Recovering from a retention policy change. Help

%3CLINGO-SUB%20id%3D%22lingo-sub-84235%22%20slang%3D%22en-US%22%3ERecovering%20from%20a%20retention%20policy%20change.%20Help%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84235%22%20slang%3D%22en-US%22%3EA%20retention%20policy%20change%20created%20some%20undesired%20results%20in%20our%20organization.%20Long%20story%20short%2C%20anything%20older%20than%2030%20days%20was%20deleted%20across%20the%20entire%20mailbox%20across%20most%20of%20the%20organization.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20now%20tasked%20with%20attempting%20recovery.%3CBR%20%2F%3E%3CBR%20%2F%3EDoes%20anyone%20here%20have%20experience%20they%20can%20share%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20thinking%20that%20I%20could%20probably%20use%20Search-Mailbox%20to%20do%20some%20recovery.%20I%20also%20saw%20a%20blog%20post%20with%20a%20power%20shell%20script%20that%20interacts%20directly%20with%20EWS%20that%20I%20plan%20on%20kicking%20the%20tires%20on.%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20help%20or%20direction%20would%20be%20greatly%20appreciated%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3CBR%20%2F%3ESb%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-84235%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84535%22%20slang%3D%22en-US%22%3ERe%3A%20Recovering%20from%20a%20retention%20policy%20change.%20Help%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84535%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20they%20recently%20introduced%20a%20feature%20to%20recover%20deleted%20messages%20to%20their%20original%20folder%20(%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fexchange%2F2017%2F06%2F13%2Fannouncing-original-folder-item-recovery%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fexchange%2F2017%2F06%2F13%2Fannouncing-original-folder-item-recovery%2F%3C%2FA%3E)%2C%20however%20this%20does%20not%20work%20with%20EWS%2C%20afaik.%20You%20will%20have%20to%20manually%20check%20for%20the%20parent%20folder%20property%20and%20adjust%20the%20script%20to%20perform%20the%20move%2Frestore%20operation%20accordingly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84504%22%20slang%3D%22en-US%22%3ERe%3A%20Recovering%20from%20a%20retention%20policy%20change.%20Help%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84504%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20this%20bit.%20%26nbsp%3BI%20made%20significant%20progress%20with%20the%20EWS%20script.%20%26nbsp%3BI%20am%26nbsp%3Bable%20to%20connect%2C%20find%20the%20items%2C%20and%20for%20the%20most%20part%2C%20recover%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20one%20sticking%20point%20is%20-%20ideally%2C%20I%20would%20like%20to%20recover%20them%20to%20the%20folder%20that%20they%20were%20deleted%20from%20-%20including%20user%20created%20folders%20within%20the%20mailbox.%20%26nbsp%3BI%20see%20the%20parentfolderid%20on%20the%20message%20-%20but%20it%20is%20some%20long%20crazy%20GUID%20or%20other%20unique%20identifier.%20%26nbsp%3BI%20haven't%20yet%20been%20able%20to%20tie%20that%20to%20a%20folder%20in%20the%20mailbox%20--%20%26nbsp%3Bam%20I%20headed%20in%20the%20right%20direction%3F%20%26nbsp%3BShould%20that%20parentfolderid%20refer%20to%20the%20folder%20in%20which%20the%20message%20was%20deleted%20from%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again!%3C%2FP%3E%3CP%3Esteve%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84252%22%20slang%3D%22en-US%22%3ERe%3A%20Recovering%20from%20a%20retention%20policy%20change.%20Help%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84252%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20EWS%20based%20script%20is%20your%20best%20option%20here%2C%20as%20Search-Mailbox%2FeDiscovery%20cannot%20restore%20the%20deleted%20files%20directly%20in%20their%20original%20folders.%20You%20can%20of%20course%20also%20instruct%20the%20users%20to%20manually%20recover%20the%20items%2C%20depending%20on%20the%20type%20of%20tag%20you've%20configured%20that%20is.%3C%2FP%3E%3CP%3ETo%20avoid%20any%20data%20loss%2C%20make%20sure%20to%20increase%20the%20Single-item%20recovery%20window%20to%20the%20maximum%20of%2030%20days%20and%20if%20you%20have%20the%20necessary%20licenses%2C%20put%20the%20mailboxes%20temporary%20on%20hold.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84239%22%20slang%3D%22en-US%22%3ERe%3A%20Recovering%20from%20a%20retention%20policy%20change.%20Help%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84239%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Stephen%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20about%20the%20issue%20that%20you%20have%20in%20hand%20now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20you%20can%20use%20search%2C%20but%20I%20suggest%20that%20you%20open%20a%20Ticket%20in%20Office%20365%20to%20better%20Microsoft%20understand%20the%20problem%20and%20to%20fit%20the%20best%20solution%20to%20recover%20the%20information.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor
A retention policy change created some undesired results in our organization. Long story short, anything older than 30 days was deleted across the entire mailbox across most of the organization.

I am now tasked with attempting recovery.

Does anyone here have experience they can share?

I am thinking that I could probably use Search-Mailbox to do some recovery. I also saw a blog post with a power shell script that interacts directly with EWS that I plan on kicking the tires on.

Any help or direction would be greatly appreciated

Thanks
Sb
4 Replies
Highlighted

Hi Stephen,

 

Sorry about the issue that you have in hand now.

 

Yes you can use search, but I suggest that you open a Ticket in Office 365 to better Microsoft understand the problem and to fit the best solution to recover the information.

Highlighted

That EWS based script is your best option here, as Search-Mailbox/eDiscovery cannot restore the deleted files directly in their original folders. You can of course also instruct the users to manually recover the items, depending on the type of tag you've configured that is.

To avoid any data loss, make sure to increase the Single-item recovery window to the maximum of 30 days and if you have the necessary licenses, put the mailboxes temporary on hold.

Highlighted

Thanks for this bit.  I made significant progress with the EWS script.  I am able to connect, find the items, and for the most part, recover them.

 

The one sticking point is - ideally, I would like to recover them to the folder that they were deleted from - including user created folders within the mailbox.  I see the parentfolderid on the message - but it is some long crazy GUID or other unique identifier.  I haven't yet been able to tie that to a folder in the mailbox --  am I headed in the right direction?  Should that parentfolderid refer to the folder in which the message was deleted from?

 

Thanks again!

steve

Highlighted

Well, they recently introduced a feature to recover deleted messages to their original folder (https://blogs.technet.microsoft.com/exchange/2017/06/13/announcing-original-folder-item-recovery/), however this does not work with EWS, afaik. You will have to manually check for the parent folder property and adjust the script to perform the move/restore operation accordingly.