Item Recovery in Exchange 2010
Published Apr 26 2010 04:00 PM 110K Views

Exchange 2010 includes the capability to ensure that deleted items are retained within the dumpster until the deleted item retention period expires. This prevents accidentally or maliciously deleted items from being deleted permanently, and allows an administrator to recover such items. This feature is known as Single Item Recovery and it enables organizations to change their backup paradigms (i.e., you no longer need to maintain backups for single item recovery), and to retain and allow discoverability of the data to meet compliance requirements.

A while back, I blogged about the mechanics of the Single Item Recovery features included in Exchange 2010. In this post, I discuss how you can utilize this functionality to recover accidentally or maliciously deleted items.

Essentially there are two steps:

  1. Search – Determining the location of the missing items.
  2. Recovery – Retrieving the missing items.

Remember, in order to discover and recover the data, each mailbox needs to have Single Item Recovery enabled prior to the accidental purge event. Therefore, we recommend enabling Single Item Recovery for mailboxes as part of the Exchange 2010 upgrade process.
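Because nothing can be recovered from a mailbox that did not have Single Item Recovery enabled before the purge, it is worth checking coverage up front. The following is an added example, not code from the original post: it lists mailboxes without Single Item Recovery and the deleted item retention that applies to each, assuming it is run from the Exchange Management Shell.

```powershell
# Added example: find mailboxes not covered by Single Item Recovery.
# Nothing is changed unless -WhatIf is removed from the last command.

# Build the database lookup first; nested cmdlet calls inside a pipeline
# can fail in the remote Exchange shell.
$dbRetention = @{}
foreach ($db in Get-MailboxDatabase) {
    $dbRetention[$db.Name] = $db.DeletedItemRetention
}

$mailboxes = Get-Mailbox -ResultSize Unlimited
$report = foreach ($m in $mailboxes) {
    # A mailbox uses its own RetainDeletedItemsFor value only when it
    # opts out of the database default.
    $effective = if ($m.UseDatabaseRetentionDefaults) {
        $dbRetention["$($m.Database)"]
    } else {
        $m.RetainDeletedItemsFor
    }
    New-Object PSObject -Property @{
        Mailbox                   = $m.Alias
        SingleItemRecoveryEnabled = $m.SingleItemRecoveryEnabled
        EffectiveRetention        = $effective
    }
}

# Mailboxes where a purged item could not be recovered.
$gaps = @($report | Where-Object { -not $_.SingleItemRecoveryEnabled })
$gaps | Sort-Object Mailbox | Format-Table Mailbox, EffectiveRetention -AutoSize

# Preview enabling Single Item Recovery for the gaps.
foreach ($g in $gaps) {
    Set-Mailbox -Identity $g.Mailbox -SingleItemRecoveryEnabled $true -WhatIf
}
```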

The Scenario

Ross sent his administrative assistant, Julie, a message regarding his upcoming trip to Seattle, specifically requesting Julie to book his itinerary. Unfortunately, before she could work on Ross’ request, Julie shift-deleted the message while cleaning out her mailbox. Like most users, Julie has done this before and is familiar with the Recover Deleted Items capability within Outlook. However, this time, Julie made the mistake of clicking the delete button for the message in question instead of clicking the recover button. Panicking, Julie calls Help Desk to request recovery of the item.

Step 1: Search

The help desk ticket results in a workflow process that is performed by an IT administrator who has necessary rights to perform searches (in this scenario, the Help Desk technician’s user account has been delegated the Discovery Management role).

Note: By default, no accounts have the ability to perform mailbox searches. You can either create a custom role group to allow an administrator to search only a subset of mailboxes, or add the administrator to the Discovery Management built-in role group (which allows them to search all mailboxes in the Exchange organization) by using the following command:

    Add-RoleGroupMember "Discovery Management" -Member <user account>

The Help Desk technician has two choices for performing discovery, and the choice will depend on the target user’s client access license (CAL):

  1. If the users included in the search have Standard CALs, the Help Desk technician can only use the Search-Mailbox cmdlet.
  2. If the users included in the search have Enterprise CALs, the Help Desk technician can also use the New-MailboxSearch cmdlet, or the Multi-Mailbox Search feature in the Exchange Control Panel (ECP).

In Julie’s case, she provided the Help Desk technician with the following information:

  • The message was sent from her boss.
  • The message contains the word “Seattle”.

Searching messages by using Search-Mailbox

When a mailbox with a Standard CAL will be searched, the Search-Mailbox cmdlet will be used. The Search-Mailbox cmdlet requires the following information:

  • The mailbox to be searched
  • The search query criteria
  • The mailbox and folder where the results will be placed
  1. Knowing this information, the Help Desk technician executes the following command from the Shell:

    Search-Mailbox sec -SearchQuery "from:'boss' AND seattle" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "Secretary Recovery" -LogLevel Full

    Note: Search-Mailbox does not allow the target mailbox to be the same as the source mailbox. Search-Mailbox does allow you to be very specific in your search criteria. Besides scoping the search with the SearchQuery parameter using Advanced Query Syntax (AQS), in Exchange 2010 SP1 you can also use the SearchDumpsterOnly switch to search only items in the dumpster.

    The Help Desk technician receives the following output:

    RunspaceId : fb25cadf-a63f-4e88-8567-cb4ae1b30ade
    Identity : corp.contoso.com/Users/Secretary
    TargetMailbox : corp.contoso.com/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
    TargetPSTFile :
    Success : True
    TargetFolder : \Secretary Recovery\Secretary-4/14/2010 6:28:33 AM
    ResultItemsCount : 1
    ResultItemsSize : 1.577 KB (1,615 bytes)

  2. The Help Desk technician then logs into OWA and opens the Discovery Search Mailbox via the Open Other Mailbox option.

    Note: The OWA and ECP screenshots are from Exchange 2010 SP1. These are preliminary screen shots from pre-Beta software that are subject to change before the final release of SP1.

  3. The Help Desk technician navigates the folder structure within the Discovery Search Mailbox and verifies that he has recovered the item in question.

Searching messages by using Multi-Mailbox Search

When a mailbox with an Enterprise CAL will be searched, the administrator can use the Multi-Mailbox Search feature in the Exchange Control Panel. The Help Desk technician takes the following steps:

  1. He launches the Exchange Control Panel via https://mail.contoso.com/ecp and logs on using his credentials.
  2. From the Options drop-down, he selects Manage My Organization.
  3. He clicks on Service Level and selects the Mailbox Searches applet.
  4. He clicks New to create a new search request which requires at least the following information:
    1. The search query criteria
    2. The mailbox to be searched
    3. The mailbox and folder where the results will be placed
  5. When the results are obtained, he can either click on the [Open] link in the Mailbox Searches Results pane, or open the Discovery Search Mailbox via the Open Other Mailbox option from within OWA.
  6. He navigates the folder structure within the Discovery Search Mailbox and verifies that he has recovered the item in question.

Step 2: Recovery

At this point the Search phase is complete and the Recovery phase begins. There are two options for how to recover and return the item back to the user and it depends on the version of Exchange 2010 you have deployed:

  1. If you are running Exchange 2010 RTM or later, you can utilize the Search-Mailbox cmdlet to restore the item back to the user.
  2. If you are running Exchange 2010 SP1, you can utilize the PST import and export cmdlets to restore the item back to the user.

Search-Mailbox Recovery Process

  1. The Help Desk technician executes the following command from the Shell:

    Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'boss' AND seattle" -TargetMailbox sec -TargetFolder "Recovered by HelpDesk" -LogLevel Full -DeleteContent

    He receives the following output:

    RunspaceId : fb25cadf-a63f-4e88-8567-cb4ae1b30ade
    Identity : corp.contoso.com/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
    TargetMailbox : corp.contoso.com/Users/Secretary
    TargetPSTFile :
    Success : True
    TargetFolder : \Recovered by HelpDesk\Discovery Search Mailbox-4/14/2010 6:32:49 AM
    ResultItemsCount : 1
    ResultItemsSize : 1.577 KB (1,615 bytes)

  2. He notifies Julie that the item is recovered. Julie logs into her mailbox and verifies she has the correct item.

It’s important to note that due to the two-step process involved with Search-Mailbox (copying the results to the Discovery Mailbox and then copying the results back to the user’s mailbox) the hierarchy is the same for the end user: the root of the Discovery Search Mailbox, as well as the folder target that was used to place the item in the Discovery Search Mailbox, are both visible.

PST Export/Import Recovery Process

Exchange 2010 SP1 includes infrastructure that allows administrators to perform bulk import and export of PST files without requiring the installation of the Outlook client. This infrastructure, supported by the cmdlets *-MailboxImportRequest and *-MailboxExportRequest, leverages the Mailbox Replication Service and the framework that exists for moving mailboxes between databases (see Understanding Move Requests for more information).

To use this functionality, two prerequisites must be met:

  1. The person performing the import or export must have the appropriate permissions within Exchange. By default, no RBAC role group provides this functionality. To grant the ability for a help desk administrator, compliance officer, or Exchange administrator to perform bulk import/export capabilities against all mailboxes, the following commands must be executed:

    New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
    Add-RoleGroupMember "Mailbox Import-Export Management" -Member <user account>

    The first command creates a new role group that grants access to the *-MailboxImportRequest and *-MailboxExportRequest cmdlets. The second command adds a user to the role group.

  2. The Exchange Trusted Subsystem security group must have Full Control/Owner permissions on the file share that will be used to temporarily store the PST files.
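Both Discovery Management membership and the Mailbox Import Export role give access to the content of every mailbox, so the set of holders should be reviewed regularly. The following is an added example, not part of the original post: it lists the effective holders of both capabilities and flags any that are not on an approved list. The `$approved` list and its sample value are hypothetical.

```powershell
# Added example: who can search or export mailbox content?
# $approved is a hypothetical allow-list with a constructed sample value;
# replace it with the accounts your own change records authorise.
$approved = @('HelpDesk Technician')

# 'Mailbox Search' is the role behind Discovery Management searches;
# 'Mailbox Import Export' is the role granted in the step above.
$roles = 'Mailbox Search', 'Mailbox Import Export'

$holders = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        # Skip the placeholder row that stands for the group itself.
        Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
        Select-Object @{ n = 'Role'; e = { $role } },
                      EffectiveUserName,
                      RoleAssigneeName,
                      RoleAssignmentDelegationType
}

# Full picture. A delegating assignment lets the holder hand the role out
# rather than use it, so review those rows as well.
$holders | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize

# Direct members of the built-in role group used in Step 1.
Get-RoleGroupMember "Discovery Management" | Format-Table Name, RecipientType -AutoSize

# Holders that are not on the approved list.
$unexpected = @($holders | Where-Object { $approved -notcontains $_.EffectiveUserName })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unapproved holders of mailbox search/export roles:"
    $unexpected | Format-Table Role, EffectiveUserName, RoleAssigneeName -AutoSize
}
```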

In this scenario, the Help Desk technician is a member of the Mailbox Import-Export Management role group and thus can utilize the Import and Export cmdlets. The Help Desk technician:

  1. Runs the following command from the Shell to export the recovered data from the Discovery Search Mailbox to a PST file:

    New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -FilePath "\\exchsvr\HelpDeskPst\SecretaryRecovery.pst" -ContentFilter {Subject -eq "april travel plans"} -SourceRootFolder "Secretary Recovery"

  2. Runs the following command from the Shell to import the recovered data into Julie’s mailbox:

    New-MailboxImportRequest -Mailbox sec -FilePath "\\exchsvr\HelpDeskPst\SecretaryRecovery.pst" -TargetRootFolder "Recovered By HelpDesk"

  3. Notifies Julie that the item is recovered.

At this point, Julie logs into her mailbox and verifies she has the correct item.
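Export and import requests are queued and processed asynchronously by the Mailbox Replication Service, so the import should not be started until the export has completed, and the PST left on the share still contains mail content afterwards. The following is an added example, not code from the original post: it runs the two steps above in order, waits for each request, and then removes the requests and the temporary PST. The request names and the `Wait-Request` helper are made up for illustration; all other values come from the scenario.

```powershell
# Added example: export, wait, import, wait, clean up.
$pst = '\\exchsvr\HelpDeskPst\SecretaryRecovery.pst'

# Hypothetical helper: poll a request until it completes, fails or times out.
function Wait-Request([scriptblock]$Get, [int]$TimeoutSeconds = 900) {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $status = "$((& $Get).Status)"
        if ($status -eq 'Completed') { return }
        if ($status -eq 'Failed' -or $status -eq 'CompletedWithWarning') {
            throw "Request ended with status $status"
        }
        Start-Sleep -Seconds 15
    }
    throw "Request did not complete within $TimeoutSeconds seconds"
}

# Step 1: export the recovered item from the Discovery Search Mailbox.
New-MailboxExportRequest -Name 'SecRecoveryExport' `
    -Mailbox "Discovery Search Mailbox" -FilePath $pst `
    -ContentFilter {Subject -eq "april travel plans"} `
    -SourceRootFolder "Secretary Recovery" | Out-Null
Wait-Request { Get-MailboxExportRequest -Name 'SecRecoveryExport' }

# Step 2: import into the user's mailbox only after the export has finished.
New-MailboxImportRequest -Name 'SecRecoveryImport' `
    -Mailbox sec -FilePath $pst `
    -TargetRootFolder "Recovered By HelpDesk" | Out-Null
Wait-Request { Get-MailboxImportRequest -Name 'SecRecoveryImport' }

# Clean up: completed requests are not removed automatically, and the PST
# is a copy of mailbox data sitting on a file share.
Get-MailboxExportRequest -Name 'SecRecoveryExport' |
    Remove-MailboxExportRequest -Confirm:$false
Get-MailboxImportRequest -Name 'SecRecoveryImport' |
    Remove-MailboxImportRequest -Confirm:$false
Remove-Item -Path $pst
```

The account running the script needs permission to delete files on the share for the last line to succeed.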

Conclusion

Exchange 2010 provides you the means to ensure data is not deleted from the system prior to the expiration of its deleted item retention. In the event that a message is accidentally or maliciously purged from the user’s dumpster, it can be easily recovered and restored using built-in tools.

-- Ross Smith IV

15 Comments
Not applicable
Or maybe Julie can call her boss and ask them to resend the original e-mail?
Not applicable
Perhaps a better example would be an email from an external partner - she'd rather look like an id10T to IT than to the partner... :)
Not applicable
Great article!
You can check that one too: http://www.simple-talk.com/sysadmin/exchange/single-item-recovery/
Not applicable
Great article, although a lot of times my users give me such generic search terms (in the year 2008, from Matt) that this would take forever following this procedure.
Is there any way I can view all items in the dumpster then use instant search?

Thanks
-Drew
Not applicable

@Drew: The Recoverable Items folder (aka "dumpster") is a hidden folder - you can't view it using Outlook. You can use MAPI tools such as MFCMapi to view items in it, but you can't get Instant Search (an Outlook feature) with such tools.

Workaround: You can use the Search-Mailbox cmdlet with the SearchDumpsterOnly switch (new in SP1), and if you don't specify any search terms, all items from the dumpster are copied to the target mailbox. You can narrow it down by a date range, sender, etc. You can then use Outlook/OWA to access the target mailbox and use Instant Search to refine your search further, if required.

Not applicable
All of these things should be in the GUI - resorting to a command line tool means the product isn't finished yet - a continual state for Exchange now it seems. Put this stuff in the GUI otherwise you will lose marketshare. This is what I hate MOST about Exchange (GUI not finished) and it is causing me to look elsewhere.
Not applicable
Whatever happened to ExMerge? You could do full store searches, export or copy to pst. No enterprise cals needed. Also I'm more concerned with quickly removing messages. Like when someone replies to all with confidential info. ExMerge was perfect for that.
Not applicable
Ha, I'd rather stick with my backup tapes than spending hours just to search the user's message. Instead of making things easier, 2010 makes it harder...
Not applicable
I don't see "Service Level" in my ECP after selecting Manage My Organization (Multi Mailbox Search, Step 3). AFAIK, there doesn't appear to be a prerequisite to having that appear.
I like having the feature in the Web-based GUI (if I could get to it) as I always have somebody who accidentally deletes a bunch of stuff and recovering via DPM 2007 is painful. I welcome this feature!
Not applicable
How much of what is in this article is only available in SP1 of Exchange 2010? Is the Service Level link BillH refers to only in the SP1 version of the ECP?
Not applicable
To answer BillH's question:
After you select My Organization in the GUI, you select Reporting, not Service Level as stated in the article.
Not applicable
I have installed SP1 beta and can't find the New-MailboxExportRequest

Not applicable

@Kristof: You need to have the Mailbox Import Export role, which isn't assigned to any role group by default. You can add the role to an existing or new role group.

For details, see Where are my Mailbox Import Export / Support Diagnostics cmdlets?.

Not applicable
Hi there I am trying to export pst file but getting error of and says I need 32 bit machine and outlook. What can I do to set up this process. Do I need to set up remote powershell session?
thanks i am new to this
Not applicable
I have been giving this "backupless" option for Exchange 2010 some serious thought and have been carefully running through all possible scenarios where users are reporting "lost or disappeared" mails.
Considering that database copies are my safety net for server or database disasters, and lagged database copies can only go as far as 14 days, can I really respond to all my user requests for mail recovery if I don't have a good-old Exchange backup? In other words, can single item recovery be my salvation?
I'm having difficulties understanding what is really meant with "item". Are we talking "folders" in the same way? Or should we only consider the legal aspects and do away with anything that has no legal value such as a folder structure and how people have organized their content ?
Consider the following scenarios:
1. a user reports that he or she has accidentally deleted an entire folder (some of them really organize their mails in hundreds of folders and subfolders), and this folder is nowhere to be found in the deleted items folder nor in the recover deleted items. At most they can provide a couple of key words to search for, but that would only cover a fraction of all the mails that were in there.
2. Using Outlook 2010 and Exchange 2010 (no SP1, no rollup yet), I created a root+subfolder and put 1 mail item in the subfolder. I then deleted the root folder. Looking at the deleted items folder I can perfectly see and thus recover my entire structure along with the mails. However, as soon as these folders are deleted from the deleted items, they can no longer be found in the recover deleted items, only the mail item can. You can restore the mail item, but there's no way you can restore the entire folder structure the same way you can when recovering from the deleted items folder. You can try the mailbox discovery option in ECP, but you cannot search for "the entire folder structure and all emails in it".
3. Another one: what if a user has accidentally "moved" an entire folder structure, but is unable to find it ? These things do happen in real life, I agree not every day, but when it does, how do you respond to that if you can't do a point-in-time restore of the user's mailbox ?
Last update: Jul 01 2019 03:51 PM