
Have you ever been in a situation where a client, friend, colleague or executive sends or receives an email and, all of a sudden, the world comes to an end and you need to remove those emails? Today, I would like to run through some commands which can aid you in this emergency situation. I am sure many of you know how to run tracking logs. But matching on certain criteria can be time-consuming, and in an emergency situation you will need to match criteria quickly. Imagine an email being forwarded in the queues with 100s if not 1000s of users: then you have a really big issue. Therefore, we will run through some commands with common searches which you may require on the spot.
Let us look at some basic commands:
User Level:
Search-Mailbox -Identity User@domain.com -SearchQuery 'Subject:"Example of subject line"' -DeleteContent
Domain Level:
Search-Mailbox -Identity *@domain.com -SearchQuery 'Subject:"Example of subject line"' -DeleteContent
Very Large Domain Level:
Get-Mailbox *@domain.com -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Example of subject line"' -DeleteContent
Now, to run against single or multiple criteria you need to amend the SearchQuery, and knowing which parameters can be searched is the key. These parameters are tied to message properties and search operators for In-Place eDiscovery. Here are some of the parameters (search operators):
Property | Property description | Examples | Search results returned by the examples |
Attachment | The names of files attached to an email message. | attachment:annualreport.ppt ; attachment:annual* | Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment. |
Bcc | The BCC field of an email message. | bcc:pilarp@contoso.com ; bcc:pilarp ; bcc:"Pilar Pinilla" | All examples return messages with Pilar Pinilla included in the Bcc field. |
Category | The categories to search. Categories can be defined by users by using Outlook or Outlook Web App. The possible values are: blue, green, orange, purple, red, yellow | category:"Red Category" | Messages that have been assigned the red category in the source mailboxes. |
Cc | The CC field of an email message. | cc:pilarp@contoso.com ; cc:"Pilar Pinilla" | In both examples, messages with Pilar Pinilla specified in the CC field. |
From | The sender of an email message. | from:pilarp@contoso.com ; from:contoso.com | Messages sent by the specified user or sent from a specified domain. |
Importance | The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low. | importance:high ; importance:medium ; importance:low | Messages that are marked as high importance, medium importance, or low importance. |
Kind | The message type to search. Possible values: contacts, docs, faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail | kind:email ; kind:email OR kind:im OR kind:voicemail | Email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria. |
Participants | All the people fields in an email message; these fields are From, To, CC, and BCC. | participants:garthf@contoso.com ; participants:contoso.com | Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain. |
Received | The date that an email message was received by a recipient. | received:04/15/2014 ; received>=01/01/2014 AND received<=03/31/2014 | Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014. |
Recipients | All recipient fields in an email message; these fields are To, CC, and BCC. | recipients:garthf@contoso.com ; recipients:contoso.com | Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain. |
Sent | The date that an email message was sent by the sender. | sent:07/01/2014 ; sent>=06/01/2014 AND sent<=07/01/2014 | Messages that were sent on the specified date or sent within the specified date range. |
Size | The size of an item, in bytes. | size>26214400 ; size:1..1048576 | Messages larger than 25 MB. The second example returns messages from 1 through 1,048,576 bytes (1 MB) in size. |
Subject | The text in the subject line of an email message. | subject:"Quarterly Financials" ; subject:northwind | Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line. The second example returns all messages that contain the word northwind in the subject line. |
To | The To field of an email message. | to:annb@contoso.com ; to:annb ; to:"Ann Beebe" | All examples return messages where Ann Beebe is specified in the To: line. |
More searchable properties are covered in a deep-dive article from Microsoft.
However, by combining the properties above with a basic search query, key searches such as the following can be run quickly.
User Level:
Search-Mailbox -Identity User@domain.com -SearchQuery 'From:sender@domain.com' -DeleteContent
Domain Level:
Search-Mailbox -Identity *@domain.com -SearchQuery 'From:sender@domain.com' -DeleteContent
Very Large Domain Level:
Get-Mailbox *@domain.com -ResultSize Unlimited | Search-Mailbox -SearchQuery 'From:sender@domain.com' -DeleteContent
Combined with Excel, this should help you quickly write up some fancy queries and keep the mailboxes clean.
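The multi-criteria case mentioned above, as an added example that is not part of the original post: a hypothetical helper, New-PurgeQuery, joins several properties from the table with AND, and the search runs first with -EstimateResultOnly so the match counts can be checked before -DeleteContent. The helper name, sender, subject and dates are constructed placeholders.

```powershell
# Added example (not from the original post). New-PurgeQuery is a hypothetical helper.
function New-PurgeQuery {
    param(
        [string]$From,
        [string]$Subject,
        [string]$Attachment,
        [datetime]$ReceivedFrom,
        [datetime]$ReceivedTo
    )
    $inv   = [cultureinfo]::InvariantCulture   # keep "/" as the date separator on any locale
    $terms = @()
    if ($From)       { $terms += "from:$From" }
    # Quote the subject so it matches as an exact phrase; embedded quotes would end it early.
    if ($Subject)    { $terms += 'subject:"{0}"' -f ($Subject -replace '"', '') }
    if ($Attachment) { $terms += "attachment:$Attachment" }
    if ($PSBoundParameters.ContainsKey('ReceivedFrom')) {
        $terms += 'received>=' + $ReceivedFrom.ToString('MM/dd/yyyy', $inv)
    }
    if ($PSBoundParameters.ContainsKey('ReceivedTo')) {
        $terms += 'received<=' + $ReceivedTo.ToString('MM/dd/yyyy', $inv)
    }
    # An empty query matches every item in the mailbox, so refuse to return one.
    if ($terms.Count -eq 0) { throw 'No criteria given: an empty query would match everything.' }
    $terms -join ' AND '
}

# Constructed sample criteria: one sender, one subject line, a two-day window.
$query = New-PurgeQuery -From 'sender@domain.com' -Subject 'Example of subject line' `
    -ReceivedFrom '2014-04-15' -ReceivedTo '2014-04-16'
Write-Output "SearchQuery: $query"

# The rest needs the Exchange Management Shell; it is skipped where Search-Mailbox is absent.
if (Get-Command Search-Mailbox -ErrorAction SilentlyContinue) {
    # Dry run: -EstimateResultOnly counts matches per mailbox and deletes nothing.
    $hits = Get-Mailbox -ResultSize Unlimited |
        Search-Mailbox -SearchQuery $query -EstimateResultOnly |
        Where-Object { $_.ResultItemsCount -gt 0 }
    $hits | Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

    # Delete only from the mailboxes that matched; -Confirm prompts for each one.
    $hits | ForEach-Object {
        Search-Mailbox -Identity $_.Identity -SearchQuery $query -DeleteContent -Confirm
    }
}
```

Compare the counts from the dry run with what the tracking logs show before answering the confirmation prompts; a much higher count than expected usually means the query is too broad.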