Home » Tech » Compliance Search in Exchange 2016
Tech

Compliance Search in Exchange 2016

author
Published By Nilesh
Aswin Vijayan
Approved By Aswin Vijayan
Published On July 6th, 2019
Reading Time 4 Minutes Reading

In the present arena, there is a tremendous update in technology. Every organization wants to be ahead and upgraded. There are regular changes in some or the other application. One such change can be seen in Exchange Server. Users were using the Search-Mailbox option to delete any doubtful spam emails spread in the organization till Exchange 2013. However, a new technique is introduced to search and remove messages in exchange 2016 compliance search using New-ComplianceSearch cmdlet.

When New-ComplianceSearch is used for the process of searching, users can search as many numbers of mailboxes as required without any limitations within a single search. When users do the searching, with the help of Search- Mailbox, then approximately 10,000 mailboxes can be searched in a single search. Search-Mailbox can still be used in Exchange 2016 servers to explore the mailbox as it is applicable in Exchange 2016. Let us discuss a scenario to know that when a user or organization use New-ComplianceSearch

“Suppose you are assigned with a work to search all mailboxes to identify some specific custodians that are responsible for a legal case. Then, in this case, you can use the New-ComplianceSearch cmdlet and investigate all the mailboxes in your organization to recognize those who are actually responsible for it.”

How to Create Exchange 2016 Compliance Search

This is an example to create Compliance search in Exchange 2016:

New-ComplianceSearch -Name “New Phishing Message” -ExchangeLocation “All”

Parameters, which are permissible, are few of them, but users require at least these two for better search:

  • ContentMatchQuery – The ContentMatchQuery parameter indicates a search filter for content and uses the KQL, which stands for Keyword Query Language

For Instance:

New-ComplianceSearch -Name “Remove Phishing Message” -ExchangeLocation “All” -ContentMatchQuery “‘virus’ AND ‘your account closure’”

  • ExchangeLocation – It indicates the location, which is considered for the searching
  • Accepted values are:
  1. Particular Mailbox can be stated
  2. A distribution group can be stated
  3. All – Mentioning this means that users can see all mailboxes.
  • Force – This is an important command as by mentioning this only, users can execute the command.
  • Set-ComplianceSearch– With users can modify the created command.

Note: At the times when a new compliance search is generated, a shadow ediscovery search will be produced in In-Place eDiscovery & grip page in the EAC. However, the status will not start and users can run Get-MailboxSearch as well to see this.

It is recommended by Microsoft to remove this automatically created shadow In-Place eDiscovery search. In spite of this, run the script provided by the Microsoft given in the page of New-compliance search. This will change an already accessible compliance search to an In-Place eDiscovery search. Therefore, when users run Get-ComplianceSearch, they need to see the Compliances that have been produced. However, when users run Get-MailboxSearch, they should not witness any shadow in-placediscovery, which was formed for them.

This is the procedure as mentioned below:

  • Firstly, create a new compliance search
  • Then, remove the shadow ediscovery, which is created for the new compliance search.
  • Now, run the command script according to the images given below.

step1

step2

  • After this, begin the In-Place eDiscovery search – Start-MailboxSearch
  • Make an In-Place Hold and copy the search results
  • Now, export the search results
  • Use New-ComplianceSearchAction -SearchName “Remove Phishing Message” -Purge -PurgeType SoftDelete and remove the message.

Tips:
When users run the compliance search ps1 script given by Microsoft, they should put in the value of the new compliance. During the creation of inplace hold, it is better to put in the value of all the fields that are available. Once the search is finished, there is an option to preview the search results by using delegated admin account. After this, the data can be migrated as PST. Use New-ComplianceSearchAction command to remove the emails.

Some More Information about Exchange Online Compliance Search

New-ComplianceSearch is limited in deleting 10 emails only per mailbox at a time using a single command. Although, there is no limit set for the searching. This means users can search as many mailboxes without bothering about the number. Search-Mailbox has the limit to delete 10000 emails per mailbox at a time with the help of a single command.

Important Note: New-MailboxSearch command will no longer be accessible on Office 365 from July 2017 as per TechNet source.

Conclusion

As we have discussed above, this new feature of Exchange 2016 Compliance Search permits users to search all the mailboxes in an organization without any number limitation. This Compliance Search proves to be helpful in the scenarios where the wide searching is required. Therefore, considering all these things we have learned the method to create a Compliance Search in Exchange using New-ComplianceSearch cmdlet. It can also be concluded that this new technique is a useful thing, which is added in Microsoft Exchange.