One of the improved features in Exchange 2010 is multi-mailbox searching. While you could do this to a degree in Exchange 2007, it usually required too many rights to delegate to a compliance officer, and the searches had to be run from PowerShell. As a result, it was often problematic for users to perform these searches on their own and too burdensome for the administrator to do it on their behalf. The normal Exchange search you're used to doing is still available for other requirements, like removing an email from everyone's mailbox (e.g. virus, inappropriate content, etc.). This blog focuses on the e-discovery aspect in Exchange 2010.
In 2010, things are much improved when it comes to e-discovery. With Microsoft's use of RBAC in 2010, you can delegate this control rather easily. Adding someone to the new Discovery Management group is all it takes to get started.
You also want to think about the target mailbox for these searches. Typically you'll want to set aside dedicated mailboxes, and even dedicated databases if you're a large company, for this type of activity. A copy of each message matching your search criteria will end up in this mailbox, even if only temporarily, so make sure you have enough resources available to store this data. For this example I'll be using the default search mailbox that's created when installing Exchange 2010. You'll want to delegate control of this mailbox to the compliance officer so they will be able to open the mailbox and view the collected data.
The delegated individual accesses the multi-mailbox search by opening OWA and clicking the Options button in the upper right corner.
This brings up the new Exchange Control Panel (ECP), in which you can perform a host of operations previously unavailable in 2007. For now we'll focus on the e-discovery stuff. Once in the control panel, select "My Organization" from the "Select what to manage" drop-down box.
This brings up another set of tabs for managing users, groups and reporting. For now, select the Reporting tab and click New… to create a new search.
This pops up another window allowing you to define your search criteria. At a minimum you'll need to define your search name, mailbox scope and target mailbox. In practice you'll want to narrow your search considerably to avoid unnecessarily long searches, which might not give you what you want and also overburden the system. For my test I entered some keywords to look for in the emails. I also turned on logging and the option to send you an email for additional information. Once you're happy with the search, click Save.
The search immediately begins and you can see the progress in the search window.
When your search has completed, you’ll receive an email similar to this one. Notice that the search partially succeeded. This is due to some of the mailboxes being on an Exchange 2007 database. If you click on the hyperlink in the message it will open the target discovery mailbox in an OWA window. You could also open the target mailbox in Outlook if that is preferred.
From here you’ll be able to view the messages collected. Expand the folders to drill down and view the messages found in your search. You’ll be able to act on these messages to further filter, categorize and narrow down your search to end up with only the ones you want.
When you’re finished with your search and want to remove it from your saved searches, please note that this will also remove the collected messages from the target discovery search mailbox. You will receive this warning if you attempt this.
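The same delegation, search and cleanup steps can be done from the Exchange Management Shell, which also makes it easy to review who holds discovery rights. This is an added example, not part of the original post; the account names, search name, keywords and dates are constructed sample values, and "Discovery Search Mailbox" is assumed to be the display name of the default discovery mailbox.

```powershell
# Added example: run in the Exchange 2010 Management Shell.
# All names and values below are hypothetical / constructed samples.
$officer   = "jdoe"                       # hypothetical compliance officer account
$discovery = "Discovery Search Mailbox"   # assumed display name of the default discovery mailbox
$search    = "Review-Sample-01"           # hypothetical search name

# 1. Delegate the search right: add the officer to the Discovery Management role group.
Add-RoleGroupMember -Identity "Discovery Management" -Member $officer

# 2. Let the officer open the target mailbox to view collected messages.
Add-MailboxPermission -Identity $discovery -User $officer -AccessRights FullAccess

# 3. Review the delegation: who can run searches, and who can read the results.
#    Anyone listed here can see copies of other users' mail, so keep both lists short.
Get-RoleGroupMember -Identity "Discovery Management" |
    Format-Table Name, RecipientType -AutoSize
Get-MailboxPermission -Identity $discovery |
    Where-Object { -not $_.IsInherited -and ($_.AccessRights -like "*FullAccess*") } |
    Format-Table User, AccessRights -AutoSize

# 4. Create a narrowly scoped search: named mailboxes, keywords and a date range,
#    with full logging and a status email, as in the ECP walkthrough above.
#    Date strings are parsed using the server's regional settings.
New-MailboxSearch -Name $search `
    -SourceMailboxes "asmith", "bjones" `
    -TargetMailbox $discovery `
    -SearchQuery '"project falcon" OR invoice' `
    -StartDate "01/01/2010" -EndDate "03/31/2010" `
    -LogLevel Full `
    -StatusMailRecipients $officer

# 5. Check progress and results of the saved search.
Get-MailboxSearch -Identity $search | Format-List

# 6. Cleanup. Left commented out on purpose: removing the search also removes
#    the collected messages from the target discovery mailbox.
# Remove-MailboxSearch -Identity $search
```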
While the e-discovery search feature in Exchange 2010 may not be as robust as some third-party products, it is still a nice alternative to having nothing at all, and it's much better than it was in 2007.