The steps for accomplishing this are documented in various places in Exchange documentation, but it can be difficult to refer to multiple sources if you have a mixed environment containing several versions of Exchange Server. We wanted to provide a single place with somewhat generic instructions on how to accomplish these tasks across all currently supported versions of Exchange Server - Exchange 2010, Exchange 2007, and Exchange 2003.
The versatile Export-Mailbox cmdlet can export mailbox content based on specific folder names, date and time range, attachment file names, and many other filters. A narrow search will go a long way in preventing accidental deletion of legitimate mail. For more details, syntax and parmeter descriptions, see the following topics:
The account used to export the data must be an Exchange Server Administrator, a member of the local Administrators group of the target server, and have Full Access mailbox permission assigned on the source and target mailboxes. The target mailbox you specify must already be created; the target folder you specify is created in the target mailbox when the command runs.
This example retrieves all mailboxes from an Exchange organization and assigns the Full Access mailbox permission to the MyAdmin account. You must run this before exporting or deleting messages from user mailboxes. Note, if you need to export or delete messages only from a few mailboxes, you can use the Get-Mailbox cmdlet with appropriate filters, or specify each source mailbox.
Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all
After exporting or deleting messages from mailboxes, you can remove the Full Access mailbox permission, as shown in this example:Get-Mailbox -ResultSize unlimited | Remove-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all
This example removes all messages with the subject keyword "Friday Party" and received between Sept 7 and Sept 9 from the Inbox folder of mailboxes on Server1. The messages will be deleted from the mailboxes and copied to the folder DeleteMsgs of the MyBackupMailbox mailbox. The Administrator can now review these items or delete them from the MyBackupMailbox mailbox. The StartDate and EndDate parameters must match the date format setting on the server, whether it is mm-dd-yyyy or dd-mm-yyyy.
Get-Mailbox -Server Server1 -ResultSize Unlimited | Export-Mailbox -SubjectKeywords "Friday Party" -IncludeFolders "\Inbox" -StartDate "09/07/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox MyBackupMailbox -TargetFolder DeleteMsgs -Confirm:$false
This example removes all messages that contain the words "Friday Party" in the body or subject from all mailboxes.
Depending on the size of your environment, it is better to do the extraction/deletion in batches by using the Get-Mailbox cmdlet with the Server or Database parameters (Get-Mailbox -Server servername -ResultSize Unlimited or Get-Mailbox -Database DB_Name -ResultSize Unlimited), or specifying a filter using the Filter parameter. You can also use the Get-DistributionGroupMember cmdlet to perform this operation on members of a distribution group.
Get-Mailbox -ResultSize Unlimited | Export-Mailbox -ContentKeywords "Friday Party" -TargetMailbox MyBackupMailbox -TargetFolder 'Friday Party' -DeleteContent
It is recommended to always use a target mailbox (by specifying the TargetMailbox and TargetFolder parameters) so you have a copy of the data. You can review messages before purging them so any legitimate mail returned by the filter can be imported back to its owner mailbox. However, it is possible to outright delete all messages without temporarily copying them to a holding mailbox.
This example deletes all messages that contain the string "Friday Party" in the message body or subject, without copying them to a target mailbox.
Get-Mailbox | Export-Mailbox -ContentKeywords "Friday Party" -DeleteContent
The ExMerge utility can be used to extract mail items from mailboxes located on legacy Exchange Server versions. Follow the steps in KB 328202 HOW TO: Remove a Virus-Infected Message from Mailboxes by Using the ExMerge.exe Tool to remove unwanted messages from user mailboxes.
The following posts have more details:
There may be times where you need to purge messages from Exchange Server's mail queues to prevent delivery of unwanted mail. For more details about mail queues, see Understanding Transport Queues.
Removing a message from the queue is a two-step process. The first thing that must be done is that the message itself must be suspended. Once the messages have been suspended then you can precede with removing them from the queue. The below commands are based on suspending and removing messages based on the Subject of the message.
Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.Subject -eq "Friday Party" -and $_.Queue -notlike "*\Submission*"} | Suspend-Message
On Exchange 2007 RTM to SP2, you will not be able to suspend or remove message that are held in the Submission queue. So the command will not run against the messages in the submission queue.
This command removes all suspended messages from queues other than the Submission queue.
Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.status -eq "suspended" -and $_.Queue -notlike "*\Submission*"} | Remove-Message -WithNDR $False
This command suspends messages that have the string "Friday Party" in the message subject in all queues on Hub Tranpsort servers.
Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where {$_.Subject -eq "Friday Party"} | Suspend-Message
This command removes messages that have the string "Friday Party" in the message subject in all queues on Hub Transport servers:
Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | Where {$_.Subject -eq "Friday Party"} | Remove-Message -WithNDR $False
Note, you can run the command against an individual Hub Transport server by specifiying the server name after Get-TransportServer.
You can also suspend and remove messages from a specified queue. To retrieve a list of queues on a transport server, use the Get-Queue cmdlet.
This example suspends messages with the string "Friday Party" in the message subject in a specified queue.
Get-Message -Queue "server\queue" -ResultSize unlimited | where{$_.Subject -eq "Friday Party"} | Suspend-Message
This example removes messages with the string "Friday Party" in the message subject in the specified queue.
Get-Message -Queue "server\queue" -ResultSize unlimited | where{$_.Subject -eq "Friday Party" } | Remove-Message -WithNDR $False
In Exchange 2003/2000, you can use MFCMapi to clear the queues. For details, see KB 906557 How to use the Mfcmapi.exe utility to view and work with messages in the SMTP TempTables in Exchange 2000 Server and in Exchange Server 2003.
If there are a large number of messages in the queue, you may want to limit how many are displayed at a time. From the tool bar select Other > Options and under Throttle Level change the value to a more manageable number (for example, 1000).
On Exchange 2010 and Exchange 2007, you can use the New Transport Rule wizard from the EMC to easily create transport rules. The following examples illustrate how to accomplish this using the Shell. Note the variation in sytnax between the two versions. (The Exchange 2010 transport rule cmdlets have been simplified, allowing you to create or modify a transport rule using a one-line command.)
This example creates a transport rule to delete messages that contain the string "Friday Party" in the message subject.
New-TransportRule -Name "purge Friday Party messages" -Priority '0' -Enabled $true -SubjectContainsWords 'Friday Party' -DeleteMessage $true
This example creates a transport rule to delete messages that contain the string "Friday Party" in the message subject.
$condition = Get-TransportRulePredicate SubjectContains
$condition.Words = @("Friday Party")
$action = Get-TransportRuleAction DeleteMessage
New-TransportRule -name "purge Friday Party messages" -Conditions @($condition) -Actions @($action) -Priority 0
Note: If your Exchange Organization has mixed Exchange 2007 and Exchange 2010 you will have to create a rule for each Exchange version.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.