Search-Mailbox (Exchange 2010)
Use the Search-Mailbox cmdlet to search a mailbox and copy the results to a specified target mailbox, delete messages from the source mailbox, or both.
Note: You may have to set:
-TargetMailbox “DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}”
Organiazation Wide Search
|
1 |
Get-mailbox -resultsize ‘unlimited’| Search-Mailbox -Identity “<user>” –SearchQuery “<AQS conditions>” –TargetMailbox “Discovery Search Mailbox” –TargetFolder “SearchandDeleteLog” |
Searching and Pull Content:
|
1 |
Search-Mailbox -Identity “<user>” –SearchQuery “<AQS conditions>” –TargetMailbox “Discovery Search Mailbox” –TargetFolder “SearchandDeleteLog” |
Searching and Pull Content, Example 1 (Simple Search):
|
1 |
Search-Mailbox -Identity “USER” –SearchQuery “from:sender@company.com” –TargetMailbox “Discovery Search Mailbox” –TargetFolder “SearchandDeleteLog” |
• searches USER mailbox, as indicated in the -Identity parameter
• uses the AQS query that says, “find anything between January 1 and January 31 AND includes the word hookup in the message body”
• creates a full log of operations but doesn’t do anything except log what you do
• puts the results in the Search Results folder of the AdminMailbox mailbox
Searching and Pull Content, Example 2 (Search and pull e-mails between 6/1/2017 to 6/4/2017):
|
1 |
Search-Mailbox “<user>” –SearchQuery “Received:6/1/2017..06/4/2017” –TargetMailbox "Discovery Search Mailbox" -TargetFolder "SearchAndDeleteLog" |
Searching and Pull Content, Example 3 (Search and pull e-mails with size falling between 1000 and 900000 bytes):
|
1 |
Search-Mailbox “<user>” -SearchQuery “size:1000..900000” –TargetMailbox "Discovery Search Mailbox" -TargetFolder "SearchAndDeleteLog" |
Searching and Pull Content, Other Examples:
|
1 2 3 4 5 |
-SearchQuery "kind:meetings" -SearchQuery "to:Test_DistributionGroup" -SearchQuery 'attachment:"FLIGHT_TICKET_A83722571.htm"' -SearchQuery {Subject:"Wire Payment Request" AND From:adamante@hotmail.com AND Sent:"04/19/2017"} -SearchQuery {From:sarah@aol.com AND To:dgonzalez@yahoo.com} |
Search and Log Content:
|
1 |
Search-Mailbox -Identity "<user>" -SearchQuery "<AQS conditions>" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full |
Search, Delete, and Log Content:
|
1 |
Search-Mailbox -Identity "<user>" -SearchQuery "<AQS conditions>" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "SearchAndDeleteLog" -LogLevel Full -DeleteContent |
Deleting Content:
|
1 |
Search-Mailbox -Identity "<user>" -SearchQuery ‘<AQS conditions>’ -DeleteContent –force |
Deleting Content, Example 1
|
1 |
Search-Mailbox -Identity "USER" -SearchQuery 'subject:"Example Subject" AND Received:< 01/01/2010 AND from:sender@domain.com' -DeleteContent –force |
• Searches User mailbox, as indicated in the -Identity parameter
• Users AQS query to find sender, as indicated by from: ‘sender@domain’ and subject ‘Example Subject’ and before January 1,2010
• – DeleteContent (Switch to delete messages from a mailbox)
• -force (Switch overrides the confirmation prompt displayed when your use the DeleteContent switch to permanently delete messages)
Deleting Content, Example 2 (Search Dumpster)
|
1 |
Search-Mailbox -Identity "USER" -SearchQuery 'subject:"Example Subject" AND Received:< 01/01/2010 AND from:sender@domain.com' -DeleteContent –force –searchdumpster |
• -SearchDumpster (parameter specifies whether to search the Recoverable Items folder, which is the storage location in which items deleted from the Deleted Items folder or hard-deleted items are stored until they’re purged from the mailbox database. By default, the Recoverable Items folder is always searched. To exclude the folder from the search, set the SearchDumpster switch to $false, for example,-SearchDumpster:$false
Advanced Query Syntax (AQS) Values
|
Attribute |
Value type |
Description |
Example |
|
subject |
String |
Exact phrases or keywords in subjects of items. |
subject:”invoice for” |
|
body |
String |
Any item property that contains the specified string value. |
body:microsoft |
|
attachment |
String |
Exact phrases or keywords in attachment filenames. |
attachment:specialoffer.zip |
|
to |
String |
SMTP address, display name, or alias of user in TO field. |
to:”George Kaplan” |
|
from |
String |
As above for the FROM field. |
from:i.johnson@alphaville.fr |
|
cc |
String |
As above for the CC field. |
cc:kowalski +codetwo.com |
|
bcc |
String |
As above for the BCC field. |
bcc:harry lime |
|
participants |
String |
As above for all people fields. |
participants:administrator |
|
category |
String |
Names or parts of names of default Outlook categories. |
category:category -green |
|
importance |
String |
Available values: normal, high, low. Default is “normal”. |
importance: high OR low |
|
kind |
Item type |
Available values: |
kind:email OR contacts |
|
sent |
Date |
Specific date or time range in which the item was sent. Format: MM/dd/yyyy or date interval (today, yesterday, this week, this month, last month, this year, last year) |
sent:9/1/2014..9/1/2016 sent:”last month” |
|
received |
Date |
As above for when the item was received. |
received>=1/1/2015 |
|
hasattachment |
Boolean |
True if item has at least 1 attachment. (only Exchange 2016 and Online) |
hassattachment:true |
|
isflagged |
Boolean |
True if item is flagged. (only Exchange 2016 and Online) |
isflagged:true |
|
isread |
Boolean |
True if item is read. (only Exchange 2016 and Online) |
isread:false |
|
size |
Number |
Size of item (including attachments) in bytes. |
size>1000000 |
Example 1:
|
1 |
Search-Mailbox -Identity "USER” -SearchQuery '(subject:"copy for" -sample) AND (from:user2 OR accounting)' |
• Searches User mailbox, as indicated in the -Identity parameter
• Uses AQS and KDS query to find items sent by people with “user2” or “accounting” in names or addresses
• AND the phrase “copy for” in the Subject field excluding those with the string “sample” in the Subject.
Using Operations on multiple attributes and values
- Search-Mailbox uses slightly simplified version of Microsoft’s Keyword Query Language (KQL).
- All attributes and their values listed in the table below can be combined using logical operators AND, OR and NOT(case sensitive).
- Note: +/ – can also be used as substitutes for AND/NOT.
|
Operator |
Attribute value … |
|
: |
… contains specified value (accepts numerical and text values). |
|
= |
… is equal to specified value (accepts numerical and text values). |
|
> |
… is larger than specified value. |
|
< |
… is smaller than specified value. |
|
>= |
… is larger than or equal to specified value. |
|
<= |
… is smaller than or equal to specified value. |
|
<> |
… is not equal to specified value. |
|
.. |
… falls in the range of specified values (does not accept date intervals). |
testest test