Exchange 2010 includes the capability to ensure that deleted items are retained within the dumpster till the deleted item retention period. This prevents accidentally or maliciously deleted items from being deleted permanently, and allows an administrator to recover such items. This feature is known as Single Item Recovery and it enables organizations to change their backup paradigms (i.e., you no longer need to maintain backups for single item recovery), and to retain and allow discoverability of the data to meet compliance requirements.

A while back, I blogged about the mechanics of the Single Item Recovery features included in Exchange 2010. In this post, I discuss how you can utilize this functionality to recover accidentally or maliciously deleted items.

Essentially there are two steps:

  1. Search – Determining the location of the missing items.
  2. Recovery – Retrieving the missing items.

Remember, in order to discover and recover the data, each mailbox needs to have Single Item Recovery enabled prior to the accidental purge event. Therefore, we recommend enabling Single Item Recovery for mailboxes as part of the Exchange 2010 upgrade process.

The Scenario

Ross sent his administrative assistant, Julie, a message regarding his upcoming trip to Seattle, specifically requesting Julie to book his itinerary. Unfortunately, before she could work on Ross’ request, Julie shift-deleted the message while cleaning out her mailbox. Like most users, Julie has done this before and is familiar with the Recover Deleted Items capability within Outlook. However, this time, Julie made the mistake of clicking the delete button for the message in question instead of clicking the recover button. Panicking, Julie calls Help Desk to request recovery of the item.

Step 1: Search

The help desk ticket results in a workflow process that is performed by an IT administrator who has necessary rights to perform searches (in this scenario, the Help Desk technician’s user account has been delegated the Discovery Management role).

Note: By default, no accounts have the ability to perform mailbox searches. You can either create a custom role group to allow an administrator to search only a subset of mailboxes, or add the administrator to the Discovery Management built-in role group (which allows them to search all mailboxes in the Exchange organization) by using the following command:
Add-RoleGroupMember "Discovery Management" -Member <user account>

The Help Desk technician has two choices for performing discovery, and the choice will depend on the target user’s client access license (CAL):

  1. If the users included in the search have Standard CALs, the Help Desk technician can only use the Search-Mailbox cmdlet.
  2. If the users included in the search have Enterprise CALs, the Help Desk technician can also use the New-MailboxSearch cmdlet, or the Multi-Mailbox Search feature in the Exchange Control Panel (ECP).

In Julie’s case, she provided the Help Desk technician with the following information:

  • The message was sent from her boss.
  • The message contains the word “Seattle”.

Searching messages by using Search-Mailbox

When a mailbox with a Standard CAL will be searched, the Search-Mailbox cmdlet will be used. The Search-Mailbox cmdlet requires the following information:

  • The mailbox to be searched
  • The search query criteria
  • The mailbox and folder where the results will be placed
  1. Knowing this information, the Help Desk technician executes the following command from the Shell:

    Search-Mailbox sec -SearchQuery "from:'boss' AND seattle" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "Secretary Recovery" -LogLevel Full

    Note: Search-Mailbox does not allow the target mailbox to be the same as the source mailbox. Search-Mailbox does allow you to be very specific in your search criteria. Besides scoping the search with the SearchQuery parameter using Advanced Query Syntax (AQS), in Exchange 2010 SP1 you can also use the SearchDumpsterOnly switch to search only items in the dumpster.

    The Help Desk technician receives the following output:

    RunspaceId : fb25cadf-a63f-4e88-8567-cb4ae1b30ade
    Identity : corp.contoso.com/Users/Secretary
    TargetMailbox : corp.contoso.com/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
    TargetPSTFile :
    Success : True
    TargetFolder : \Secretary Recovery\Secretary-4/14/2010 6:28:33 AM
    ResultItemsCount : 1
    ResultItemsSize : 1.577 KB (1,615 bytes)

  2. The Help Desk technician then logs into OWA and opens the Discovery Search Mailbox via the Open Other Mailbox option:

    Note: The OWA and ECP screenshots are from Exchange 2010 SP1. These are preliminary screen shots from pre-Beta software that are subject to change before the final release of SP1.

  3. The Help Desk technician navigates the folder structure within the Discovery Search Mailbox and verifies that he has recovered the item in question:

Searching messages by using Multi-Mailbox Search

When a mailbox with an Enterprise CAL will be searched, the administrator can use the Multi-Mailbox Search feature in the Exchange Control Panel. The Help Desk technician takes the following steps:

  1. He launches the Exchange Control Panel via https://mail.contoso.com/ecp and logs on using his credentials.
  2. From the Options drop-down, he selects Manage My Organization.
  3. He clicks on Service Level and selects the Mailbox Searches applet.
  4. He clicks New to create a new search request which requires at least the following information:
    1. The search query criteria
    2. The mailbox to be searched
    3. The mailbox and folder where the results will be placed
  5. When the results are obtained, he can either click on the [Open] link in the Mailbox Searches Results pane, or open the Discovery Search Mailbox via the Open Other Mailbox option from within OWA.
  6. He navigates the folder structure within the Discovery Search Mailbox and verifies that he has recovered the item in question:

Step 2: Recovery

At this point the Search phase is complete and the Recovery phase begins. There are two options for how to recover and return the item back to the user and it depends on the version of Exchange 2010 you have deployed:

  1. If you are running Exchange 2010 RTM or later, you can utilize the Search-Mailbox cmdlet to restore the item back to the user.
  2. If you are running Exchange 2010 SP1, you can utilize the PST import and export cmdlets to restore the item back to the user.

Search-Mailbox Recovery Process

  1. The Help Desk technician executes the following command from the Shell:

    Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'boss' AND seattle" -TargetMailbox sec -TargetFolder "Recovered by HelpDesk" -LogLevel Full -DeleteContent

    He receives the following output:

    RunspaceId : fb25cadf-a63f-4e88-8567-cb4ae1b30ade
    Identity : corp.contoso.com/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
    TargetMailbox : corp.contoso.com/Users/Secretary
    TargetPSTFile :
    Success : True
    TargetFolder : \Recovered by HelpDesk\Discovery Search Mailbox-4/14/2010 6:32:49 AM
    ResultItemsCount : 1
    ResultItemsSize : 1.577 KB (1,615 bytes)

  2. He notifies Julie that the item is recovered. Julie logs into her mailbox and verifies she has the correct item:

It’s important to note that due to the two-step process involved with Search-Mailbox (copying the results to the Discovery Mailbox and then copying the results back to the user’s mailbox) the hierarchy is same for the end user – the root of the Discovery Search Mailbox, as well as the folder target that was used to place the item in the Discovery Search Mailbox, are both visible.

PST Export/Import Recovery Process

Exchange 2010 SP1 includes infrastructure that allows administrators to perform bulk import and export of PST files without requiring the installation of the Outlook client. This infrastructure, supported by the cmdlets *-MailboxImportRequest and *-MailboxExportRequest, leverages the Mailbox Replication Service and the framework that exists for moving mailboxes between databases (see Understanding Move Requests for more information).

To use this functionality, two prerequisites must be met:

  1. The person performing the import or export must have the appropriate permissions within Exchange. By default, no RBAC role group provides this functionality. To grant the ability for a help desk administrator, compliance officer, or Exchange administrator to perform bulk import/export capabilities against all mailboxes, the following commands must be executed:

    New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
    Add-RoleGroupMember "Mailbox Import-Export Management" -Member <user account>

    The first command creates a new role group that grants access to the *-MailboxImportRequest and *-MailboxExportRequest cmdlets. The second command adds a user to the role group.

  2. The Exchange Trusted Subsystem security group must have Full Control/Owner permissions on the file share that will be used to temporarily store the PST files.

In this scenario, the Help Desk technician is a member of the Mailbox Import-Export Management role group and thus can utilize the Import and Export cmdlets. The Help Desk technician:

  1. Runs the following command from the Shell to export the recovered data from the Discovery Search Mailbox to a PST file:

    New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -FilePath "\\exchsvr\HelpDeskPst\SecretaryRecovery.pst" -ContentFilter {Subject -eq "april travel plans"} -SourceRootFolder "Secretary Recovery"

  2. Runs the following command from the Shell to import the recovered data into Julie’s mailbox:

    New-MailboxImportRequest -Mailbox sec -FilePath "\\exchsvr\HelpDeskPst\SecretaryRecovery.pst" -TargetRootFolder "Recovered By HelpDesk"

  3. Notifies Julie that the item is recovered.

At this point, Julie logs into her mailbox and verifies she has the correct item:

Conclusion

Exchange 2010 provides you the means to ensure data is not deleted from the system prior to the expiration of its deleted item retention. In the event that a message is accidentally or maliciously purged from the user’s dumpster, it can be easily recovered and restored using built-in tools.

-- Ross Smith IV