locked
Search-Mailbox not working properly RRS feed

  • Question

  • Hi all,

    I have an issue with a command that I am trying to use to delete specific emails from mailboxes.

    I have a script which deletes emails older than 7 days if matching the conditions.

    This script must be automated via a scheduled task so I have to use a variable to define the date in the script.

    For this to work, I have to include the -SearchQuery parameter in a scriptblock or it won't recognize the date variable in the query.

    It looks something like this:

    $Search = [scriptblock]::create("Received:2018-01-01..$Today AND (subject:(rejected transfer*) OR subject:(credit debit card error*) OR subject:(payment transfer*) OR subject:(rejected payment*) OR subject:(cancelled cheques*))")

    There are 36 conditions added to this script block, but didn't want to make this post too long.

    The strange thing is - it is working fine in Exchange Online Powershell - it does show results.

    But when I run the exact same script on the on-premise Exchange 2013 environment, it does not find anything even if it should, as I checked some mailboxes manually.

    As far as I know the Search-Mailbox cmdlet should work the same way in both environments.

    The appropriate access is granted for the user who runs the script.

    Do you have any idea what is the problem?

    Thank you!

    Thursday, December 13, 2018 1:05 PM

All replies

  • Well the EMS is generally speaking different compared to "plain" remote PowerShell, so try it with a new PS window, do a remote session and run the cmdlet there.
    Thursday, December 13, 2018 7:21 PM
  • Hi RobKTCIS,

    Based on my testing, "-SearchQuery" parameter takes different forms in different versions of Exchange on-premise, there has a little difference.

    I would suggest you extracted "Search-Mailbox -Identity "xxx" -SearchQuery xxx " from this script you used, then running it in EMS separately, make sure it could run successfully in EMS, then add it to script again.

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Friday, December 14, 2018 8:02 AM
  • Hi Vasil,

    I have tried it but it is still giving 0 results. I guess I have to completely re-think the current conditions.

    When I use EMS on the Exchange server, it is acting weird.

    I tried to run the cmdlet just with 2 conditions, date + 1 subject. The date filtering works fine, however the results don't really match the subject I entered.

    For example when I use the following SearchQuery condition there are 78 matches for a certain mailbox and the log file shows about 4-5 emails only with the word "rejected" in the subject:

    $Search = [scriptblock]::create("Received:2018-01-01..$Today AND subject:(rejected)")

    Other strange thing.

    When I add further conditions to this query, only the last condition of the scriptblock will be found:

    $Search = [scriptblock]::create("Received:2018-01-01..$Today AND (subject:(restriction) OR subject:(rejected))")

    It will show the same 78 results again. When I search for the "restriction" subject only, it offers 62 results and compared them with the 78 results, couldn't find a single email which has the same subject.

    So in my view, it should find 140 results.

    Regards

    Robert

    Friday, December 14, 2018 1:09 PM
  • Hi Kyle,

    I have tried it in EMS and got the results what I sent to Vasil above.

    Regards

    Robert

    Friday, December 14, 2018 1:16 PM
  • Hi RobKTCIS,

    Do you mean, you could run this command successfully, however, this search result is not as expected.

    Which time do you used to search mails? Did you try to search mails with UTC time rather than local machine time?

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, December 20, 2018 11:54 AM
  • Hi Kyle,

    Sorry for the delay.

    Yes, the command runs successfully but the results were not as expected.

    I performed further tests and it seems like there's an issue with the order of the punctuation marks within the query. I also stopped using the defined date variable and the scriptblock, maybe that caused the problem.

    It looks something like this now:

    $Search = 'received<"this week" AND ((subject:"subject1" subject:"subject2" subject:"subject3") OR (from:"xyz") OR (to:"xyz"))'

    If I run it every Sunday, then it will only delete emails older than 7 days.

    And it seems working this way. Not sure why it wasn't working with the original command, looks like this command works differently in the Exchange Online and On-premises environment.

    Thank you both for your help!

    Best regards

    Robert

    Wednesday, January 2, 2019 10:56 AM