
Create an In-Place eDiscovery search in Exchange 2016


Applies to: Exchange Server 2016

Topic Last Modified: 2015-09-08

Use In-Place eDiscovery in Exchange 2016 to search across all mailboxes and public folders in your Exchange 2016 organization. This includes searching permanently deleted items and original versions of modified items (in the Recoverable Items folder) for users placed on Litigation Hold or In-Place Hold.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "In-Place eDiscovery" entry in the Messaging policy and compliance permissions topic.

  • To create eDiscovery searches, you have to have an SMTP address in the organization that you’re creating the searches in. In an Exchange hybrid organization, your on-premises Exchange mailbox must have a corresponding mail user account in your Office 365 organization so that you can search cloud-based mailboxes. Or, if you sign in with an account that only exists in Office 365, such as the tenant administrator account, that account must be assigned an Exchange Online license.

  • Exchange 2016 Setup creates a Discovery mailbox called Discovery Search Mailbox to copy search results. You can create additional Discovery mailboxes. For details, see Create a discovery mailbox.

  • When you create a search, messages returned in search results aren’t copied automatically to a discovery mailbox. After you create the search, you can use the Exchange admin center (EAC) to estimate and preview search results or copy them to a discovery mailbox. You can also export the search results to a .pst file. For details, see:

You can use the EAC or the Shell to create eDiscovery searches. In Exchange 2016, you can search mailboxes and public folders.

As previously explained, to create eDiscovery searches, you have to sign in to a user account that has an SMTP address in your organization.

  1. Go to Compliance management > In-Place eDiscovery & Hold, and then click New.

  2. In the New In-Place eDiscovery & Hold window, on the Name and description page, type a name for the search, add an optional description, and then click Next.

  3. On the Mailboxes and Public folders page, select the content sources to search:

    • To include all mailboxes in the search, click Search all mailboxes. If you select this option, you won't be able to enable an In-Place Hold for the search.

    • To exclude mailboxes from the search (and search only public folders), click Don't search any mailboxes.

    • To include specific mailboxes in the search, click Specify mailboxes to search, and then add the mailboxes that you want to search.

    • To include public folders in the search (or to place public folders on hold), click Search all public folders. For more information about searching public folders, see Search public folders using In-Place eDiscovery.

    [Figure: Use In-Place eDiscovery to search and place a hold on public folders]

  4. On the Search query page, complete the following fields:

    • Include all content   Select this option to place all content in the selected mailboxes on hold. If you select this option, you can’t specify additional search criteria.

    • Filter based on criteria   Select this option to specify search criteria, including keywords, start and end dates, sender and recipient addresses, and message types. For more information about search queries, see Message properties and search operators for In-Place eDiscovery in Exchange 2016.

      [Figure: Configure an eDiscovery search query]

  5. On the In-Place Hold settings page, you can select the Place content matching the search query in selected sources on hold check box, and then select one of the following options to place items on In-Place Hold:

    • Hold indefinitely   Select this option to place the returned items on an indefinite hold. Items on hold will be preserved until you remove the content source from the search or delete the search.

    • Specify number of days to hold items relative to their received date   Use this option to hold items for a specific period. For example, you can use this option if your organization requires that all messages be retained for at least seven years. You can use a time-based In-Place Hold along with a retention policy to make sure items are deleted in seven years.

      When placing content sources or specific items on In-Place Hold for legal purposes, it's generally recommended to hold items indefinitely and remove the hold when the case or investigation is completed.
  6. Click Finish to save the search and return an estimate of the total size and number of items that will be returned by the search based on the criteria you specified. Estimates are displayed in the details pane. Click Refresh to update the information displayed in the details pane.

Here are three examples of using the Shell to search and place a hold on content in mailboxes and public folders. For detailed syntax and parameter information about using the Shell to create eDiscovery searches, see New-MailboxSearch.

This example creates the search Discovery-CaseId012 for items containing the keywords Contoso and ProjectA. The search results are placed on In-Place Hold, with an unlimited hold duration. The search also includes the following criteria:

  • Start date: 1/1/2009

  • End date: 12/31/2011

  • Source mailbox: DG-Finance

  • Target mailbox: Discovery Search Mailbox

  • Message types: Email

  • Log level: Full

If you don’t specify a search query, a date range, or a message type, all items in the source mailboxes or public folders are returned in the results. The results would be similar to selecting Include all content on the Search query page in the EAC.

New-MailboxSearch "Discovery-CaseId012" -StartDate "1/1/2009" -EndDate "12/31/2011" -SourceMailboxes "DG-Finance" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Contoso" AND "Project A"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full -InPlaceHoldEnabled $true

Start-MailboxSearch "Discovery-CaseId012"

After using the Shell to create an In-Place eDiscovery search, you have to start the search by using the Start-MailboxSearch cmdlet to copy messages to the discovery mailbox specified in the TargetMailbox parameter. For details, see Copy eDiscovery search results to a discovery mailbox in Exchange 2016.

When using the StartDate and EndDate parameters, you have to use the date format of mm/dd/yyyy, even if your local machine settings are configured to use a different date format, such as dd/mm/yyyy. For example, to search for messages sent between April 1, 2013 and July 1, 2013, you would use 04/01/2015 and 07/01/2015 for the start and end dates.

This example creates an estimate-only search that searches all public folders in the organization for items sent between January 1, 2015 and June 30, 2015, and that contain the phrase "patent infringement". The search doesn't include any mailboxes. The Start-MailboxSearch cmdlet is used to start the estimate-only search.

New-MailboxSearch -Name "Northwind Subpoena-All PFs" -AllPublicFolderSources $true -AllSourceMailboxes $false -SearchQuery "patent infringement" -StartDate "01/01/2015" -EndDate "06/30/2015" -TargetMailbox "Discovery Search Mailbox" -EstimateOnly
Start-MailboxSearch "Northwind Subpoena-All PFs"

This example searches all mailboxes and public folders for any content that contains the words "price list" and "Contoso" and that was sent after January 1, 2015. The Start-MailboxSearch cmdlet is used to run the search and copy the search results to the discovery mailbox.

New-MailboxSearch -Name "Contoso Litigation" -AllSourceMailboxes $true -AllPublicFolderSources $true -SearchQuery '"price list" AND "contoso"' -StartDate "01/01/2015" -TargetMailbox "Discovery Search Mailbox"
Start-MailboxSearch "Contoso Litigation"

After you create an eDiscovery search, you can use the EAC to get an estimate and preview of the search results. If you created a new search using the New-MailboxSearch cmdlet, you can use the Shell to start the search to get an estimate of the search results. You can’t use the Shell to preview messages returned in search results.

  1. Go to Compliance management > In-Place eDiscovery & Hold.

  2. In the list view, select the search, and then do one of the following:

    • Click Search > Estimate search results to return an estimate of the total size and number of items that will be returned by the search based on the criteria you specified. Selecting this option restarts the search and performs an estimate.

      Search estimates are displayed in the details pane. Click Refresh to update the information displayed in the details pane.

    • Click Preview search results in the details pane to preview the results after the search estimate is completed. Selecting this option opens the eDiscovery search preview window. All messages returned from the mailboxes or public folders that were searched are displayed.

      The mailboxes or public folders that were searched are listed in the right pane in the eDiscovery search preview window. For each source, the number of items returned and the total size of these items are also displayed. All items returned by the search are listed in the right pane, and can be sorted by newest or oldest date. Items from each mailbox or public folder can’t be displayed in the right pane by clicking a source in the left pane. To view the items returned from a specific mailbox or public folder, you can copy the search results and view the items in the discovery mailbox.

    [Figure: Estimate or Preview Search Results]

You can use the EstimateOnly switch to get an estimate of the search results and not copy the results to a discovery mailbox. You have to start an estimate-only search with the Start-MailboxSearch cmdlet. Then you can retrieve the estimated search results by using the Get-MailboxSearch cmdlet.

For example, you would run the following commands to create a new search and then display an estimate of the search results:

New-MailboxSearch "FY13 Q2 Financial Results" -StartDate "04/01/2013" -EndDate "06/30/2013" -SourceMailboxes "DG-Finance" -SearchQuery '"Financial" AND "Fabrikam"' -EstimateOnly -IncludeKeywordStatistics

Start-MailboxSearch "FY13 Q2 Financial Results"
Get-MailboxSearch "FY13 Q2 Financial Results"

To display specific information about the estimated search results from the previous example, you could run the following command:

Get-MailboxSearch "FY13 Q2 Financial Results" | FL Name,Status,LastRunBy,LastStartTime,LastEndTime,Sources,SearchQuery,ResultSizeEstimate,ResultNumberEstimate,Errors,KeywordHits
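The estimate-only workflow above, combined with the mm/dd/yyyy date requirement described earlier, as an added example that is not part of Microsoft's original topic. It reuses the page's sample search name, mailbox and query; the polling loop and its match on the text of the Status property are assumptions made for this illustration.

```powershell
# Added example. Run in the Exchange Management Shell with In-Place eDiscovery
# permissions. Search name, source mailbox and query are the page's sample values.
$name = 'FY13 Q2 Financial Results'
$inv  = [System.Globalization.CultureInfo]::InvariantCulture

# Build the mm/dd/yyyy strings explicitly. With the invariant culture the "/"
# in the format string stays a literal slash and the month always comes first,
# whatever the regional settings of the machine (for example dd/mm/yyyy).
$start = (Get-Date -Year 2013 -Month 4 -Day 1).ToString('MM/dd/yyyy', $inv)
$end   = (Get-Date -Year 2013 -Month 6 -Day 30).ToString('MM/dd/yyyy', $inv)

# Create the estimate-only search; nothing is copied to a discovery mailbox.
New-MailboxSearch -Name $name -StartDate $start -EndDate $end `
    -SourceMailboxes 'DG-Finance' -SearchQuery '"Financial" AND "Fabrikam"' `
    -EstimateOnly -IncludeKeywordStatistics | Out-Null

# An estimate-only search still has to be started.
Start-MailboxSearch -Identity $name

# Poll until the search leaves a running state, with a 30 minute ceiling.
# Assumption: running states contain one of the strings matched below; check
# the Status values that your Exchange version actually reports.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-MailboxSearch -Identity $name
} while ("$($search.Status)" -match 'InProgress|NotStarted|Queued' -and
         (Get-Date) -lt $deadline)

# Show the estimate together with who ran the search and when.
$search | Format-List Name,Status,LastRunBy,LastStartTime,LastEndTime,
    ResultNumberEstimate,ResultSizeEstimate,Errors

# A search that reports errors may have skipped sources, so the estimate can
# understate what a full copy would return.
if ($search.Errors) {
    Write-Warning "Search '$name' reported errors; the estimate may be incomplete."
}
```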

  • After you create a new eDiscovery search, you can copy search results to the discovery mailbox and export those search results to a PST file. For more information, see:

  • After you run an eDiscovery search estimate (that includes keywords in the search criteria), you can view keyword statistics by clicking View keyword statistics in the details pane for the selected search. These statistics show details about the number of items returned for each keyword used in the search query. However, if more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword statistics. To view keyword statistics, no more than 100 source mailboxes can be included in the search.

  • If you use Get-MailboxSearch in Exchange Online to retrieve information about an eDiscovery search, you have to specify the name of a search to return a complete list of the search properties; for example, Get-MailboxSearch "Contoso Legal Case". If you run the Get-MailboxSearch cmdlet without using any parameters, the following properties aren’t returned:

    • SourceMailboxes

    • Sources

    • PublicFolderSources

    • SearchQuery

    • ResultsLink

    • PreviewResultsLink

    • Errors

    The reason is that it requires a lot of resources to return these properties for all eDiscovery searches in your organization.
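Because the unparameterized cmdlet omits those properties, a review of existing searches has to query each one again by name. The following added example (not part of Microsoft's original topic) builds such a report from properties named on this page; the NoQuery and SourceCount column names are made up for the illustration.

```powershell
# Added example. List every eDiscovery search, then re-query each one by name
# so that Sources, SearchQuery and Errors are populated.
$report = foreach ($s in Get-MailboxSearch) {
    $full = Get-MailboxSearch -Identity $s.Name

    [pscustomobject]@{
        Name          = $full.Name
        Status        = $full.Status
        LastRunBy     = $full.LastRunBy
        LastStartTime = $full.LastStartTime
        # Number of mailboxes and public folders the search covers.
        SourceCount   = @($full.Sources).Count
        # Hypothetical flag: a search with no query is not narrowed by
        # keywords, so it can return every item in its sources.
        NoQuery       = [string]::IsNullOrWhiteSpace($full.SearchQuery)
        SearchQuery   = $full.SearchQuery
        ErrorCount    = @($full.Errors).Count
    }
}

# Most recently run searches first, for review of who searched what.
$report | Sort-Object LastStartTime -Descending | Format-Table -AutoSize

# Searches with no query are listed separately, since they expose the most
# content to whoever ran them.
$report | Where-Object { $_.NoQuery } |
    Select-Object Name, LastRunBy, LastStartTime, SourceCount
```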

© 2015 Microsoft