Find and delete messages in Exchange 2010.

My scenario:

I sent a message to John Doe with the subject, “Exchange training.” So we will search for the message, confirm that it is correct and then delete it from his mailbox.

To search John Doe’s mailbox for a message with the subject “Exchange” use the Search-Mailbox cmdlet.

Search-Mailbox -Identity jdoe -SearchQuery "Subject:Exchange" -TargetMailbox "DiscoveryMailbox" -TargetFolder "John Doe Query"

This will run a search on his mailbox, find all messages that have the word ‘Exchange’ in the subject, and place a copy of each in the DiscoveryMailbox in a folder called John Doe Query. Note that this only creates a copy of the mail; it does not affect the user’s mail at all. Use this to verify that your query is working correctly, or when you need to check the contents of a message for some discovery purpose.

The problem with the above query is that John Doe has hundreds of messages with the word Exchange in the subject and I do not want to delete all of them, so let’s refine the query to find the exact message. I will change the -SearchQuery to

-SearchQuery "Subject:Exchange","From:wsmith","Sent:today"

Combining the multiple queries will give me the exact message I am looking for: the word “Exchange” in the subject, sent today, from the user William Smith. Now that I have confirmed that it returns the message I want and ONLY the message I want, I can delete it.

Search-Mailbox -Identity jdoe -SearchQuery "Subject:Exchange","From:wsmith","Sent:today" -DeleteContent

Now, in a more realistic scenario, let’s say we are hit with a virus from the address “” that spreads its payload through an attachment called OMGSOCUTE.pptx, and it’s tearing its way through the staff. Let’s search through all mailboxes in the company and delete every instance of the message.

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "","Attachment:OMGSOCUTE.pptx" -DeleteContent

This will crawl through every mailbox to find and delete each message. This will take a very long time, but could probably be sped up by adding a time frame to the query, such as “Sent:last week”.
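
A staged version of the company-wide purge above, as an added example that is not part of the original post: it estimates hits first, copies them to the discovery mailbox, and only then deletes. The folder name "OMGSOCUTE Purge", the per-mailbox threshold, and the date-range form of the Sent: term are assumptions; the sender term is left out because the address is not given above.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# -DeleteContent requires the Mailbox Search and Mailbox Import Export roles.

$Attachment = 'OMGSOCUTE.pptx'
$Inv        = [Globalization.CultureInfo]::InvariantCulture
$From       = (Get-Date).AddDays(-7).ToString('MM/dd/yyyy', $Inv)
$To         = (Get-Date).ToString('MM/dd/yyyy', $Inv)

# Assumption: the server parses MM/dd/yyyy dates and the a..b range form.
# Add a From: term here if the sender address is known.
$Query = 'Attachment:"{0}" AND Sent:{1}..{2}' -f $Attachment, $From, $To

# Stage 1: count matches per mailbox; nothing is copied or deleted.
$hits = @(Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 })

$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

# Stage 2: sanity check. One campaign should leave a handful of copies per
# mailbox; a large count usually means the query is too broad.
$MaxPerMailbox = 5   # hypothetical threshold, tune to the incident
$tooMany = @($hits | Where-Object { $_.ResultItemsCount -gt $MaxPerMailbox })

if ($hits.Count -eq 0) {
    Write-Host 'No matching messages found.'
}
elseif ($tooMany.Count -gt 0) {
    Write-Warning ("{0} mailbox(es) exceed {1} matches; refine the query before deleting." -f
        $tooMany.Count, $MaxPerMailbox)
}
else {
    foreach ($h in $hits) {
        $id = $h.Identity.ToString()

        # Stage 3: keep a copy of each message for later analysis.
        Search-Mailbox -Identity $id -SearchQuery $Query `
            -TargetMailbox 'DiscoveryMailbox' -TargetFolder 'OMGSOCUTE Purge' `
            -LogLevel Full | Out-Null

        # Stage 4: delete. Without -Force, each mailbox prompts for confirmation.
        Search-Mailbox -Identity $id -SearchQuery $Query -DeleteContent
    }
}
```

Searching only the mailboxes that reported hits in stage 1 also keeps the copy and delete passes short compared with crawling every mailbox again.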

I highly suggest you read Microsoft’s documentation before using this command. You can permanently delete a user’s mailbox; know what you are doing before you hit [enter].
TechNet Documentation:

