Exchange EWS eDiscovery Powershell Module

eDiscovery is one of the more useful features introduced in Exchange 2013, and offers a quick and powerful way of searching and reporting on items in a mailbox or across multiple mailboxes on an Exchange Server or in Exchange Online. In this post I wanted to roll up a few eDiscovery scripts I posted in the past into a more user-friendly and expandable PowerShell module.

eDiscovery uses KQL (Keyword Query Language) to search indexed properties, which are listed at https://technet.microsoft.com/en-us/library/dn774955(v=exchg.150).aspx. For quick reporting with eDiscovery you can tell Exchange to return only the number (and size) of the items that match your KQL query. Otherwise Exchange will return preview items (200 at a time), which means the query can take some time to complete if you're enumerating through a large result set.
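
As an added example (not code from this module), the following composes the kind of KQL string such a query takes: a received-date range, an OR group over attachment types and a participants filter, with every value quoted so it cannot widen the search. The function names are hypothetical, the sample values are constructed, and the use of the received, participants and attachment properties here is an assumption about what a caller would search on.

```powershell
# Added example: composes KQL strings only and makes no EWS calls.
# Function names are hypothetical. received, participants and attachment are
# property names from Microsoft's list of searchable Exchange properties.

function ConvertTo-KqlTerm {
    param(
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string]$Value
    )
    # A double quote would close the phrase early and let the rest of the value
    # be parsed as KQL operators, so refuse it rather than guess at escaping.
    if ($Value.Contains('"')) { throw "Double quote not allowed in KQL value: $Value" }
    # Quote every value so spaces, parentheses and AND/OR/NOT stay literal text.
    return ('{0}:"{1}"' -f $Property, $Value)
}

function New-KqlDateRange {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$Property = 'received'
    )
    if ($End -lt $Start) { throw 'End must not be earlier than Start' }
    # Date-only, culture-independent format so the query does not vary with locale.
    $ci = [cultureinfo]::InvariantCulture
    return ('{0}:{1}..{2}' -f $Property, $Start.ToString('yyyy-MM-dd', $ci), $End.ToString('yyyy-MM-dd', $ci))
}

function New-KqlAnyOf {
    param(
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string[]]$Values
    )
    $terms = foreach ($v in $Values) { ConvertTo-KqlTerm -Property $Property -Value $v }
    # Parentheses keep the OR group intact when it is ANDed with other clauses.
    return '(' + ($terms -join ' OR ') + ')'
}

# Constructed sample input: January 2016, three attachment types, one domain.
$range  = New-KqlDateRange -Start ([datetime]'2016-01-01') -End ([datetime]'2016-01-31')
$types  = New-KqlAnyOf -Property 'attachment' -Values '.pdf', '.docx', '.xlsx'
$domain = ConvertTo-KqlTerm -Property 'participants' -Value 'example.com'

"$range AND $types AND $domain"
```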

I’ve tried to take a very modular approach with the code in this module to make it easier to extend.

Permissions – The eDiscovery parts of this module require the account that’s running the script to be a member of the Discovery Search RBAC role see . The code that gets the FolderPath does require that the user running the script has rights to the Mailbox or EWS Impersonation rights.

Here is what the cmdlets in the module can do at the moment

 Get-MailboxItemStats

This is just a generic cmdlet: you can either enter some KQL to make a query, or enter a Start and End date to create a report of items in a particular date range, e.g. to show email from the last month

Get-MailboxItemStats -MailboxName Mailbox@domain.com -Start (Get-Date).AddDays(-31) -End (Get-Date)

this will show results like

If you use the FolderPath switch this will instead show a folder-level view of the results. To get the folder list it must use the previewItems, which are slower to retrieve, e.g.

Get-MailboxItemStats -MailboxName Mailbox@domain.com -Start (Get-Date).AddDays(-31) -End (Get-Date) -FolderPath

would yield results like

 Get-MailboxItemTypeStats

This is from one of my earlier posts and returns a list of ItemTypes in a Mailbox. I’ve added a parameter so you can do a query on just one ItemType as well. So running it like this would yield a report of the Contacts in a Mailbox and where they’re located

 Get-MailboxConversationStats

This lets you report on the From, To, CC and BCC fields of a message. With Exchange these fields are indexed in the Participants property (as well as their own keywords for Recipients, To, etc.). Some cool things you can do with this is query mailbox traffic to and from a particular domain, e.g.

If you then want to know more about one particular recipient type you can take the value in the Title property and use that in Get-MailboxItemTypeStats, e.g.

Attachments

One of the more useful things you can do with this module is search for and download attachments from a Mailbox using eDiscovery, which you can’t easily automate in the eDiscovery Console. So I’ve got a few different options for this. First I have

Get-AttachmentTypeMailboxStats

This works like the ItemType cmdlet in that it does multiple OR queries on a list of attachment types. By default, if you don’t pass in an array of attachment types to query, I have a list of eight common types, so it will produce a report like this

If you want to run a query based on one AttachmentType across folders you can use something like the following

Or limit it to one particular attachment name

Get-MailboxAttachments 

You can download attachments using this cmdlet, e.g.

In Exchange Online, if you have reference attachments located in OneDrive, the module does have code to detect and download these using the SharePoint client libraries. You do need to change the version in

$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1

to

$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2015

I’ve put the module up on GitHub: https://github.com/gscales/Powershell-Scripts/tree/master/eDiscovery

You can download a copy of the script from here. I’ve included a compiled version of the latest version of the Managed API, which includes the update to process reference attachments.
