done this before and is familiar with the Recover Deleted Items capability within Outlook. However, this time, Julie made the mistake of clicking the delete button for the message in question instead of clicking the recover button. Panicking, Julie calls Help Desk to request recovery of the item.
The help desk ticket results in a workflow process that is performed by an IT administrator who has necessary rights to perform searches (in this scenario, the Help Desk technician’s user account has been delegated the Discovery Management role).
Note: By default, no accounts have the ability to perform mailbox searches. You can either create a custom role group to allow an administrator to search only a subset of mailboxes, or add the administrator to the Discovery Management built-in role group (which allows them to search all mailboxes in the Exchange organization) by using the following command:
Add-RoleGroupMember "Discovery Management" -Member <user account>
The Help Desk technician has two choices for performing discovery, and the choice will depend on the target user’s client access license (CAL):
In Julie’s case, she provided the Help Desk technician with the following information:
When a mailbox with a Standard CAL will be searched, the Search-Mailbox cmdlet will be used. The Search-Mailbox cmdlet requires the following information:
Knowing this information, the Help Desk technician executes the following command from the Shell:
Search-Mailbox sec -SearchQuery "from:'boss' AND seattle" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "Secretary Recovery" -LogLevel Full
Note: Search-Mailbox does not allow the target mailbox to be the same as the source mailbox. Search-Mailbox does allow you to be very specific in your search criteria. Besides scoping the search with the SearchQuery parameter using Advanced Query Syntax (AQS), in Exchange 2010 SP1 you can also use the SearchDumpsterOnly switch to search only items in the dumpster.
The Help Desk technician receives the following output:
RunspaceId : fb25cadf-a63f-4e88-8567-cb4ae1b30ade
Identity : corp.contoso.com/Users/Secretary
TargetMailbox : corp.contoso.com/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
TargetPSTFile :
Success : True
TargetFolder : \Secretary Recovery\Secretary-4/14/2010 6:28:33 AM
ResultItemsCount : 1
ResultItemsSize : 1.577 KB (1,615 bytes)
The Help Desk technician then logs into OWA and opens the Discovery Search Mailbox via the Open Other Mailbox option:
Note: The OWA and ECP screenshots are from Exchange 2010 SP1. These are preliminary screen shots from pre-Beta software that are subject to change before the final release of SP1.
The Help Desk technician navigates the folder structure within the Discovery Search Mailbox and verifies that he has recovered the item in question:
When a mailbox with an Enterprise CAL will be searched, the administrator can use the Multi-Mailbox Search feature in the Exchange Control Panel. The Help Desk technician takes the following steps:
At this point the Search phase is complete and the Recovery phase begins. There are two options for how to recover and return the item back to the user and it depends on the version of Exchange 2010 you have deployed:
The Help Desk technician executes the following command from the Shell:
Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'boss' AND seattle" -TargetMailbox sec -TargetFolder "Recovered by HelpDesk" -LogLevel Full -DeleteContent
He receives the following output:
RunspaceId : fb25cadf-a63f-4e88-8567-cb4ae1b30ade
Identity : corp.contoso.com/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
TargetMailbox : corp.contoso.com/Users/Secretary
TargetPSTFile :
Success : True
TargetFolder : \Recovered by HelpDesk\Discovery Search Mailbox-4/14/2010 6:32:49 AM
ResultItemsCount : 1
ResultItemsSize : 1.577 KB (1,615 bytes)
It’s important to note that due to the two-step process involved with Search-Mailbox (copying the results to the Discovery Mailbox and then copying the results back to the user’s mailbox) the hierarchy is same for the end user – the root of the Discovery Search Mailbox, as well as the folder target that was used to place the item in the Discovery Search Mailbox, are both visible.
Exchange 2010 SP1 includes infrastructure that allows administrators to perform bulk import and export of PST files without requiring the installation of the Outlook client. This infrastructure, supported by the cmdlets *-MailboxImportRequest and *-MailboxExportRequest, leverages the Mailbox Replication Service and the framework that exists for moving mailboxes between databases (see Understanding Move Requests for more information).
To use this functionality, two prerequisites must be met:
The person performing the import or export must have the appropriate permissions within Exchange. By default, no RBAC role group provides this functionality. To grant the ability for a help desk administrator, compliance officer, or Exchange administrator to perform bulk import/export capabilities against all mailboxes, the following commands must be executed:
New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
Add-RoleGroupMember "Mailbox Import-Export Management" -Member <user account>
The first command creates a new role group that grants access to the *-MailboxImportRequest and *-MailboxExportRequest cmdlets. The second command adds a user to the role group.
In this scenario, the Help Desk technician is a member of the Mailbox Import-Export Management role group and thus can utilize the Import and Export cmdlets. The Help Desk technician:
Runs the following command from the Shell to export the recovered data from the Discovery Search Mailbox to a PST file:
New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -FilePath "\\exchsvr\HelpDeskPst\SecretaryRecovery.pst" -ContentFilter {Subject -eq "april travel plans"} -SourceRootFolder "Secretary Recovery"
Runs the following command from the Shell to import the recovered data into Julie’s mailbox:
New-MailboxImportRequest -Mailbox sec -FilePath "\\exchsvr\HelpDeskPst\SecretaryRecovery.pst" -TargetRootFolder "Recovered By HelpDesk"
At this point, Julie logs into her mailbox and verifies she has the correct item:
Exchange 2010 provides you the means to ensure data is not deleted from the system prior to the expiration of its deleted item retention. In the event that a message is accidentally or maliciously purged from the user’s dumpster, it can be easily recovered and restored using built-in tools.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.