Using Exchange Server 2010 e-discovery (Multi-mailbox search)
Exchange Server 2010 has tons of new features and using the new permission model RBAC (Role Based Access Control) we can assing a regular user to do legal search on the users' mailboxes. In this post I'm going over this process in the Exchange Server 2010 Beta, our scenario is that we want to use a Mail Enabled Security Group called Legal Group and all users that belong to this group will have the ability to do a search in our Exchange Organization.
Okay, our user responsible to do the legal search is called Auditor, and we need to add him into our Legal Group that we have just created. As soon as we have these steps done, we can assign the DiscoveryManagement role to that group using the following cmdlet:
Now, the Auditor user can run /ECP">https://<cas-server>/ECP, and in the dropdown list (Select what to manage) make sure that My Organization is selected and you you will see on the left site the item Reporting, as demonstrated in the figure below.
Permissions done! Time to create a query to demonstrate the feature. Our legal team is searching for the word gremio (which is the best soccer team in the world! :) If you want to know what I'm talking about, you can check http://www.gremio.net/home/Default.aspx?language=1) and we are going to configure some options in our search.
During the search creation process we have 6 main sections (Keywords, Messages to and From Specific E-mail Addresses, Date Range, Mailboxes to Search and Search Name and Storage Location) and we can play with them to get better results based in all those criterias.
The Keywords, Messages To and From Specific E-mail Addresses, and Date Range sections can be seen in the figure below. Basically, the keywork will be the best soccer team of the world (gremio) and we are not going to speciy who send or receive the message, and we are not going to customize date range for our search.
In Mailbox to Search section we can select all mailboxes or a specific set of mailboxes. Finally, in the Search Name and Storage Location section, we are going to define the rule name and which mailbox will receive the results, we can also configure the search to send a message as soon as it finishes the process. To conclude the process click on Save.
We can see that the status still in progress. Let's wait for the results..
Okay, done! We can see that we have some issues, it happened because the mailbox store wasn't available during the search process.
Let's check the results. Let's log on as Audit user, and we can see that our search name has a folder in the root of our mailbox, and its subfolders represents each mailbox where that string was found. Using some of the new features of OWA, we can see the conversation thread. Isn't cool?
ECP is a really nice interface but sometimes the admin wants to do the process using the well-known PowerShell and we can accomplish the same tasks using Get-MailboxSearch, New-MailboxSearch, Start-MailboxSearch, Stop-MailboxSearch and Remove-MailboxSearch cmdlets. Using those cmdlets we can create the same query that we have just created using ECP interface, also we can some extra options, such as: use the archive, search the dumpster.