Now a few years ago I was asked by a security fellow if I could write him a script or some kind of application he could use to search Exchange for emails. He mentioned the famous tool Exmerge. Which was great tool btw! I told him that I would look into this and see what I could do, as anything is possible.
With that in mind I started developing a script using the new Search-Mailbox command. After a while I had a full blown script that worked pretty well. I gave that to my security folks and published that script on TechNet. Well a year later I decided to revive that effort and give that script a GUI. As well fix some bugs. One being the memory leak(I’ll review that one later in another blog).
So with out further delay I present to you MailboxSearch.
What is MailboxSearch? – Well this tool can be used to search a users mailbox or entire organization for a email by using a simple search query. You can choose the level of logging for analysis later, or purge the entire organization of that email.
System Requirements
- PowerShell 3.0 or above
- Microsoft Exchange Management Tools Installed
- Mailbox Import/Export management role assigned to purge
- 2 CPUs or More – Increase this for larger organizations *App is CPU intensive
- 8 Gigs RAM or More – Increase this for larger organizations
How do you use it you ask?
First there are currently two versions of the application. One if for Microsoft Exchange 2013, the other is for Microsoft Exchange 2010. So use the proper tool for your environment.
Download the app from the link below and unzip to your desktop
Double-click on the MailboxSearch.exe to launch. Start up will take a few mins as it builds the resources needed.
A Please Read window will appear. Read the information displayed. If you wish to continue click yes. If not click no and the app will close. Important note – For information on structuring your search go to http://technet.microsoft.com/en-us/library/bb232132(v=exchg.141).aspx#AQS
Next is the preparing to install prompt.
On the next screen you can leave the install path default. if you wish to change it you can, it just creates a directory for the logs. Click ok to continue
The next window is the meat of it. Depending on your task, you will use different options.
Logging is only for option 1 and 3. As well “Enter name for new folder to store search logs is only for option 1 and 3.
If you choose to use option 2 and 4 you only need to enter your search query.
Once you enter everything click Continue. If you select option 1 or 2 a new window will appear asking you to enter the users SamAccountName
Once you enter the users SamAccountName ensure you click OK. Do not hit the enter button. If you do it will fail.
Lets perform a basic search. In this case the we are searching for a Spam email from TaxReturns@Contoso.com
When we get to the main screen, we want to modify the administrators box for the log storage. We want to enter a unique name for the folder(No Spaces). Our search query will be From:”TaxReturn@Contoso.com”. We want to click “Search for email in single mailbox”. In this case we want full logging, so we click Full under Logging Level. Then click Continue.
We want to enter the SamAccountName for the user, then select Ok.
MailboxSearch will now search the users mailbox, once its completed a screen will appear telling you the request was completed. Click Ok.
The next windows tells you the application is exiting.
Now you have two options to check if your query return any results. 1. You can check the application logs c:\Program Files\MailboxSearch\Logs.
Located in the logs will be the users information with the total number of items found.
2. Log in to the mailbox for the administrator and locate the folder you created for logs.
As you can see it has created the folder TaxScam, listed the user, and copied the email over to your admin box. You can now open that email and examine the message header or deleted them from the user with the search query and option 2.
That’s it! Once you have confirm the search query works, you can then purge those emails from your environment or for certain users.
As always hope this helps!
Download E2k10 Version MailboxSearche2k10
Download E2k13 Version MailboxSearche2k13
