Share via


Understanding Multi-Mailbox Search

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or lawsuits), Microsoft Exchange Server 2010 Multi-Mailbox Search can help you perform discovery searches for relevant content within Exchange mailboxes.

Multi-Mailbox Search uses the content indexes created by Exchange Search. The Exchange Control Panel (ECP) provides an easy-to-use search interface for non-technical personnel such as legal and compliance officers, records managers, and human resources (HR) professionals. Role Based Access Control (RBAC) provides the Discovery Management management role group to delegate discovery tasks to non-technical personnel, without the need to provide elevated privileges that may allow a user to make any operational changes to Exchange configuration.

Contents

Uses for Multi-Mailbox Search

Exchange Search and Advanced Query Syntax

Discovery Management Role Group and Management Roles

Discovery Mailboxes

Performing a Discovery Search

Viewing Search Results

Logging of Discovery Searches

Litigation Hold and Discovery

Looking for management tasks related to Multi-Mailbox Search? See Managing Discovery.

The following are common uses of Multi-Mailbox Search:

  • Legal discovery Complying with legal discovery requests for messaging records is one of the most important tasks for organizations involved in lawsuits. Without a dedicated tool, searching messaging records within several mailboxes that may reside in different mailbox databases can be a time-consuming and resource-intensive task. Using Multi-Mailbox Search, you can search a large volume of e-mail messages stored in mailboxes across one or more Exchange 2010 servers, and possibly in different locations.

  • Internal investigations   Multi-Mailbox Search can help you facilitate requests from managers or legal departments as part of internal investigations.

  • Human Resources monitoring   Multi-Mailbox Search can help you facilitate HR requests, such as standard e-mail monitoring requirements or a specific search.

Return to top

Exchange Search and Advanced Query Syntax

Multi-Mailbox Search uses the content indexes created by Exchange Search. To provide the extensive search functionality required by Multi-Mailbox Search, new capabilities have been added to Exchange Search. With a single content indexing engine, no additional resources are used to crawl and index mailbox databases for Multi-Mailbox Search when discovery requests are received by IT departments.

To learn more about Exchange Search, see Understanding Exchange Search.

Multi-Mailbox Search also uses Advanced Query Syntax (AQS), the familiar query syntax used by Windows Search and Instant Search in Microsoft Office Outlook 2007 and Outlook 2010. Users proficient with AQS can easily construct powerful search queries to search content indexes.

For more information about AQS, see Using Advanced Query Syntax Programmatically.

Return to top

Discovery Management Role Group and Management Roles

For users to perform discovery searches, you must add them to the Discovery Management RBAC role group. This role group consists of two management roles: the Mailbox Search role, which allows a user to perform a discovery search, and the Legal Hold role, which allows a user to place a mailbox on litigation hold. To learn more about the Discovery Management RBAC role group, see Discovery Management. To learn more about RBAC, see Understanding Role Based Access Control.

By default, the Discovery Management role group doesn't have any members. The permissions to perform discovery-related tasks aren't assigned to any user. Also, by default, Exchange administrators don't have the permissions to perform a discovery search. Exchange administrators who are members of the Organization Management management role group can add users to the Discovery Management role group and create custom role groups to narrow the scope of a discovery manager to a subset of users. Auditing of RBAC role changes makes sure that adequate records are kept to track assignment of the Discovery Management role group. For details, see Overview of Administrator Audit Logging.

Important

If a user hasn't been added to the Discovery Management role group or isn't assigned the Mailbox Search role, the Multi-Mailbox Search user interface isn't displayed to the user in the ECP, and the Multi-Mailbox Search cmdlets aren't available in the Exchange Management Shell.

For more information about adding users to the Discovery Management role group, see Add a User to the Discovery Management Role Group.

Warning

Multi-Mailbox Search is a powerful feature that allows a user with the appropriate permissions to potentially have access to all messaging records stored throughout the Exchange 2010 organization. It's important to control and monitor discovery activities, including addition of members to the Discovery Management role group or any other role group with the Mailbox Search management role, assignment of the Mailbox Search management role, and assignment of mailbox access permission to discovery mailboxes.

Return to top

Discovery Mailboxes

When performing a discovery search, you must specify a target mailbox in which to store the search results. A discovery mailbox is a special type of Exchange 2010 mailbox that provides the following functionality:

  • Easier and secure target mailbox selection   When you use the ECP to create a discovery search, only discovery mailboxes are made available as a repository in which to store search results. You don't need to sort through a potentially long list of mailboxes available in the organization. This also eliminates the possibility of a discovery manager accidentally selecting another user's mailbox or an unsecured mailbox in which to store potentially sensitive message content.

  • Large mailbox storage quota   The target mailbox should be able to store a large amount of message data that may be returned by a discovery search. By default, discovery mailboxes have a mailbox storage quota of 50 gigabytes (GB). Although you can increase this quota, Discovery mailboxes larger than 50 GB are not supported.

    Note

    In Exchange 2010 Service Pack 1 (SP1), a discovery manager can get an estimate of search results to determine the total number and size of items returned by a discovery search.

  • Secure by default   Like all mailbox types, a discovery mailbox has an associated Active Directory user account. However, this account is disabled by default. Only users explicitly authorized to access a discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full Access permissions to the default discovery mailbox. Any additional discovery mailboxes you create don't have mailbox access permissions assigned to any user.

    Important

    In Exchange 2010 SP1, you can enable mailbox audit logging to audit access to mailboxes and actions such as folder or message access and deletions by mailbox owners, delegates, and administrators. For more details, see Understanding Mailbox Audit Logging.

  • E-mail delivery disabled   Although visible in Exchange address lists, users can't send e-mail to a discovery mailbox. E-mail delivery to discovery mailboxes is prohibited by using delivery restrictions. This preserves the integrity of search results.

Exchange 2010 Setup creates one discovery mailbox with the display name Discovery Search Mailbox. You can use the Shell to create additional discovery mailboxes. By default, the additional discovery mailboxes you create won't have any mailbox access permissions assigned. For details about how to create a discovery mailbox, see Create a Discovery Mailbox.

Multi-Mailbox Search also uses a system mailbox with the display name SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} to hold Multi-Mailbox Search metadata. System mailboxes aren't visible in the Exchange Management Console (EMC) or in Exchange address lists. Before removing a mailbox database where the Multi-Mailbox Search system mailbox is located, you must move the mailbox to another mailbox database.

Return to top

Users who have been added to the Discovery Management role group can perform discovery searches. To learn more about the Discovery Management role group, see Discovery Management Role Group and Management Roles earlier in this topic.

You can perform a discovery search using the Web-based interface in the ECP, as shown in the following figure. This makes it easier for non-technical users such as records managers, compliance officers, or legal and HR professionals to use Multi-Mailbox Search. You can also use the Shell to perform discovery searches.

Note

In a hybrid deployment, which is an environment where some mailboxes exist on your on-premises Mailbox servers and some mailboxes exist in a cloud-based organization, you can perform discovery searches of your cloud-based mailboxes using the ECP in your on-premises organization. If you intend to copy messages to a discovery mailbox, you must select an on-premises discovery mailbox. Messages from cloud-based mailboxes that are returned in search results are copied to the specified on-premises discovery mailbox.
For more details about hybrid deployments, see Understanding Hybrid Deployment.

Discovery search interface

Performing a mailbox search

When performing a search, a search object is created in Exchange 2010. This object can be manipulated to start, stop, modify, and remove the search. Items returned by a discovery search are copied to the discovery mailbox selected as the target mailbox for the search. Multiple searches can run concurrently.

Note

Multi-Mailbox Search is an Exchange 2010 feature. Only mailboxes located on Exchange 2010 servers can be searched using Multi-Mailbox Search. To optimize your search results, we recommend that you search no more than 2,500 mailboxes in a single search. To search more than 2,500 mailboxes, you can create multiple searches. For example, you can search the mailboxes of users in a distribution group or a dynamic distribution group.
Multi-Mailbox Search doesn't search messages in .pst files. To decrease management and legal discovery costs, we recommend provisioning archive mailboxes for users. To learn more about archive mailboxes, see Understanding Personal Archives.

The following applies to performing a discovery search:

  • Keywords   You can specify keywords and phrases to search message content. You can also use the logical operators AND, OR, and NOT. To search for an exact match of a multiple word phrase, you must enclose the phrase in quotation marks. For example, searching for the phrase "plan and competition" returns messages that contain an exact match of the phrase, whereas specifying plan AND competition returns messages that contain the words plan and competition anywhere in the message. You can also use AQS. For details, see Using Advanced Query Syntax Programmatically. For more information about advanced keyword searches, see Advanced Keyword Searches.

    Note

    Multi-Mailbox Search doesn't support regular expressions.

    You must capitalize logical operators such as AND and OR for them to be treated as operators instead of keywords. We recommend that you use explicit parenthesis for any query that mixes multiple logical operators (AND, OR, NOT, etc.) to avoid mistakes or misinterpretations. For example, if you want to search for messages that contain either WordA or WordB AND either WordC or WordD, you must use (WordA OR WordB) AND (WordC OR WordD).

  • Senders or recipients   To narrow a search, you can specify the senders or recipients of messages. You can use e-mail addresses, display names, or the name of a domain to search for items sent to or from everyone in the domain. For example, to find e-mail sent by anyone to Contoso, Ltd, specify @contoso.com in the From field in the ECP. You can also specify @contoso.com in the Senders parameter in the Shell.

  • Date range   By default, Multi-Mailbox Search doesn't limit searches by a date range. To search for messages sent during a specific date range, you can narrow the search by specifying the start and end dates. If you don't specify an end date, the search will return the latest results every time you restart it.

  • Mailboxes   Multi-Mailbox Search can search all mailboxes located on Exchange 2010 Mailbox servers in the Exchange organization, or you can specify the mailboxes to be searched. You can also specify a distribution group to include mailbox users who are members of the group.

  • Personal archive   By default, if the personal archive is enabled for a mailbox user, Multi-Mailbox Search also searches the archive mailbox. There's no option in the ECP to override this. To exclude archive mailboxes, you must use the Shell to create or modify the search.

  • Message types   By default, only e-mail messages are searched. However, you can also include the following message types to search: contacts, documents, instant messaging conversations, journal, meetings, and notes.

  • Attachments   Multi-Mailbox Search searches attachments supported by Exchange Search. Support for additional file types can be added by installing search filters (also known as an iFilter) for the file type on Mailbox servers.

  • Unsearchable items   Unsearchable items are mailbox items that can't be indexed by Exchange Search. Reasons include lack of an installed search filter for an attached file, a filter error, and encrypted messages. When creating a discovery search, you can include unsearchable items in search results.

  • Safe list   Certain file types don't contain content that can be indexed and, as a result, aren't indexed by Exchange Search. These file types aren't considered unsearchable items. Mailbox items containing these file types aren't returned in the list of unsearchable items. For more details, see Default Filters for Exchange Search.

  • Encrypted items   Because messages encrypted using S/MIME aren't indexed by Exchange Search, Multi-Mailbox Search doesn't search these messages. If you select the option to include failed items in search results, these S/MIME-encrypted messages are returned as failed items.

  • IRM-protected items   Messages protected using Information Rights Management (IRM) are indexed by Exchange Search and therefore included in discovery search results. Messages must be protected by using an Active Directory Rights Management Services (AD RMS) server in the same Active Directory forest as the Exchange 2010 Mailbox server. For more information about IRM, see Information Rights Management.

    Important

    When Exchange Search fails to index an IRM-protected message, either due to a decryption failure or because IRM is disabled, the protected message isn't added to the list of failed items. If you select the option to include failed items in search results, the results may not include protected messages that couldn't be decrypted.
    To include IRM-protected messages in a search, you can create another discovery search to return messages with .rpmsg attachments. You can use the query string attachment:rpmsg to search all protected messages. This will return all IRM-protected messages from the mailboxes searched, whether indexed or not. This may result in some duplication of search results in scenarios where one search returns messages that match the search criteria, including protected messages that have been indexed successfully. The search doesn't return protected messages that couldn't be indexed. Performing a second search for all protected messages also includes protected messages that were successfully indexed and returned by the first search. Additionally, the protected messages returned by the second search may not match the search criteria such as keywords used for the first search.

  • Deduplication   In Exchange 2010 SP1, you can enable deduplication of discovery search results to copy only one instance of a unique message to the discovery mailbox. Deduplication has the following benefits:

    • Lower storage requirement and smaller discovery mailbox size due to reduced number of messages copied.

    • Reduced workload for discovery managers, legal counsel, or others involved in reviewing discovery search results.

    • Reduced cost of discovery, depending on the number of duplicate items in search results.

    If you select a discovery mailbox located on an Exchange 2010 server that hasn't been upgraded to Exchange 2010 SP1, deduplication of search results isn't performed. To use deduplication, you must select a discovery mailbox located on an Exchange 2010 SP1 Mailbox server.

  • Search result estimates   When creating a discovery search in Exchange 2010 SP1, the discovery manager can select the option to estimate the search results before deciding whether to copy messages returned by the search to the discovery mailbox. The search result estimate includes the total number of items returned by the search, their total size, and a breakdown of items returned for each keyword specified. A search estimate provides the following benefits:

    • The discovery manager can determine the effectiveness of the search query. Using search estimates, a discovery manager can perform a what-if analysis of search queries and keywords, and then create more effective queries.

    • The discovery manager can avoid copying a large number of items that may not meet the requirements or the purpose of the search, but still need to be reviewed.

    • In scenarios where a search query results in a large number of items that need to be copied, the discovery manager can work with the Exchange administrator to determine if adequate storage is available to store the results in the discovery mailbox.

    Note

    Deduplication isn't considered when calculating search result estimates. When you run the search again with the option to copy messages to a discovery mailbox, the actual number of messages copied may be less than the estimate provided when you use the estimate-only option.

For details about how to perform a discovery search, see Create a Discovery Search.

Return to top

Viewing Search Results

Search results are copied to the discovery mailbox selected as the target mailbox for the search. If you use a target mailbox other than the default Discovery Search Mailbox, you must assign mailbox access permissions to authorized users so they can access that discovery mailbox. Authorized users can access the mailbox using Microsoft Office Outlook Web App or Outlook.

For information about how to assign Full Access mailbox permissions for a mailbox, see Manage Full Access Permissions.

If a discovery manager selects the option to copy search results to a discovery mailbox, a folder with the same name as the search is created in the target mailbox. To store messages returned from that mailbox, a subfolder is created for each mailbox searched. The folder name consists of the mailbox user's display name along with the date and time when the search was created. Messages are copied to a folder that has the same name as their location in the searched mailbox. For example, if the search name is Discovery-ProjectContoso, and a message located in the Inbox folder in Paul Shen's primary mailbox is returned, the folder hierarchy created in the discovery mailbox would be Discovery-ProjectContoso -> Paul Shen-9/4/2009 3:57:10 PM -> Primary Mailbox > Inbox. Any message flags, including read/unread status and follow-up flags, are maintained.

Note

If the discovery manager selects the deduplication option, a single instance of messages found in multiple locations across all mailboxes searched is copied to the Results - <timestamp> folder. If the discovery manager selects the full logging option for the search, the search log contains an entry for each instance of the message.

Annotations

In Exchange 2010 SP1, when a discovery manager reviews messages copied to a discovery mailbox, he or she can add annotations to the message. The discovery manager can then search the discovery mailbox for messages with annotations containing specific words or phrases.

Discovery managers can use annotations to associate a case number or another unique identifier with a message, making it easy to search for all items with that number.

Note

Annotations are stored with the message in the discovery mailbox. If you deliver messages to a third party, consider that the information in annotations may be accessible to the third party. We recommend that you not store any confidential information in annotations.

Return to top

Logging of Discovery Searches

There are two types of logging available for discovery searches:

  • Basic logging   Basic logging is enabled by default for all mailbox searches. It includes information about the search and who performed it. Information captured about basic logging appears in the body of the e-mail message sent to the mailbox where the search results are stored. This message is located in the folder created to store search results.

  • Full logging   Full logging includes information about all messages returned by the search. This information is provided in a comma-separated value (.csv) file attached to the e-mail message that contains basic logging information. The name of the search is used for the .csv file name. This information may be required for compliance or record-keeping purposes. To enable full logging, you must select Enable full logging in the ECP or specify the logging level using the LogLevel parameter in the Shell. In Exchange 2010 SP1, the .csv log file is included in a compressed (.zip) file.

Note

When using the Shell to create or modify a search, you can also disable logging.

For details, see Multi-Mailbox Search Logging.

Return to top

Litigation Hold and Discovery

As part of discovery requests, you may be required to preserve mailbox content until a lawsuit is disposed. To preserve mailbox content, messages deleted or altered by the mailbox user must also be preserved. In Exchange 2010, this is accomplished by using litigation hold.

When a mailbox is placed on litigation hold, messages and other mailbox items deleted by the user, and all instances of changes made to certain properties of mailbox items, are preserved in the Recoverable Items folder. To learn more about litigation hold, see Understanding Litigation Hold. For details about how to place a mailbox on litigation hold, see Place a Mailbox on Litigation Hold.

Return to top

Preserving Mailboxes for Discovery

When an employee leaves an organization, it’s a common practice to disable or remove the mailbox. After you disable a mailbox, it is disconnected from the user account but remains in the mailbox database for a certain period, 30 days be default. The Managed Folder Assistant does not process disconnected mailboxes and any retention policies or managed folder mailbox policies are not applied during this period. You can’t search content of a disconnected mailbox. Upon reaching the deleted mailbox retention period, the mailbox is purged from the mailbox database.

If your organization requires that retention settings be applied to messages of employees who are no longer in the organization or if you may need to retain an ex-employee’s mailbox for an ongoing or future discovery search, you must not disable or remove the mailbox. You can take the following steps to ensure the mailbox can’t be accessed and no new messages are delivered to it.

  1. Disable the Active Directory user account using Active Directory Users & Computers or other Active Directory or account provisioning tools or scripts. This prevents mailbox logon using the associated user account.

    Important

    Users with full access mailbox permission will still be able to access the mailbox. To prevent access by others, you must remove their full access permission from the mailbox. For more information about how to remove Full Access permissions on a mailbox, see Manage Full Access Permissions.

  2. Set the message size limit for messages that can be sent from or received by the mailbox user to a very low value, 1 KB for example. This prevents delivery of new mail to and from the mailbox. For more information about how to configure message size limits for a mailbox, see Configure Message Size Limits for a Mailbox or a Mail-Enabled Public Folder.

  3. Configure delivery restrictions for the mailbox so nobody can send messages to it. For details, see Configure Message Delivery Restrictions

Important

You must take the above steps along with any other account management processes required by your organization, but without disabling or removing the mailbox or the associated user account.

When planning to implement mailbox retention for messaging retention management or discovery, you must take employee turnover into consideration. Long-term retention of ex-employee mailboxes will require additional storage on Mailbox servers and also result in an increase in Active Directory database because it requires that the associated user account be retained for the same duration. Additionally, it may also require changes to your organization’s account provisioning and management processes.

 © 2010 Microsoft Corporation. All rights reserved.