eDiscovery is a powerful feature available in Microsoft Exchange. eDiscovery Managers use it to perform discovery searches across all mailboxes in the organization, and it is important for compliance and legal purposes.
By default, the Discovery Management role group is created when the first Microsoft Exchange Server is installed. As most of us know, this role group grants administrators access to perform eDiscovery searches, and because it is a default role group, we can't restrict its scope to specific mailboxes. Members of this role group can search all mailboxes across the organization.
So, what do you do when you get a request to restrict the eDiscovery search to a specific subset of mailboxes based on company or department? Is it even possible?
The answer to this is yes! We can utilize the power of Role Based Access Control (RBAC) to limit the search to a subset of mailboxes.
Note: The only RecipientRestrictionFilter in Microsoft Exchange Server 2013 and Exchange Online that is supported for a custom eDiscovery scope is the memberofGroup property for user mailboxes.
This blog post discusses such a scenario where the search is restricted to a specific department. For this to be supported in Microsoft Exchange 2013, we need to follow a common set of rules when creating custom scopes for eDiscovery.
John works for a company named TailSpin Toys. John has been given a new task within the company. John will be working as eDiscovery Manager within the company and will perform eDiscovery searches for a specific set of mailboxes that reside in the Accounting department. The Microsoft Exchange administrator will need to assign necessary permissions to John BUT will have to ensure John can’t perform eDiscovery searches on mailboxes in any department other than Accounting. In this scenario, we will restrict the scope of the search to a specific department named Accounting.
To implement this scenario we will walk through the following steps.
As per the scenario, the Exchange administrator creates a distribution group named eDiscovery Accounting Users by running the following command.
New-DistributionGroup -Name "eDiscovery Accounting Users" -Alias "ediscoveryaccounting" -MemberJoinRestriction closed -MemberDepartRestriction closed -ModerationEnabled $true
The administrator then adds the required set of user mailboxes to the new group.
To list all user mailboxes that are part of the Accounting department, the Exchange administrator runs the following command.
Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "Accounting"'
The previous command can be used to create a variable that can be used with the Add-DistributionGroupMember cmdlet to add a group of users to a distribution group.
$members = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "Accounting"'
The previous command creates a variable that contains all user mailboxes that have the value Accounting for the Department property in their user account. The following command will add the users to the Accounting distribution group.
$members | ForEach {Add-DistributionGroupMember "eDiscovery Accounting Users" -Member $_.Name}
Points to remember:
Custom scopes are needed when neither the implicit write scope nor the predefined relative scopes meet the needs of your business. Custom scopes enable you to define, at a granular level, the scope to which your management role will be applied.
For more information regarding the Custom scopes, please see Understanding management role scopes.
After the user mailboxes are added to the distribution group eDiscovery Accounting Users, the next step is to create a Custom Management Scope.
Create a custom management scope
Run the following command to save the properties of the eDiscovery Accounting Users group to a variable, which is used in the next command.
$DG = Get-DistributionGroup -Identity "eDiscovery Accounting Users"
The next step is to create a custom scope where the RecipientRestrictionFilter is set to the distinguished name of the distribution group created in Step 1. After the scope is created, it will be assigned to the role group that is created in a later step.
New-ManagementScope "Accounting Users eDiscovery Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
After the management scope is created, you can verify the RecipientFilter by running the following command. This recipient filter will be used to define the scope of the eDiscovery search operation.
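To see which recipients the new scope actually covers, you can feed the scope's own OPATH filter back into Get-Recipient and compare the result with the Accounting department filter used earlier. This is an added example, not a command from the original post; it assumes the scope name and department value used in this post and is run from the Exchange Management Shell.

```powershell
# Added example (not from the original post): enumerate the recipients that
# fall inside the custom scope by re-using the scope's stored filter, then
# compare that set with the Accounting department membership.
$scopeName = "Accounting Users eDiscovery Scope"
$scope     = Get-ManagementScope -Identity $scopeName

# The scope stores the OPATH filter that RBAC evaluates against each recipient.
Write-Host "RecipientFilter: $($scope.RecipientFilter)"

# -RecipientPreviewFilter evaluates an OPATH filter against the directory, so
# the result is the set of recipients an eDiscovery manager in the scoped role
# group is allowed to search.
$inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited

# Expected set: user mailboxes whose Department is Accounting (same filter as the post).
$expected = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
            -Filter 'Department -eq "Accounting"'

$inScopeDN  = @($inScope  | ForEach-Object { $_.DistinguishedName })
$expectedDN = @($expected | ForEach-Object { $_.DistinguishedName })

# In scope but not an Accounting user mailbox: a group-membership mistake,
# unless it is the discovery mailbox that stores search results.
$extra = $inScope | Where-Object {
    $expectedDN -notcontains $_.DistinguishedName -and
    $_.RecipientTypeDetails -ne 'DiscoveryMailbox'
}
# Accounting mailbox not in scope: a search would fail for it.
$missing = $expected | Where-Object { $inScopeDN -notcontains $_.DistinguishedName }

Write-Host "$($inScopeDN.Count) recipients in scope, $($expectedDN.Count) Accounting user mailboxes."
if ($extra)   { Write-Warning "In scope but not Accounting:"; $extra   | Format-Table Name, RecipientTypeDetails -AutoSize }
if ($missing) { Write-Warning "Accounting but not in scope:"; $missing | Format-Table Name, RecipientTypeDetails -AutoSize }
if (-not $extra -and -not $missing) { Write-Host "Scope matches the Accounting department exactly." }
```

Run this after every change to the distribution group; because the scope is evaluated from group membership rather than from the Department attribute, the two sets drift apart silently whenever someone changes department without the group being updated.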
Note:
In this step, you will create a new management role group and assign it the custom management scope named "Accounting Users eDiscovery Scope" that was created in the previous step. To do this, run the following command.
New-RoleGroup "Accounting Users eDiscovery Managers" -Roles "Mailbox Search","Legal Hold" -CustomRecipientWriteScope "Accounting Users eDiscovery Scope" -Members "John@tailspintoys.com"
The new role group will be created under the Microsoft Exchange Security Groups container and will have the "Mailbox Search" and "Legal Hold" roles associated with it. The eDiscovery search scope will be restricted to the members of the eDiscovery Accounting Users distribution group, which is the RecipientFilter for the scope. John is added as a member of the role group and will have the permissions to perform the required administrative tasks.
If you want to add additional members to the role group, you can run the following command.
Add-RoleGroupMember "Accounting Users eDiscovery Managers" -Member "Jane@tailspintoys.com"
Note: It's important not to add unmonitored or unauthorized users to the Discovery Management role group as they will get access to discovery mailboxes, and they can search mailboxes across the entire organization.
To check the RoleAssignments associated with the "Accounting Users eDiscovery Managers" role group, run the following command.
Get-RoleGroup "Accounting Users eDiscovery Managers" | FL
Run the following command to view the CustomRecipientWriteScope and the RecipientReadScope associated with the role.
Get-ManagementRoleAssignment "Mailbox Search-Accounting Users eDiscovery Managers" | FL
The previous command shows the roles assigned to the "Accounting Users eDiscovery Managers" role group. It also tells us that the RoleGroupType is set to Standard and the RecipientReadScope is set to Organization, which means all mailboxes across the organization are visible to the eDiscovery Managers. However, a search against a mailbox outside the scope will fail for members of the Accounting Users eDiscovery Managers role group, because the CustomRecipientWriteScope is defined for only that subset of mailboxes.
Note: By default, all the mailboxes will be visible to eDiscovery Managers, and the RecipientReadScope parameter cannot be overridden to restrict this.
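Because the read scope stays Organization-wide, the custom write scope is the only control that limits what the role group can search, so it is worth checking every role assignment of the group for that scope, and checking that nobody unexpected has ended up in the unrestricted Discovery Management role group (the concern in the note above). The following is an added example, not a command from the original post; it assumes the role group and scope names used in this post, and the approved member list for Discovery Management is a constructed placeholder.

```powershell
# Added example (not from the original post): audit a custom eDiscovery role
# group so that every role assignment carries the custom write scope, and
# report members of the organization-wide Discovery Management role group.
$roleGroup = "Accounting Users eDiscovery Managers"
$scopeName = "Accounting Users eDiscovery Scope"

# One assignment per role (Mailbox Search, Legal Hold) is expected here.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $roleGroup

foreach ($ra in $assignments) {
    # RecipientWriteScope must be CustomRecipientScope and point at our scope;
    # RecipientReadScope stays Organization and cannot be narrowed.
    $scopeOk = ("$($ra.RecipientWriteScope)" -eq 'CustomRecipientScope') -and
               ("$($ra.CustomRecipientWriteScope)" -eq $scopeName)
    $line = "{0,-15} read={1,-13} write={2,-22} custom={3}" -f `
        "$($ra.Role)", "$($ra.RecipientReadScope)", "$($ra.RecipientWriteScope)", "$($ra.CustomRecipientWriteScope)"
    if ($scopeOk) { Write-Host "OK       $line" } else { Write-Warning "UNSCOPED $line" }
}

if (-not $assignments) {
    Write-Warning "No role assignments found for '$roleGroup'; searches will fail entirely."
}

# Members of Discovery Management can search every mailbox in the organization,
# so its membership should match an approved list (constructed placeholder).
$approvedDiscoveryManagers = @("Administrator")
Get-RoleGroupMember -Identity "Discovery Management" | ForEach-Object {
    if ($approvedDiscoveryManagers -notcontains $_.Name) {
        Write-Warning "Unexpected Discovery Management member: $($_.Name)"
    }
}
```

An assignment reported as UNSCOPED means the role group can search the whole organization for that role, which is exactly the condition this post is designed to avoid; a role group with no assignments at all is the opposite failure, where John cannot run searches.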
To create a discovery mailbox to store the search results of eDiscovery searches of mailboxes in the Accounting department, run the following command.
New-Mailbox -Name "Discovery mailbox-Accounting" -UserPrincipalName "eDSaccounting@tailspintoys.com" -Discovery
Note: The discovery mailbox must also be added to the eDiscovery Accounting Users distribution group so that it falls within the custom scope. Run the following command to add it.
Add-DistributionGroupMember -Identity "eDiscovery Accounting Users" -Member "Discovery mailbox-Accounting"
The next step is to assign John the FullAccess permission to the discovery mailbox so he can open the discovery mailbox and view search results.
Add-MailboxPermission -Identity "Discovery mailbox-Accounting" -User "Tailspintoys\John" -AccessRights "FullAccess"
After the permissions have replicated, John can access the discovery mailbox.
Points to remember
For more information check below:
At this point, John performs a discovery search, choosing some of the mailboxes from Accounting and an appropriate date range, and gets the expected results. For more information on how to do a discovery search, please go here:
Create an In-Place eDiscovery search
If John tries to perform a search on mailboxes outside the custom scope, the search will return the error shown below. This happens because the RecipientRestrictionFilter applied to the scope, and in turn to the role group, checks the MemberOfGroup property. When it finds that the MemberOfGroup value of the user mailbox doesn't match the distinguished name of the eDiscovery Accounting Users distribution group, it confirms the user mailbox isn't within the custom scope.
Even though you grant the Mailbox Search role explicitly to the role group, you won't be able to search mailboxes outside the scope.
By default, administrator audit logging is enabled in new installations of Microsoft Exchange 2013, and all cmdlets run directly in the Exchange Management Shell are audited. In addition, operations performed using the EAC are also logged, because those operations run cmdlets in the background. This includes the eDiscovery cmdlets run in the environment. The administrator needs to be a member of the Discovery Management role group in order to have access to the MailboxSearch cmdlets.
The Organization Management role group doesn't, by default, enable the discovery search feature for users or universal security groups (USGs) that are members of that role group. Members of the Organization Management role group must either be made members of this role group, or the Mailbox Search role listed later in this topic must be manually assigned to the Organization Management role group.
The audit log reports can be exported by the administrator using the EAC to track changes in your organization. Also, the administrator can run the In-Place eDiscovery & Hold report for a specific date to check the searches performed on that day. It will also report any modifications made to the search.
The administrator audit log keeps track of the cmdlets run in the environment, and in this way any unauthorized access can be tracked down.
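The same audit log can be queried from the shell, which makes it straightforward to review who has been running In-Place eDiscovery cmdlets and whether any of those runs failed (a search attempted outside the custom scope shows up as a failed Start-MailboxSearch). The following is an added example, not a command from the original post; the cmdlet names are the real MailboxSearch cmdlets, while the seven-day window, the role group names and the caller-name format are assumptions.

```powershell
# Added example (not from the original post): pull administrator audit log
# entries for the In-Place eDiscovery cmdlets from the last 7 days, list them,
# and flag callers who are not in an eDiscovery role group.
$ediscoveryCmdlets = @("New-MailboxSearch", "Set-MailboxSearch", "Start-MailboxSearch",
                       "Stop-MailboxSearch", "Remove-MailboxSearch")
$since = (Get-Date).AddDays(-7)    # assumed review window

$events = @(Search-AdminAuditLog -Cmdlets $ediscoveryCmdlets `
            -StartDate $since -EndDate (Get-Date) -ResultSize 5000)

# Who is expected to run searches: the scoped role group plus Discovery Management.
$allowed = @(Get-RoleGroupMember -Identity "Accounting Users eDiscovery Managers") +
           @(Get-RoleGroupMember -Identity "Discovery Management") |
           ForEach-Object { $_.Name }

# Chronological listing with parameters and outcome.
foreach ($e in ($events | Sort-Object RunDate)) {
    $params = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " "
    $status = if ($e.Succeeded) { "ok" } else { "FAILED: $($e.Error)" }
    Write-Host ("{0:u} {1} {2} {3} [{4}]" -f $e.RunDate, $e.Caller, $e.Cmdlet, $params, $status)
}

# Per-caller summary. Caller is assumed to be a canonical name such as
# tailspintoys.com/Users/John, so the last segment is compared with the
# role group member names.
$events | Group-Object Caller | ForEach-Object {
    $cn   = ($_.Name -split '/')[-1]
    $flag = if ($allowed -contains $cn) { "" } else { "  <-- not in an eDiscovery role group" }
    $failed = @($_.Group | Where-Object { -not $_.Succeeded }).Count
    Write-Host ("{0,-45} {1,4} cmdlets, {2,3} failed{3}" -f $_.Name, $_.Count, $failed, $flag)
}
```

A caller who appears in this report without being in either role group is worth investigating (the cmdlets would have been denied, but the attempt itself is the signal), and a run of failed entries from a legitimate eDiscovery manager usually means the target mailboxes were never added to the distribution group.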
For more information check below links:
The scenario discussed in this blog post is always an available option for restricting eDiscovery searches based on department or company. The only requirement is to use a distribution group for the subset of mailboxes for which you want to restrict eDiscovery. The only property on a user mailbox that you can use to create a recipient filter for a custom scope is distribution group membership (the actual property name is MemberOfGroup). If you use other properties, such as CustomAttribute, Department, or PostalCode, the search method will be considered unsupported.
Reference: Create a custom management scope for In-Place eDiscovery searches
So if you want to do a search for mailboxes across departments or separate companies, you will have to manually add the users to the distribution group, or use PowerShell to add users in bulk to a specific distribution group based on department or company.
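Since the supported filter is group membership rather than the Department attribute, the group has to be kept in step with the department by hand (the one-off population shown earlier with Get-Recipient and Add-DistributionGroupMember, and the bulk adds mentioned just above). The following is an added example, not a script from the original post, that turns that into a repeatable sync: it adds mailboxes that moved into Accounting, removes mailboxes that left, and leaves the discovery mailbox alone. Group and department names are those used in this post.

```powershell
# Added example (not from the original post): reconcile the eDiscovery
# Accounting Users group with the Department attribute so the custom scope
# follows department changes instead of drifting.
$group      = "eDiscovery Accounting Users"
$department = "Accounting"

# Desired membership: user mailboxes whose Department is Accounting.
$desired = @(Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
             -Filter "Department -eq '$department'")

# Current membership. The discovery mailbox that stores search results has no
# Department value but must stay in the group (and therefore in scope), so it
# is excluded from the comparison rather than removed.
$current = @(Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
             Where-Object { $_.RecipientTypeDetails -ne 'DiscoveryMailbox' })

$desiredDN = $desired | ForEach-Object { $_.DistinguishedName }
$currentDN = $current | ForEach-Object { $_.DistinguishedName }

$toAdd    = @($desired | Where-Object { $currentDN -notcontains $_.DistinguishedName })
$toRemove = @($current | Where-Object { $desiredDN -notcontains $_.DistinguishedName })

foreach ($r in $toAdd) {
    Write-Host "Adding   $($r.Name) (now in $department)"
    Add-DistributionGroupMember -Identity $group -Member $r.DistinguishedName
}
foreach ($r in $toRemove) {
    # A mailbox that left Accounting must leave the scope too; otherwise the
    # eDiscovery manager keeps the ability to search it.
    Write-Host "Removing $($r.Name) (no longer in $department)"
    Remove-DistributionGroupMember -Identity $group -Member $r.DistinguishedName -Confirm:$false
}
Write-Host "Sync complete: $($toAdd.Count) added, $($toRemove.Count) removed, $($current.Count - $toRemove.Count + $toAdd.Count) members (plus discovery mailbox)."
```

Running this on a schedule keeps the custom scope aligned with the organization's actual Accounting department; the removal branch is the part that matters most for least privilege, because a mailbox that transfers out of Accounting otherwise remains searchable by the Accounting eDiscovery managers indefinitely.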
Note:
In this blog post I have tried to discuss and walk you through the options for restricting eDiscovery to discovery managers as per business needs using Role Based Access Control.
I would like to thank Mark Johnson, Bharat Suneja, Nino Bilic, Jennifer Gagnon & Quentin Christensen for their help in validating the method described in the blog post!
Special Thanks to Ben Winzenz, Chris Pollitt, Matthew Byrd, Charlotte Raymundo for their contributions while this blog post was being written.
Siddhesh Dalvi