
Searching Emails in Exchange 2016

Searching Email in Exchange

There comes a time in every sysadmin’s career, at least for those who manage Exchange, when they have to find every user who has a specific attachment in their mailbox.  This could be because a virus got through or because your CEO accidentally sent confidential information to the entire company. So searching emails in Exchange 2016 is an important skill to have.

Luckily, Microsoft makes searching for emails in Exchange pretty easy, although it can take a while depending on the number of mailboxes and their sizes.  Plus, if you know me, you know I love to do things via PowerShell, so that is what I will show you here.

**Disclaimer**

These PowerShell commands are very powerful when searching for emails in Exchange.  You can delete the entire contents of a user’s mailbox, or of multiple users’ mailboxes, if you are not careful.  I recommend that you start with the -LogOnly switch before ever using the -DeleteContent switch, to make sure the search returns what you expect.  I take zero responsibility for what happens because of improperly written and executed PowerShell scripts.

Well, now that is out of the way, let’s get to the good stuff.  Searching for emails in Exchange 2013 and 2016 is very simple with a PowerShell cmdlet called Search-Mailbox.  Search-Mailbox lets you search one or multiple mailboxes for specific emails based on a number of criteria.  These criteria can be based on Subject, Attachments, Email Contents, To, From, pretty much anything in the email, and you can string multiple criteria together with AND to make your results very specific.

So the cmdlet we will be using is Search-Mailbox, and it has the following parameters:

-EstimateResultOnly

This switch is optional and will only estimate the total number and size of the messages returned.  It cannot be used with the -TargetMailbox parameter.

-Identity

This is how you tell Exchange which mailbox(es) to search.  It accepts several forms of identity, such as alias, email address, domain\account, UPN, or Distinguished Name.

-TargetMailbox

This parameter is the mailbox where you want the results of your search to go, or where you want the emails to be copied to.

-TargetFolder

This is the folder within the target mailbox you want the results to be sent to.

-DeleteContent

This switch will delete the messages found by the search.  If you don’t want copies of these emails saved, then don’t specify -TargetMailbox, -TargetFolder, or -LogLevel.

-SearchQuery

This is where you define the criteria of the search.

-LogOnly

This switch will only log the results and will not copy or delete anything from the searched mailboxes.

-LogLevel

This is the level of logging that you want.  You can choose from Suppress, Basic, or Full.

For a full list of parameters for the Search-Mailbox cmdlet, check out this link: https://technet.microsoft.com/en-us/library/dd298173(v=exchg.160).aspx

So let me show you a couple of examples:

This example will search the mailbox mike@thesysadminguru.com for any emails that contain “Great new article” in the subject.  It will then copy the matching emails to the mailbox “Search” in the folder “Results”.

Search-Mailbox "mike@thesysadminguru.com" -SearchQuery 'Subject:"Great new article"' -TargetMailbox Search -TargetFolder Results

This example will search the mailbox mike@thesysadminguru.com for any emails that contain “Great new article” in the subject.  It will then log a list of results and save that list to the mailbox “Search” in the folder “Results”.  Because we are using the -LogOnly switch, no emails will be copied over.

Search-Mailbox "mike@thesysadminguru.com" -SearchQuery 'Subject:"Great new article"' -TargetMailbox Search -TargetFolder Results -LogOnly -LogLevel Full

This example will search the mailbox mike@thesysadminguru.com for any emails that contain “Great new article” in the subject.  It will then copy those emails to the mailbox “Search” in the folder “Results” and it will then delete the messages from the source mailbox.

Search-Mailbox "mike@thesysadminguru.com" -SearchQuery 'Subject:"Great new article"' -TargetMailbox Search -TargetFolder Results -DeleteContent

I encourage you to set up a test mailbox and play with these commands to become familiar with them.
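
The staged approach the disclaimer recommends (see what a query matches before deleting anything), written out for the "find an attachment in every mailbox" case as an added example that is not part of the original post. The function name Invoke-StagedMailboxPurge and the attachment name are hypothetical; the "Search" mailbox and "Results" folder are the ones used in the examples above.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Assumes the account holds the Mailbox Search role, plus Mailbox Import Export
# for the Delete stage. Invoke-StagedMailboxPurge is a hypothetical helper name.
function Invoke-StagedMailboxPurge {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchQuery,
        [ValidateSet('Estimate', 'LogOnly', 'Delete')] [string] $Stage = 'Estimate',
        [string] $TargetMailbox = 'Search',
        [string] $TargetFolder  = 'Results'
    )

    # Leave the results mailbox out of the search so copies and logs already
    # collected there are not matched (or deleted) by a later stage.
    $target    = Get-Mailbox -Identity $TargetMailbox -ErrorAction Stop
    $mailboxes = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.Guid -ne $target.Guid }

    switch ($Stage) {
        'Estimate' {
            # Counts only: nothing is copied, logged or deleted.
            $mailboxes |
                Search-Mailbox -SearchQuery $SearchQuery -EstimateResultOnly |
                Where-Object { $_.ResultItemsCount -gt 0 } |
                Select-Object Identity, ResultItemsCount, ResultItemsSize
        }
        'LogOnly' {
            # Writes a log of every match to the target folder for review.
            $mailboxes |
                Search-Mailbox -SearchQuery $SearchQuery -LogOnly -LogLevel Full `
                    -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder
        }
        'Delete' {
            # Copies matches to the target folder, then deletes them from the
            # source mailboxes. -Force is deliberately omitted so Exchange
            # still asks for confirmation.
            $mailboxes |
                Search-Mailbox -SearchQuery $SearchQuery -DeleteContent `
                    -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder
        }
    }
}

# Usage, one stage at a time (the attachment name is a constructed placeholder):
# $query = 'attachment:"invoice.zip"'
# Invoke-StagedMailboxPurge -SearchQuery $query -Stage Estimate
# Invoke-StagedMailboxPurge -SearchQuery $query -Stage LogOnly
# Invoke-StagedMailboxPurge -SearchQuery $query -Stage Delete
```

Move to the next stage only after the previous stage's output lists the mailboxes and message counts you expect.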
