Scripting Powershell for Exchange E-Discovery

Note: this is not legal advice, and no warranty is implied or expressed. Your legal department should provide specific guidance as to search terms and derivatives/variations, mailboxes/persons in question, start dates, end dates, etc.

In the past, I was tasked with performing E-Discovery in Microsoft Exchange for many search terms in many mailboxes. I decided PowerShell would be the right tool for this job. However, I encountered errors when performing the searches for as many terms as I was looking for. Searches of multi-gigabyte mailboxes would end in seconds and produce no results, for terms I knew were present. Instead of fighting with the errors and limitations of the cmdlet, I decided to make a script with a foreach loop.

Firstly, if required or deemed appropriate by management or legal, place a retention/legal hold on the mailboxes in question, which seeks to prevent Outlook and Exchange purge and cleanup processes from potentially damaging or destroying items. The basic usage would be:

Set-Mailbox -Identity 'mailboxalias' -RetentionHoldEnabled $true

(https://blogs.technet.microsoft.com/ediscovery/2008/07/14/hold-me-now-how-to-quickly-put-a-retention-hold-on-1400-employees-using-microsoft-exchange-2007/)

This script expects a file named terms.txt in the same directory as it is run from, with one term per line, single quoted, with punctuation marks escaped with a backtick. For example:

'Acme Corporation, LLC.'

'Contoso'

This script will prompt the script runner for input such as:

mailbox name – this is the mailbox alias (hint: Get-Mailbox)

start date – the date from which to start looking for matching terms, in MM/DD/YYYY format.

end date – see above

export mailbox – the mailbox to which you would like to export the items, I generally chose my own or a dedicated mailbox for this purpose. This is in address@domain.tld format.

Bad Item Limit – There is nothing worse than a scripted search aborting after 12 hours because a few corrupted items were encountered. I recommend setting this to 100.

Matched items will be placed in a subfolder named after the date and the mailbox alias of the account being searched; the hits for every term are merged into that one folder.
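The following is an added example of how such a prompt-driven per-term loop can be written; it is not the post's own script (the script the author links to is not reproduced on the page). It assumes it is run from the Exchange Management Shell by an account with rights to search the source mailbox, that terms.txt sits next to the script in the format described above, and that Search-Mailbox is the cmdlet behind the searches. The KQL date-range syntax (Received:start..end), the way quoted terms are unwrapped, the yyyyMMdd-alias folder name and the CSV summary are my choices, not the author's.

```powershell
# Added example, not the post's script. Assumes the Exchange Management Shell
# (Search-Mailbox, Set-Mailbox) and a terms.txt beside this file with one
# single-quoted term per line, e.g. 'Acme Corporation, LLC.'
Set-StrictMode -Version 2

# --- Step 1 (optional): retention hold, as the post recommends -----------
$alias = Read-Host 'Mailbox alias to search (see Get-Mailbox)'
$hold  = Read-Host 'Place the mailbox on retention hold first? (y/N)'
if ($hold -match '^[Yy]') {
    Set-Mailbox -Identity $alias -RetentionHoldEnabled $true
}

# --- Step 2: remaining prompts, with the dates validated up front ---------
function Read-DatePrompt([string]$label) {
    # Keep asking until the operator supplies a valid MM/DD/YYYY date.
    while ($true) {
        $text = Read-Host "$label (MM/DD/YYYY)"
        try {
            return [datetime]::ParseExact($text, 'MM/dd/yyyy', [cultureinfo]::InvariantCulture)
        } catch {
            Write-Warning "'$text' is not a valid MM/DD/YYYY date; try again."
        }
    }
}
$startDate = Read-DatePrompt 'Start date'
$endDate   = Read-DatePrompt 'End date'
if ($endDate -lt $startDate) { throw 'End date must not precede start date.' }

$targetMailbox = Read-Host 'Export mailbox (address@domain.tld)'
$badItemLimit  = [int](Read-Host 'Bad item limit (the post recommends 100)')

# --- Step 3: load terms.txt ----------------------------------------------
# Strip the surrounding single quotes and any backtick escapes so that only
# the bare phrase is passed to the search (my interpretation of the format).
$termsFile = Join-Path -Path $PSScriptRoot -ChildPath 'terms.txt'
$terms = Get-Content -Path $termsFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    ForEach-Object { ($_ -replace "^'|'$", '') -replace '`(.)', '$1' }
if (-not $terms) { throw "No search terms found in $termsFile" }

# One target folder per run, <yyyyMMdd>-<alias>; every term's hits are copied
# into it, so the results for all terms end up merged together.
$targetFolder = '{0}-{1}' -f (Get-Date -Format 'yyyyMMdd'), $alias
$dateRange    = 'Received:{0}..{1}' -f $startDate.ToString('MM/dd/yyyy'),
                                       $endDate.ToString('MM/dd/yyyy')

# --- Step 4: one Search-Mailbox call per term, never aborting the run -----
$log = @()
foreach ($term in $terms) {
    # Double-quote the phrase so multi-word terms match as a phrase in KQL;
    # embedded double quotes would break that syntax, so they are dropped.
    $phrase = '"{0}"' -f ($term -replace '"', '')
    $query  = '{0} AND {1}' -f $phrase, $dateRange
    Write-Host "Searching $alias for $query"
    try {
        $result = Search-Mailbox -Identity $alias -SearchQuery $query `
            -TargetMailbox $targetMailbox -TargetFolder $targetFolder `
            -BadItemLimit $badItemLimit -LogLevel Basic -ErrorAction Stop
        $log += [pscustomobject]@{ Term = $term; Items = $result.ResultItemsCount; Error = $null }
    } catch {
        # Record the failure for this term and continue with the next one.
        $log += [pscustomobject]@{ Term = $term; Items = 0; Error = $_.Exception.Message }
    }
}

# Per-term summary kept beside the terms file for the case record.
$log | Export-Csv -Path (Join-Path $PSScriptRoot "$targetFolder-summary.csv") -NoTypeInformation
$log | Format-Table -AutoSize
```

Running one Search-Mailbox per term sidesteps the long-query failures described above, and the try/catch around each call means a single bad term or transient error is logged rather than ending a multi-hour run. The per-term CSV is worth keeping with the case file: a zero count with an error message is a term that still needs to be re-run, while a zero count with no error is a genuine negative result.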

This script was tested on a computer with the Exchange Admin Console installed, with an account that was an Exchange Organization Administrator, with local administrator rights on all Exchange servers, and with full permissions to the mailboxes in question.

It’s not perfect, and there is plenty of room for improvement, but it did the job.

20170224-Export-TermsList-Prompts