
Create an In-Place eDiscovery Search

 

Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2014-02-24

Use In-Place eDiscovery to search across all mailbox content, including deleted items and original versions of modified items for users placed on In-Place Hold.

  • Estimated time to complete: 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "In-Place eDiscovery" entry in the Messaging Policy and Compliance Permissions topic.

  • To create eDiscovery searches, you have to have an SMTP address in the organization that you’re creating the searches in. So in Exchange Online, you must have a licensed Exchange Online mailbox to create eDiscovery searches. In an Exchange hybrid organization, your on-premises Exchange mailbox must have a corresponding mail user account in your Office 365 organization so that you can search Exchange Online mailboxes. Or, if you sign in with an account that only exists in Office 365, such as the tenant administrator account, that account must be assigned an Exchange Online license.

  • Exchange 2013 Setup creates a Discovery mailbox called Discovery Search Mailbox to copy search results. The Discovery Search Mailbox is also created by default in Exchange Online. You can create additional Discovery mailboxes. For details, see Create a Discovery Mailbox.

  • When you create an In-Place eDiscovery search, messages returned in search results aren’t copied automatically to a discovery mailbox. After you create the search, you can use the Exchange Admin Center (EAC) to estimate and preview search results or copy them to a discovery mailbox. For details, see:

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

As previously explained, to create eDiscovery searches, you have to sign in to a user account that has an SMTP address in your organization.

  1. Go to Compliance management > In-place eDiscovery & hold.

  2. Click New (the Add icon).

  3. In In-Place eDiscovery & Hold, on the Name and description page, type a name for the search, add an optional description, and then click Next.

  4. On the Mailboxes page, select the mailboxes to search. You can search across all mailboxes or select specific ones to search.

    Important:
    You can’t use the Search all mailboxes option to place all mailboxes on hold. To create an In-Place Hold, you must select Specify mailboxes to search. For more details, see Create or Remove an In-Place Hold.
  5. On the Search query page, complete the following fields:

    • Include all user mailbox content   Select this option to place all content in the selected mailboxes on hold. If you select this option, you can’t specify additional search criteria.

    • Filter based on criteria   Select this option to specify search criteria, including keywords, start and end dates, sender and recipient addresses, and message types.

      [Screenshot: Configure eDiscovery Search Query]
  6. On the In-place hold settings page, you can select the Place content matching the search query in selected mailboxes on hold check box, and then select one of the following options to place items on In-Place Hold:

    • Hold indefinitely   Select this option to place the returned items on an indefinite hold. Items on hold will be preserved until you remove the mailbox from the search or remove the search.

    • Specify number of days to hold items relative to their received date Use this option to hold items for a specific period. For example, you can use this option if your organization requires that all messages be retained for at least seven years. You can use a time-based In-Place Hold along with a retention policy to make sure items are deleted in seven years.

      Important:
      When placing mailboxes or items on In-Place Hold for legal purposes, it is generally recommended to hold items indefinitely and remove the hold when the case or investigation is completed.
  7. Click Finish to save the search and return an estimate of the total size and number of items that will be returned by the search based on the criteria you specified. Estimates are displayed in the details pane. Click Refresh to update the information displayed in the details pane.

This example creates the In-Place eDiscovery search Discovery-CaseId012 for items containing the keywords Contoso and ProjectA that also meet the following criteria:

  • Start date: 1/1/2009

  • End date: 12/31/2011

  • Source mailbox: DG-Finance

  • Target mailbox: Discovery Search Mailbox

  • Message types: Email

  • Log level: Full

Important:
If you don’t specify additional search parameters when running an In-Place eDiscovery search, all items in the specified source mailboxes are returned in the results. If you don’t specify mailboxes to search, all mailboxes in your Exchange or Exchange Online organization are searched.
New-MailboxSearch "Discovery-CaseId012" -StartDate "1/1/2009" -EndDate "12/31/2011" -SourceMailboxes "DG-Finance" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Contoso" AND "Project A"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full

Note:
When using the StartDate and EndDate parameters, you have to use the date format of mm/dd/yyyy, even if your local machine settings are configured to use a different date format, such as dd/mm/yyyy. For example, to search for messages sent between April 1, 2013 and July 1, 2013, you would use 04/01/2013 and 07/01/2013 for the start and end dates.

After using the Shell to create an In-Place eDiscovery search, you have to start the search by using the Start-MailboxSearch cmdlet to copy messages to the discovery mailbox specified in the TargetMailbox parameter. For details, see Copy eDiscovery Search Results to a Discovery Mailbox.

For detailed syntax and parameter information, see New-MailboxSearch.

After you create an In-Place eDiscovery search, you can use the EAC to get an estimate and preview of the search results. If you created a new search using the New-MailboxSearch cmdlet, you can use the Shell to start the search to get an estimate of the search results. You can’t use the Shell to preview messages returned in search results.

  1. Navigate to Compliance management > In-place eDiscovery & hold.

  2. In the list view, select the In-Place eDiscovery search, and then click Search.

  3. From the search list, select one of the following options:

    • Estimate search results   Select this option to return an estimate of the total size and number of items that will be returned by the search based on the criteria you specified. Selecting this option restarts the search and performs an estimate.

      Search estimates are displayed in the details pane. Click Refresh to update the information displayed in the details pane.

    • Preview search results   Select this option to preview the results. Selecting this option opens the eDiscovery search preview window. All messages returned from the mailboxes that were searched are displayed.

      Note:
      The mailboxes that were searched are listed in the right pane in the eDiscovery search preview window. For each mailbox, the number of items returned and the total size of these items is also displayed. All items returned by the search are listed in the right pane, and can be sorted by newest or oldest date. Items from each mailbox can’t be displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a specific mailbox, you can copy the search results and view the items in the discovery mailbox.

You can use the EstimateOnly switch to return only an estimate of the search results and not copy the results to a discovery mailbox. You have to start an estimate-only search with the Start-MailboxSearch cmdlet. Then you can retrieve the estimated search results by using the Get-MailboxSearch cmdlet.

For example, you would run the following commands to create a new eDiscovery search and then display an estimate of the search results:

New-MailboxSearch "FY13 Q2 Financial Results" -StartDate "04/01/2013" -EndDate "06/30/2013" -SourceMailboxes "DG-Finance" -SearchQuery '"Financial" AND "Fabrikam"' -EstimateOnly -IncludeKeywordStatistics

Start-MailboxSearch "FY13 Q2 Financial Results"
Get-MailboxSearch "FY13 Q2 Financial Results"

To display specific information about the estimated search results from the previous example, you could run the following command:

Get-MailboxSearch "FY13 Q2 Financial Results" | FL Name,Status,LastRunBy,LastStartTime,LastEndTime,Sources,SearchQuery,ResultSizeEstimate,ResultNumberEstimate,Errors,KeywordHits
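
The following added example (not part of the original topic) wraps the estimate-only workflow above in a helper that refuses an unscoped search, formats the dates as mm/dd/yyyy regardless of the local culture, and waits for the estimate to finish. The function name New-ScopedEstimateSearch, the 10-second polling interval, and the status names matched in the wait loop are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example: hypothetical helper, not a built-in Exchange cmdlet.
function New-ScopedEstimateSearch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]   $Name,
        [Parameter(Mandatory=$true)][string[]] $SourceMailboxes,
        [Parameter(Mandatory=$true)][string]   $SearchQuery,
        [Parameter(Mandatory=$true)][datetime] $StartDate,
        [Parameter(Mandatory=$true)][datetime] $EndDate,
        [int] $TimeoutSeconds = 600
    )

    # Omitting mailboxes searches every mailbox and omitting a query returns
    # every item, so reject blank values before anything is created.
    if (@($SourceMailboxes | Where-Object { $_ -and $_.Trim() }).Count -eq 0) {
        throw 'SourceMailboxes is blank: the search would cover all mailboxes.'
    }
    if (-not $SearchQuery.Trim()) {
        throw 'SearchQuery is blank: the search would return all items.'
    }
    if ($EndDate -lt $StartDate) { throw 'EndDate is earlier than StartDate.' }

    # StartDate/EndDate must be mm/dd/yyyy even on a dd/mm/yyyy workstation.
    $inv   = [System.Globalization.CultureInfo]::InvariantCulture
    $start = $StartDate.ToString('MM/dd/yyyy', $inv)
    $end   = $EndDate.ToString('MM/dd/yyyy', $inv)

    New-MailboxSearch -Name $Name -StartDate $start -EndDate $end `
        -SourceMailboxes $SourceMailboxes -SearchQuery $SearchQuery `
        -EstimateOnly -IncludeKeywordStatistics | Out-Null
    Start-MailboxSearch -Identity $Name

    # Poll until the estimate leaves a pending state or the timeout expires.
    # Assumption: pending states are named NotStarted, Queued or *InProgress.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $search = Get-MailboxSearch -Identity $Name
    } while ("$($search.Status)" -match 'NotStarted|Queued|InProgress' -and
             (Get-Date) -lt $deadline)

    # Return the scope with the estimate so a reviewer can confirm both.
    $search | Select-Object Name,Status,LastRunBy,Sources,SearchQuery,
        ResultNumberEstimate,ResultSizeEstimate,Errors
}

# Same search as the example above, with dates passed as DateTime values.
New-ScopedEstimateSearch -Name 'FY13 Q2 Financial Results' `
    -SourceMailboxes 'DG-Finance' -SearchQuery '"Financial" AND "Fabrikam"' `
    -StartDate ([datetime]'2013-04-01') -EndDate ([datetime]'2013-06-30')
```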

After you create a new eDiscovery search, you can copy search results to the discovery mailbox and export those search results to a PST file. For more information, see:

 
© 2014 Microsoft. All rights reserved.