How many times have you sent the wrong email to the wrong person(s) and wished that the Outlook Recall function actually worked? What about the person that does a Reply All to the “All Users” Distribution group? Every Microsoft Exchange administrator knows these things happen with startling frequency and is probably chuckling at the idea Outlook Recall is reliable.
As Exchange administrators we are sometimes tasked with performing ninja operations such as a behind-the-scenes cleanup in user mailboxes, often without them knowing it ever happened. In Exchange 2010/2013, you can remove email from users’ mailboxes discretely, allowing all of us Exchange administrators to be that ninja only without the black pajamas or the blood, sweat, and tears.
In the good old days of Exchange 2003/2000/5.5, there were MFCMAPI and MDBVU32.exe, MAPI tools that can be used on an Exchange Server to aid in troubleshooting Information store issues. You could also use them to locate and delete raw objects directly from the store. Searching and deleting with this method was not an easy task and could take hours to complete depending on how many mailboxes and messages you were trying to delete. Fast forward to Exchange 2010/2013. Deleting emails is now down to a few PowerShell cmdlets, letting you finish your ninja work in a matter of minutes.
The ability to perform mailbox searches can still be done through the Exchange Control Panel ( 2010) or the Exchange Admin Center ( 2013) but it’s slower than using PowerShell and you can’t delete. Searching and deleting emails can only be done through PowerShell.
With Exchange 2010/2013 you can use the Search-Mailbox cmdlet to search users’ mailboxes for messages, then either copy the results to another mailbox or even delete them. The ability to copy the results to another mailbox, typically a discovery mailbox, is a great option as it lets you review the results first and avoid deleting the wrong messages.
If you are confident that your search filter is accurate, you can also delete directly from the mailbox. As a precaution I recommend sending the search results to a Discovery mailbox so you can review the results to make sure there are no false positives. Delete the wrong emails could be a serious mistake.
Before performing searches and content deletions, you need to make sure that you have been given the Mailbox Import Export Role and the Mailbox Search Role. You will also need to have full access permissions to the Discovery Mailbox so that you can open the mailbox and review the results. Read more about Exchange permissions and role groups on the Microsoft TechNet site.
The Search-Mailbox cmdlet can be used for something as simple as deleting a specific message or searching for all items in a mailbox with the subject “Sales with Jimmy Choos”. The DeleteContent switch permanently deletes the messages returned by the search without copying the messages to another mailbox. If you use the DeleteContent switch you will be prompted to confirm that you want to delete the content from the mailbox. If you want to suppress the delete confirmation warnings, you can use the force switch.
Use the following commands to search a specific mailbox for a specific subject or keywords and delete the emails.
Search-Mailbox -Identity "username or alias" -SearchQuery 'Subject:" Your query "' -DeleteContent
Search a specific mailbox for a specific subject or keywords and delete the emails
Sometimes such ninja work involves a wider scope. Let’s say you’re searching for a confidential email with the subject “Schmitty 1234” that was sent to All Users. You can use the Get-Mailbox and the Search-Mailbox cmdlet to locate the specified messages and delete them from the mailboxes directly. You will be prompted to confirm deletion for all the mailboxes once the search has completed. If you want to suppress the delete confirmation warnings you can use the force switch.
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'Subject:"Your query"' –DeleteContent
Searching for a confidential email sent to All Users with the subject line
What if you don’t remember the subject of the problem email but you do know it was about the big Jimmy Choo sale going on next week? In this circumstance you can search users’ mailboxes based on keywords in the message and send the results to a target mailbox for review.
Using the TargetMailbox and TargetFolder parameters items the search returns are copied to the another mailbox. When the search is completed, use the Outlook Client or OWA to access the target mailbox and review the results.
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'Your Query ' -TargetMailbox "Search Mailbox Name" -TargetFolder "Your Target folder"
If you want to delete the messages from the mailboxes and also copy them to another mailbox for review, you would add the DeleteContent switch to your cmdlet.
Get-Mailbox -ResultSize Unlimted | Search-Mailbox -SearchQuery 'Your Query ' -TargetMailbox "Search Mailbox Name " -TargetFolder "Your Target folder" –DeleteContent
Instead of searching all mailboxes, you can also search through a list of mailboxes names if you have a list in a text file. To do this you would use this command:
get-content users.txt | Get-Mailbox -ResultSize Unlimted | Search-Mailbox -SearchQuery 'Your Query ' -TargetMailbox "Search Mailbox Name " -TargetFolder "Your Target folder"
Search through a list of mailboxes names if you have a list in a text file
Results of the search
There you have it! The next time you get a request to do some ninja work on your exchange mailboxes no need to dig out MFCMAPI or MDBVU32.exe or, worst yet, logging into someone’s mailbox, use PowerShell instead.