Finding Items within Multiple Exchange Mailboxes

The Exchange Problem

The need for finding items within multiple Exchange mailboxes started last week when I was presented with an interesting predicament. One of the staff members from another division in the Forsythes group was receiving calendar invites for a meeting that was no longer valid. What was worse, the user sending them no longer worked at the company. Many system engineers would look at this problem and say “Aha! I know what to do”. They would then go on to talk about re-enabling the account, logging in as the user and removing the entries. The interesting part of the predicament was that the user no longer existed in Active Directory, nor did their mailbox!

The Solution

The great news is there is a way to remove the old calendar entries for her meeting from everyone else’s mailbox. For this we needed the Exchange Management Shell and the PowerShell command Search-Mailbox.

Before we can run the command we require some setup. This setup gives the account you’re using the right permissions to enumerate user mailboxes. We also need to configure another permission to allow us to delete user mailbox items. For this example I will be using the Administrator account for both running the commands and reviewing the user items.

The Prep

To set up the Administrator account we need to allow it to access and enumerate user mailboxes.

  1. Open Exchange Management Shell (EMC)
  2. Run Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator replacing Administrator with the user that will be running the Search-Mailbox commands
  3. Then run New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export" to create the new Role Group
  4. Finally run Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator to add the Administrator (or your username) to the new Role Group

The first command only allows the Administrator account to go through the items in each mailbox. To enable manipulation of the items we need to create a Role Group and assign roles to it. For some reason Import and Export Role Groups are not available by default in Exchange. We’ll call this Role Group “Mailbox Import-Export Management” because the Import Export role gives us the ability to change items in the user mailbox. Once this is complete, you must close and re-open EMC for the permissions to take effect.

The Explanation – Listing Items

Now we are able to run some commands that help us find these phantom calendar entries and remove them. We’ll be using a pipe to help achieve this. The first command in the pipe will run through all user mailboxes and return them as objects. The second will run the search parameters on each mailbox, like a “for each” loop. So if we were looking for a subject like “Central Coast Jobs Meeting – All Staff”, and we wanted the search results saved into the Administrator mailbox in a folder called “Search Results”, the command would look something like this:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -TargetMailbox Administrator -TargetFolder "Search Results" -SearchQuery 'Subject:"Central Coast Jobs Meeting – All Staff"' -LogOnly -LogLevel Full -SearchDumpster

Let’s quickly go through this command.

Get-Mailbox -ResultSize Unlimited | – This command returns a list of mailbox objects. By default the maximum number of objects returned is 1000, so if you have 1001 mailboxes it will not return them all. I use -ResultSize Unlimited as a habit to always get ALL results. The pipe then passes the results, one mailbox at a time, to the next command.

Search-Mailbox -TargetMailbox Administrator -TargetFolder "Search Results" – What this part is saying is, for each mailbox, go through all the items that match the SearchQuery and put the results in the Administrator mailbox under the Search Results folder.

-SearchQuery 'Subject:"Central Coast Jobs Meeting – All Staff"' – This is the search query itself. Note that single quotes surround the whole search query, and double quotes enclose each search value if it contains spaces. For example if I wanted to search for both sender and subject it would be: ' Subject:"Another Email Subject"'.

-LogOnly -LogLevel Full -SearchDumpster – The last part of the command uses logging only and does not copy the actual items found to the administrator mailbox. The very last option SearchDumpster searches the Recoverable Items folder, which is where items deleted from the “Deleted Items” folder or hard-deleted items are stored until they’re purged from the mailbox database.

The Explanation – Deleting Items

Once you have confirmed the list of items returned is what you expected you can now use the same command to remove those items with just a small change:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Central Coast Jobs Meeting – All Staff"' -DeleteContent -SearchDumpster

You’ll notice that I’ve dropped “-LogOnly -LogLevel Full” and replaced it with “-DeleteContent” (the -TargetMailbox and -TargetFolder parameters are gone as well, since nothing is being logged). Now I’m sure I don’t have to explain the danger of using this command. Confirm you have a usable backup of Exchange before hitting enter on this one, even though you’ve confirmed the command returns the expected items.

The Steps

This is how it should play out.

  1. Run Get-Mailbox -ResultSize Unlimited | Search-Mailbox -TargetMailbox Administrator -TargetFolder "Search Results" -SearchQuery 'Subject:"Central Coast Jobs Meeting – All Staff"' -LogOnly -LogLevel Full -SearchDumpster
  2. Log into target mailbox, in this case Administrator
  3. Open the “Search” file
  4. Confirm all items in the list are what you were looking for
  5. Run Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Central Coast Jobs Meeting – All Staff"' -DeleteContent -SearchDumpster
  6. Again run Get-Mailbox -ResultSize Unlimited | Search-Mailbox -TargetMailbox Administrator -TargetFolder "Search Results" -SearchQuery 'Subject:"Central Coast Jobs Meeting – All Staff"' -LogOnly -LogLevel Full -SearchDumpster to confirm no results are returned.
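
The steps above as one script, with the delete limited to the mailboxes that actually returned hits and the delete permission removed afterwards. This is an added example, not the author's own code; $maxPerMailbox is a hypothetical sanity limit, and the audit query assumes admin audit logging is enabled.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell after the role group setup from "The Prep".
$query    = 'Subject:"Central Coast Jobs Meeting – All Staff"'  # subject used in the post
$reviewer = 'Administrator'      # target mailbox used in the post
$folder   = 'Search Results'     # target folder used in the post
$maxPerMailbox = 25              # hypothetical sanity limit; tune for your case

# 1. Estimate only: nothing is copied, logged or deleted.
$hits = @(Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -SearchDumpster -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 })
$hits | Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

# 2. Stop if any mailbox matches far more items than one meeting series should;
#    that usually means the query is broader than intended.
$tooBroad = @($hits | Where-Object { $_.ResultItemsCount -gt $maxPerMailbox })
if ($tooBroad.Count -gt 0) {
    throw "Query matched more than $maxPerMailbox items in $($tooBroad.Count) mailbox(es); review before deleting."
}

# 3. Write the full log (no item copies) for the affected mailboxes only,
#    then review it in the reviewer mailbox before continuing.
foreach ($h in $hits) {
    Search-Mailbox -Identity $h.Identity -SearchQuery $query -SearchDumpster `
        -TargetMailbox $reviewer -TargetFolder $folder -LogOnly -LogLevel Full
}
Read-Host 'Review the log in the target mailbox, then press Enter to delete' | Out-Null

# 4. Delete from the affected mailboxes only. -Force is left off on purpose,
#    so Exchange asks for confirmation on each mailbox.
foreach ($h in $hits) {
    Search-Mailbox -Identity $h.Identity -SearchQuery $query -SearchDumpster -DeleteContent
}

# 5. Verify: the same estimate should now find nothing.
$left = @($hits | ForEach-Object {
    Search-Mailbox -Identity $_.Identity -SearchQuery $query -SearchDumpster -EstimateResultOnly
} | Where-Object { $_.ResultItemsCount -gt 0 })
if ($left.Count -gt 0) { Write-Warning "$($left.Count) mailbox(es) still contain matching items." }

# 6. Remove the delete capability again and check the audit trail
#    (assumes admin audit logging is enabled).
Remove-RoleGroupMember 'Mailbox Import-Export Management' -Member $reviewer
Search-AdminAuditLog -Cmdlets Search-Mailbox -StartDate (Get-Date).AddDays(-1) |
    Format-Table RunDate, Caller, ObjectModified -AutoSize
```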

The Predicament Resolved

In my case the last search returned no results and the phantom calendar entries were gone. It’s worth noting that Search-Mailbox really is a powerful command that has more uses than I have explained here. If you’d like to know more please don’t be afraid to hit me up with questions outside this post’s scope. Lastly please be careful with -DeleteContent, don’t say I didn’t warn you. Always have a rollback plan when using it.

Joshua Bauer
Operations Manager – Vantage Networks
