none
ComplianceSearchAction -purge does not delete anything RRS feed

  • Question

  • Hi guy,

    I'm stuck with the "cleanup" action of Exchange 2016. First, understand the strange behavior of Get-ComplianceSearch:
    https://social.technet.microsoft.com/Forums/office/en-US/2e7b5fc6-4b6b-4906-a438-3de8c219f18e/a-bug-in-getcompliancesearch-?forum=Exch2016PS

    I want to delete some phishing e-mail from mailboxes (of all organization). I'm following this technet :
    https://technet.microsoft.com/en-us/library/ff459253(v=exchg.160).aspx

    No problem until Get-ComplianceSearch, my search has two results : 

    [PS]Get-ComplianceSearch test3 | fl name,status,item*,job*,include* Name : test3 Status : Completed Items : 2 JobStartTime : 22.08.2017 12:41:15 JobEndTime : 22.08.2017 12:41:16 JobOptions : 0 JobProgress : 100

    IncludeUnindexedItems : True

    Now I want to delete this items, so :

    [PS] New-ComplianceSearchAction -SearchName test3 -Purge -PurgeType SoftDelete
    
    Are you sure : Y

    Then I check my "result search action" :

    [PS] Get-ComplianceSearchaction | fl searchname,results,name,*job*
    
    
    SearchName          : test3
    Results             : Purge Type: SoftDelete; Item count: 0, Total size 0, Details: {}
    Name                : test3_Purge
    JobStartTime        : 23.08.2017 05:40:22
    JobEndTime          : 23.08.2017 05:40:23
    JobOptions          : 0
    JobProgress         : 100

    No item in "Results". And trust me, my test e-mails are still in my mailbox...

    The mail is received 48 hours ago. So it should be indexed (I don't know how to check?). Then it should be deleted I guess...

    There is no error message in Event Viewer.

    I don't know what to check then. Is there a log of this cmdlet somewhere ? Why this does not work ??

    Many thanks for you advice
    Regards

    Wednesday, August 23, 2017 6:07 AM

All replies

  • Hi,

    I would use search-mailboxsearch or search-mailbox instead as search-mailbox will perform the task that you have indicated.

    Tuesday, October 24, 2017 11:38 PM
  • According to technet, search-mailbox is replaced by this new solution : "Compliance search"

    https://technet.microsoft.com/en-us/library/ff459253(v=exchg.160).aspx

    Friday, October 27, 2017 7:54 AM
  • Did you run the Start-ComplianceSearch?

    If you did not then the search will not go ahead to remove the required item.

    Tuesday, November 14, 2017 4:52 AM
  • As you can see in my Get-ComplianceSearch, I do have a result
    Meaning I did run "Start-ComplianceSearch"
    Tuesday, November 14, 2017 6:39 AM
  • Hi Serge

    Did you manage to get this resolved? I am running into the same scenario.

    Tuesday, March 27, 2018 7:09 AM
  • Hi,

    No, currently when I want to delete some phishing e-mail for example, I use :

    get-mailbox -Database "db" -resultsize unlimited | search-mailbox -SearchQuery 'from:"spam@bad-domain.com"' -LogLevel Full -TargetMailbox "MyMailBox" -TargetFolder log -DeleteContent -force

    The "compliance" cmdlet are still not reliable to me

    I'll open a support case when "Search-Mailbox" will be really de-supported....

    Tuesday, March 27, 2018 11:41 AM
  • I'm noticing the same issues Serge!

    I'm using pretty straightforward criteria...

    New-ComplianceSearch -Name "newest-phishing-email" -ExchangeLocation "IT Internal" -ContentMatchQuery "'subject:Request From ORG' AND 'from:joe.bloggs@organisation.org.uk'"

    all appears well and purge command appears to run but email still in inboxes....

    Thanks for the steer at the bottom... I'll try and dig up some syntax examples and post here for other poor souls (I'm new to powershell o365 admin)

     

    Tuesday, May 29, 2018 2:24 PM
  • Hi Folks - got a positive result using a blended approach with the admin centre web portal and powershell...

    Here's what worked for me - (comes with no guarantees - proceed at your own risk - your mileage may vary - take care out there)

    Access the Admin Centres – Security and Compliance – Search and Investigation – Content Search

    Once in content search – click on the “switch back to the old experience” link

    Click on Add Condition (add as many as you require for your desired results)

    Enter the required parameters and click on search…. Then preview search results on the window that appears…

    Have a look at the search results to check that they meet requirements….

    ......Then over to powershell –> launch Powershell ISE as administrator and type the following text

    $UserCredential = Get-Credential     (Press enter and input o365 admin credentials)

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection  

    (Press enter and wait for the following text to appear:WARNING: Your connection has been redirected to the following URI: https://eur01b.ps.compliance.protection.outlook.com/powershell-liveid?PSVersion=5.1.16299.248 ")

    Import-PSSession $Session   (Press enter and wait for the following text to appear:WARNING: The names of some imported commands from the module 'tmp_eswpj51m.0qa' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.)

    New-ComplianceSearchAction -SearchName "AllMailboxSearchAndDelete" -Purge -PurgeType SoftDelete

    (Press enter {ensure that the name of your created search is in the –SearchName field})

    Get-ComplianceSearchAction  (Press enter to check all jobs status once job complete – mails should be moved to the deleted items when complete – note these emails will still show up because they have been soft deleted.)

    Get-ComplianceSearchAction -Identity AllMailboxSearchAndDelete_purge  (Press enter to check on job progress {ensure that the name of your created search is in the –SearchName field})


    • Proposed as answer by Scott daScobie Wednesday, May 30, 2018 2:53 PM
    Wednesday, May 30, 2018 2:53 PM
  • The New-ComplianceSearchAction appears to complete however no mail is removed from the mailbox...

    search-mailbox doesn't appear to be a command anylonger (or I can't figure out how to make it load...)

    Been at this 2 days now... 

    Wednesday, May 30, 2018 7:59 PM
  • @Scott daScobie, your solution is only for O365 if I understand well ? Nothing like you mention in Exchange 2016 on-premise web portal.

    @Zanthorx,

    Search-Mailbox still works well for me, on Exchange 2016 on-premise

    Regards

    Monday, June 4, 2018 9:30 AM
  • What makes no sense, is the fact that I can run Purge from PS, which completes & it seems to take affect (checking in mailbox the message is no longer there), but the Search (in Compliance) still finds the mails

    Is that expected?

    Or the Purge should have deleted them from everywhere?

    Seb

    Wednesday, January 16, 2019 6:20 PM
  • Anybody?

    Even with -Purge -PurgeType HardDelete

    I can re-run the Content search & it still shows me full set (which I would expect to be NONE at that time)

    Thursday, January 31, 2019 8:13 AM
  • In fact it gets WORSE.

    Content Search runs & finds what I need, I run the Purge, result is:

    Test_receive_Purge           Test_receive         Purge   Me 06/02/2019 13:41:06 Completed

    Yet NO emails got deleted.

    How can I trust this thing then?

    Seb



    • Edited by scerazy Wednesday, February 6, 2019 1:51 PM
    Wednesday, February 6, 2019 1:51 PM
  • I have the same thing happening after a HardDelete purge. Everything shows as complete but re-running the content search just shows the same emails. Did you ever find out how to truly verify?
    • Edited by BunyanPaul Friday, May 17, 2019 7:28 PM formatting
    Friday, May 17, 2019 7:27 PM
  • It is hardcoded to delete 10 items only at a go.

    So you either run it over & over again or use comandlet

    Search-Mailbox -Identity "April Stewart" -SearchQuery 'Subject:"Your bank statement"' -DeleteContent


    • Edited by scerazy Saturday, May 18, 2019 7:01 AM
    Saturday, May 18, 2019 7:00 AM
  • Any update on this? I just did a test hard and soft purge...both times the messages are still visible in the user's recoverable folder...but i can purge them from the outlook desktop app and they actually disappear...

    in the get-compliancesearch results the purged email in the mailbox is still showing as a positive result.

    Friday, September 13, 2019 8:06 PM
  • Hi,

    I got a similar case, the compliance search reports 2 message recall items in the inbox of a user. The deletion action runs, but with 0 results. A new compliance search reports the messages still being present.

    Same goes for Search-Mailbox, 2 items reported, the deletion runs through, with 0 results. A subsequent search shows, the items still exist.

    Means for me that I got no chance to delete the items without accessing the user's mailbox. That is pretty sub-optimal.

    Tuesday, November 5, 2019 9:14 AM