Can I run a Discovery Search for emails sent to external addresses and exclude our local domain?

    Question

  • We need to run a discovery search based on keywords AND from internal users sending to external addresses. We don't care about any emails they sent between each other internally.

    Is there a way in the ECP Discovery Search to add some sort of parameter that says to not search the "local.com" domain, so it only shows emails that were sent to external addresses from these users?

    Thanks,

    Stephen

    Friday, February 17, 2012 18:40

Answers

  • Hi slammers25,

    Any updates?

    If you want to add more than one local domain, please try the following cmdlet:

    -SearchQuery "keyword1 OR keyword2 OR keywordX NOT to:@yourdomain.com NOT to:yourdomain2.com"

    Please run the cmdlet against one test mailbox first.


    Frank Wang

    TechNet Community Support

    • Marked as answer by slammers25 Tuesday, February 28, 2012 14:45
    Monday, February 27, 2012 03:20

All replies

  • Hi,

    I think you can use the Search-Mailbox cmdlet for your task,

    http://technet.microsoft.com/en-us/library/dd298173.aspx ,

    or the Get-MessageTrackingLog cmdlet,

    http://technet.microsoft.com/en-us/library/aa997573.aspx

    BR,

    Andrey


    Andrey Podlesnykh | MCTS: Microsoft Exchange Server 2007/2010 | MCSA

    Friday, February 17, 2012 19:40
  • Is there a specific parameter you would use to exclude our local domain address? I don't see anything on those links that are jumping out at me...

    Thanks again,

    Stephen

    Friday, February 17, 2012 19:50
  • For example,

    Get-TransportServer -Identity Your-HUB-Server | Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.Recipients -notlike "*@your-local-domain.com" -and $_.EventId -eq "Send"} | ft

    , or

    Get-Mailbox -Identity Mailbox-Name | New-MailboxSearch -Name Search-Name -TargetMailbox Any-Mailbox-For-Search-Results| Where {$_.Recipients -notlike "*@your-local-domain.com"}


    Andrey Podlesnykh | MCTS: Microsoft Exchange Server 2007/2010 | MCSA

    Friday, February 17, 2012 21:01
  • Hi,

    What do you want to use as a source of the search? If you want to use the message tracking log, this would help:

    
    [datetime]$start="02/17/2012"
    [datetime]$end=$start.adddays(1)
    get-transportserver | get-messagetrackinglog -start $start -end $end | where-object {$_.recipients -notlike "*yourdomain"}


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

    Friday, February 17, 2012 21:32
  • Initially I was hoping to use the ECP and use the GUI Discovery Tool. But it appears it doesn't give me this functionality.

    So here are my requirements if this helps to point me in the right direction:

    1. I have 60 mailboxes to search out of 1000.

    2. I have to search these 60 mailboxes for email activity since December 1, 2011

    3. I have about 20 keywords to look for.

    4. Searching for any emails with the above parameters that they sent to external addresses. No internal emails.

    Friday, February 17, 2012 21:57
  • Hi,

    It's not possible using the GUI, so you have to use the Exchange Shell in order to get this information. But if you want to check the content of your mailboxes, think about security and data privacy. I think searching the content of your mailboxes is not legal even if your boss told you to get this data. I think in this case you should tell your boss that's not legal and ask him to give the work order in writing.


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

    Saturday, February 18, 2012 13:18
  • Hi,

    It's not possible using the GUI, so you have to use the Exchange Shell in order to get this information. But if you want to check the content of your mailboxes, think about security and data privacy. I think searching the content of your mailboxes is not legal even if your boss told you to get this data. I think in this case you should tell your boss that's not legal and ask him to give the work order in writing.


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

    We have a company email policy that every employee signs that email is company property. It's legal.
    Sunday, February 19, 2012 01:52
  • Laws vary from country to country. In some, what slammers25 wants to do is perfectly legal (with or without employee consent, which he has obtained).
    Sunday, February 19, 2012 02:15
  • Initially I was hoping to use the ECP and use the GUI Discovery Tool.

    Hi slammers25,

    You can use the cmdlet New-MailboxSearch with parameter -SearchQuery

    For example:

    -SearchQuery "keyword1 OR keyword2 OR keywordX NOT to:@yourdomain.com"


    Frank Wang

    TechNet Community Support

    Tuesday, February 21, 2012 06:47
  • Hi slammers25,

    Any updates?


    Frank Wang

    TechNet Community Support

    Thursday, February 23, 2012 03:26
  • Sorry Frank, I haven't had time to try your method yet. I'll try to do this today or tomorrow and report back. Is there the ability to add more than one domain after the "NOT" parameter? We have more than one local domain...
    Thursday, February 23, 2012 13:18
  • Hi slammers25,

    Any updates?

    If you want to add more than one local domain, please try the following cmdlet:

    -SearchQuery "keyword1 OR keyword2 OR keywordX NOT to:@yourdomain.com NOT to:yourdomain2.com"

    Please run the cmdlet against one test mailbox first.


    Frank Wang

    TechNet Community Support

    • Marked as answer by slammers25 Tuesday, February 28, 2012 14:45
    Monday, February 27, 2012 03:20
  • Hi slammers25,

    Any updates?


    Frank Wang

    TechNet Community Support

    Tuesday, February 28, 2012 01:57
  • The "NOT to:" feature worked in PowerShell. Thanks Frank!
    Tuesday, February 28, 2012 14:45
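
The requirements listed in the thread (a subset of mailboxes, a start date, a keyword list, several internal domains to exclude), put together as an added example that is not part of any post above. Mailbox aliases, keywords, domains and search names are placeholders; the parentheses around the keyword group and the estimate-only first pass are assumptions of this example, following the advice to test against one mailbox first.

```powershell
# Added example (Exchange Management Shell); all names below are placeholders.
# Running discovery searches requires membership in the Discovery Management role group.
$keywords     = 'keyword1', 'keyword2', 'keywordX'      # the search terms
$localDomains = 'yourdomain.com', 'yourdomain2.com'     # every internal domain to exclude
$mailboxes    = 'user1', 'user2', 'user3'               # the mailboxes in scope
$since        = [datetime]'2011-12-01'                  # "since December 1, 2011"

function New-ExternalOnlyQuery {
    param([string[]]$Keywords, [string[]]$LocalDomains)
    # Quote each keyword so a multi-word phrase is matched as one term.
    $kw  = ($Keywords | ForEach-Object { '"{0}"' -f $_ }) -join ' OR '
    # One "NOT to:" clause per internal domain, as in the accepted answer.
    $not = ($LocalDomains | ForEach-Object { 'NOT to:@{0}' -f $_ }) -join ' '
    # Parentheses (assumption of this example) keep the OR group separate
    # from the NOT clauses so the exclusion applies to every keyword.
    "($kw) $not"
}

$query = New-ExternalOnlyQuery -Keywords $keywords -LocalDomains $localDomains
$query   # inspect the generated query string before using it

# Pass 1: estimate only, against a single test mailbox. Nothing is copied.
New-MailboxSearch -Name 'ExternalMail-Test' -SourceMailboxes $mailboxes[0] `
    -SearchQuery $query -StartDate $since -EstimateOnly
Get-MailboxSearch -Identity 'ExternalMail-Test' | Format-List

# Pass 2: once the estimate looks right, search all mailboxes in scope and
# copy the hits to a discovery mailbox for review.
New-MailboxSearch -Name 'ExternalMail-Full' -SourceMailboxes $mailboxes `
    -TargetMailbox 'Discovery Search Mailbox' `
    -SearchQuery $query -StartDate $since
```

If the "to:" match applies to any recipient of a message, the NOT clauses also drop messages addressed to both internal and external recipients, so compare the estimate against a known mixed-recipient message before relying on the results.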