
Finding a Contact with a Body flag using EWS and eDiscovery (e.g. added from Microsoft Lync)

With the average size of mailboxes/archives getting larger by the day, eDiscovery on Exchange 2013 is useful for a wide range of tasks. eDiscovery uses KQL (Keyword Query Language, https://msdn.microsoft.com/EN-US/library/office/ee558911(v=office.15).aspx), which lets you query both free text and the Queryable properties that have been indexed by the Exchange store. It also allows the use of some more complex operators such as proximity and synonyms.

Let's look at a specific use case for eDiscovery: the Lync client on 2013 will automatically add contacts to your Exchange mailbox in the “Lync Contacts” folder and flag the body of the contact with something like

2/02/2015 This contact was added from Microsoft Lync 2013 (15.0.4675.1000)

(If you want to bind directly to the Lync Contacts folder in 2013, you should be able to use the QuickContacts WellKnownFolderName enum, e.g.

$folderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::QuickContacts,$MailboxName)
$LyncContacts = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,$folderid)

)

If you wanted to look at a mailbox and find all the contacts that were added by the Lync client, regardless of what folder they are now located in, then eDiscovery is a good option. For this you would need to construct a KQL query that first restricts the results to contacts only, using

Kind:contacts

Then add another predicate to this query using a Boolean And to perform a free-text query for the phrase

added from Microsoft Lync

The reason for using a free-text query rather than a property query, e.g. Body:SearchPhrase, is explained in the Notes section of https://technet.microsoft.com/en-us/library/jj983804%28v=exchg.150%29.aspx . Put simply, the Body property is searchable (available in free text) but not Queryable (Queryable meaning you can do a property restriction).

To use eDiscovery in EWS you need to be granted the Discovery Search RBAC role https://technet.microsoft.com/en-us/library/dd298059%28v=exchg.150%29.aspx

The following script does an eDiscovery search of the mailbox you enter as a command-line parameter for the KQL Kind:contacts And “added from Microsoft Lync”. It then does a batch GetItem on the results and validates the Body of each contact to ensure it's not a false positive, and produces a CSV report.

 
I’ve put a download of this script here; the script itself looks like
 
 


## Get the Mailbox to Access from the 1st commandline argument

$MailboxName = $args[0]

$KQL = "Kind:contacts And `"added from Microsoft Lync`"";
$SearchableMailboxString = $MailboxName;

## Load Managed API dll
###CHECK FOR EWS MANAGED API, IF PRESENT IMPORT THE HIGHEST VERSION EWS DLL, ELSE EXIT
$EWSDLL = (($(Get-ItemProperty -ErrorAction SilentlyContinue -Path Registry::$(Get-ChildItem -ErrorAction SilentlyContinue -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Web Services'|Sort-Object Name -Descending| Select-Object -First 1 -ExpandProperty Name)).'Install Directory') + "Microsoft.Exchange.WebServices.dll")
if (Test-Path $EWSDLL)
{
    Import-Module $EWSDLL
}
else
{
    "$(get-date -format yyyyMMddHHmmss):"
    "This script requires the EWS Managed API 1.2 or later."
    "Please download and install the current version of the EWS Managed API from"
    "http://go.microsoft.com/fwlink/?LinkId=255472"
    ""
    "Exiting Script."
    exit
}

## Set Exchange Version
$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1

## Create Exchange Service Object
$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)

## Set Credentials to use. Two options are available: Option 1 to use explicit credentials or Option 2 to use the Default (logged On) credentials

#Credentials Option 1 using UPN for the Windows Account
$psCred = Get-Credential
$creds = New-Object System.Net.NetworkCredential($psCred.UserName.ToString(),$psCred.GetNetworkCredential().password.ToString())
$service.Credentials = $creds
#$service.TraceEnabled = $true
#Credentials Option 2
#$service.UseDefaultCredentials = $true

## Choose to ignore any SSL Warning issues caused by Self Signed Certificates
## Note: the TrustAll policy below accepts every certificate for all HTTPS requests made from this PowerShell session

## Code From http://poshcode.org/624
## Create a compilation environment
$Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
$Compiler=$Provider.CreateCompiler()
$Params=New-Object System.CodeDom.Compiler.CompilerParameters
$Params.GenerateExecutable=$False
$Params.GenerateInMemory=$True
$Params.IncludeDebugInformation=$False
$Params.ReferencedAssemblies.Add("System.DLL") | Out-Null

$TASource=@'
namespace Local.ToolkitExtensions.Net.CertificatePolicy{
  public class TrustAll : System.Net.ICertificatePolicy {
    public TrustAll() {
    }
    public bool CheckValidationResult(System.Net.ServicePoint sp,
      System.Security.Cryptography.X509Certificates.X509Certificate cert,
      System.Net.WebRequest req, int problem) {
      return true;
    }
  }
}
'@
$TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
$TAAssembly=$TAResults.CompiledAssembly

## We now create an instance of the TrustAll and attach it to the ServicePointManager
$TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
[System.Net.ServicePointManager]::CertificatePolicy=$TrustAll

## end code from http://poshcode.org/624

## Set the URL of the CAS (Client Access Server) to use. Two options are available: use Autodiscover to find the CAS URL or hardcode the CAS to use

#CAS URL Option 1 Autodiscover
## The {$true} script block is the redirection validation callback; it accepts any Autodiscover redirect URL
$service.AutodiscoverUrl($MailboxName,{$true})
"Using CAS Server : " + $Service.url

#CAS URL Option 2 Hardcoded

#$uri=[system.URI] "https://casservername/ews/exchange.asmx"
#$service.Url = $uri

## Optional section for Exchange Impersonation

#$service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $MailboxName)

## Convert a string of hex byte pairs to text, one character per pair
function ConvertToString($ipInputString){
    $Val1Text = ""
    for ($clInt=0;$clInt -lt $ipInputString.length;$clInt++){
        $Val1Text = $Val1Text + [Convert]::ToString([Convert]::ToChar([Convert]::ToInt32($ipInputString.Substring($clInt,2),16)))
        $clInt++
    }
    return $Val1Text
}


## Walk the folder hierarchy under $rootFolderId and cache FolderId -> folder path in $Script:FolderCache
function GetFolderPaths{
    param (
        $rootFolderId = "$( throw 'rootFolderId is a mandatory Parameter' )",
        $Archive = "$( throw 'Archive is a mandatory Parameter' )"
    )
    process{
        #Define Extended properties
        $PR_FOLDER_TYPE = new-object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(13825,[Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Integer);
        $folderidcnt = $rootFolderId
        #Define the FolderView used for Export; should not be any larger than 1000 folders due to throttling
        $fvFolderView = New-Object Microsoft.Exchange.WebServices.Data.FolderView(1000)
        #Deep Traversal will ensure all folders in the search path are returned
        $fvFolderView.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep;
        $psPropertySet = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
        $PR_Folder_Path = new-object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(26293, [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::String);
        #Add Properties to the Property Set
        $psPropertySet.Add($PR_Folder_Path);
        $fvFolderView.PropertySet = $psPropertySet;
        #The Search filter will exclude any Search Folders
        $sfSearchFilter = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo($PR_FOLDER_TYPE,"1")
        $fiResult = $null
        #The Do loop will handle any paging that is required if there are more than 1000 folders in a mailbox
        do {
            $fiResult = $Service.FindFolders($folderidcnt,$sfSearchFilter,$fvFolderView)
            foreach($ffFolder in $fiResult.Folders){
                $foldpathval = $null
                #Try to get the FolderPath Value and then convert it to a usable String
                if ($ffFolder.TryGetProperty($PR_Folder_Path,[ref] $foldpathval))
                {
                    $binarry = [Text.Encoding]::UTF8.GetBytes($foldpathval)
                    $hexArr = $binarry | ForEach-Object { $_.ToString("X2") }
                    $hexString = $hexArr -join ''
                    $hexString = $hexString.Replace("FEFF", "5C00")
                    $fpath = ConvertToString($hexString)
                }
                "FolderPath : " + $fpath
                if($Archive){
                    $Script:FolderCache.Add($ffFolder.Id.UniqueId,"Archive-Mailbox" + $fpath);
                }
                else{
                    $Script:FolderCache.Add($ffFolder.Id.UniqueId,$fpath);
                }
            }
            $fvFolderView.Offset += $fiResult.Folders.Count
        }while($fiResult.MoreAvailable -eq $true)
    }
}

$Script:FolderCache = New-Object system.collections.hashtable
GetFolderPaths -rootFolderId (new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$MailboxName)) -Archive $false
#GetFolderPaths -rootFolderId (new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::ArchiveMsgFolderRoot,$MailboxName)) -Archive $true

## Resolve the mailbox to a searchable mailbox and build the search scope (primary and archive)
$gsMBResponse = $service.GetSearchableMailboxes($SearchableMailboxString, $false);
$msbScope = New-Object Microsoft.Exchange.WebServices.Data.MailboxSearchScope[] $gsMBResponse.SearchableMailboxes.Length
$mbCount = 0;
foreach ($sbMailbox in $gsMBResponse.SearchableMailboxes)
{
    $msbScope[$mbCount] = New-Object Microsoft.Exchange.WebServices.Data.MailboxSearchScope($sbMailbox.ReferenceId, [Microsoft.Exchange.WebServices.Data.MailboxSearchLocation]::All);
    $mbCount++;
}
## Build the eDiscovery request for the KQL query, returning preview items in pages of 100
$smSearchMailbox = New-Object Microsoft.Exchange.WebServices.Data.SearchMailboxesParameters
$mbq = New-Object Microsoft.Exchange.WebServices.Data.MailboxQuery($KQL, $msbScope);
$mbqa = New-Object Microsoft.Exchange.WebServices.Data.MailboxQuery[] 1
$mbqa[0] = $mbq
$smSearchMailbox.SearchQueries = $mbqa;
$smSearchMailbox.PageSize = 100;
$smSearchMailbox.PageDirection = [Microsoft.Exchange.WebServices.Data.SearchPageDirection]::Next;
$smSearchMailbox.PerformDeduplication = $false;
$smSearchMailbox.ResultType = [Microsoft.Exchange.WebServices.Data.SearchResultType]::PreviewOnly;
$srCol = $service.SearchMailboxes($smSearchMailbox);
$rptCollection = @()

if ($srCol[0].Result -eq [Microsoft.Exchange.WebServices.Data.ServiceResult]::Success)
{
    Write-Host ("Items Found " + $srCol[0].SearchResult.ItemCount)
    if ($srCol[0].SearchResult.ItemCount -gt 0)
    {
        do
        {
            ## Remember the last preview item so the next SearchMailboxes call returns the following page
            $smSearchMailbox.PageItemReference = $srCol[0].SearchResult.PreviewItems[$srCol[0].SearchResult.PreviewItems.Length - 1].SortValue;
            ## Build a List<ItemId> for the batch GetItem (BindToItems) call
            $type = ("System.Collections.Generic.List"+'`'+"1") -as "Type"
            $type = $type.MakeGenericType("Microsoft.Exchange.WebServices.Data.ItemId" -as "Type")
            $BatchItemids = [Activator]::CreateInstance($type)
            foreach ($PvItem in $srCol[0].SearchResult.PreviewItems) {
                $BatchItemids.Add($PvItem.Id)
            }
            $psPropset= new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
            $Results = $service.BindToItems($BatchItemids,$psPropset)
            foreach($Result in $Results){
                if($Result.Item.Body.Text -ne $null){
                    ## Validate the Body to rule out false positives from the free-text search
                    if($Result.Item.Body.Text.Contains("This contact was added from Microsoft Lync")){
                        $rptObj = "" | select FolderPath,Subject,ImAddress1,ImAddress2,ImAddress3
                        $rptObj.ImAddress1 = $Result.Item.ImAddresses[[Microsoft.Exchange.WebServices.Data.ImAddressKey]::ImAddress1]
                        $rptObj.ImAddress2 = $Result.Item.ImAddresses[[Microsoft.Exchange.WebServices.Data.ImAddressKey]::ImAddress2]
                        $rptObj.ImAddress3 = $Result.Item.ImAddresses[[Microsoft.Exchange.WebServices.Data.ImAddressKey]::ImAddress3]
                        $rptObj.Subject = $Result.Item.Subject
                        if($Script:FolderCache.ContainsKey($Result.Item.ParentFolderId.UniqueId)){
                            $rptObj.FolderPath = $Script:FolderCache[$Result.Item.ParentFolderId.UniqueId]
                        }
                        $rptCollection += $rptObj
                    }
                }
            }

            $srCol = $service.SearchMailboxes($smSearchMailbox);
            Write-Host("Items Remaining : " + $srCol[0].SearchResult.ItemCount);
        } while ($srCol[0].SearchResult.ItemCount -gt 0 );

    }

}
$rptCollection
$rptCollection | Export-Csv -NoTypeInformation -Path c:\temp\AddedByLync.csv
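
The script above trusts every TLS certificate and follows every Autodiscover redirect. As an added example (not part of the original script), the block below can replace the TrustAll section and the AutodiscoverUrl call: it accepts a self-signed CAS certificate only when its thumbprint matches a pinned value, and follows redirects only to HTTPS URLs. The class name PinnedCertPolicy and the $PinnedThumbprint placeholder are assumptions made for illustration; $service and $MailboxName are the script's own variables.

```powershell
# Added example: pin the CAS certificate instead of trusting every certificate.
# Placeholder value: replace with the thumbprint of your own CAS certificate.
$PinnedThumbprint = '<THUMBPRINT-OF-YOUR-CAS-CERTIFICATE>'

Add-Type -TypeDefinition @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class, compiled in memory like the script's TrustAll policy.
public static class PinnedCertPolicy
{
    public static string Thumbprint = "";

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that passes normal chain and host name checks is accepted as usual.
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null) { return false; }
        // Otherwise accept only the single certificate whose thumbprint was pinned.
        string actual = new X509Certificate2(cert).Thumbprint;
        return !String.IsNullOrEmpty(Thumbprint) &&
               String.Equals(actual, Thumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static void Enable(string thumbprint)
    {
        // Thumbprints copied from the certificate dialog often contain spaces.
        Thumbprint = thumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }
}
'@

[PinnedCertPolicy]::Enable($PinnedThumbprint)

# Follow an Autodiscover redirect only when it points at an HTTPS endpoint
# (the script's {$true} callback follows any redirect URL).
$service.AutodiscoverUrl($MailboxName, {
    param($redirectionUrl)
    ([System.Uri]$redirectionUrl).Scheme -eq 'https'
})
"Using CAS Server : " + $service.Url
```

With the placeholder left unchanged no self-signed certificate matches, so only certificates that validate normally are accepted.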