Recover a single e-mail using Search-Mailbox in Exchange 2010

December 15, 2015 Microsoft Geek

*Note* This article applies to Exchange Server 2010 SP1.

Recently I was asked to recover a single e-mail, because he deleted it by accident. In Exchange 2007 I would use the Export-Mailbox cmdlet.
In Exchange 2010 SP1 a new cmdlet has been introduced: Search-Mailbox. For general information regarding this cmdlet, check the following TechNet article.

I went through the following steps to perform the recovery of the single e-mail:

Assign permissions to perform the search;
Use the Search-Mailbox cmdlet to export the specific e-mail;
Use the Search-Mailbox cmdlet to recover the e-mail.

Scenario

regularuser@mydomain.com removes an e-mail by accident and sends the following e-mail to admin@mydomain.com:

Hi Admin,I deleted an e-mail by accident. This is what I know:
Received from: otheruser@mydomain.com
Subject: Important e-mail #3

Could you please restore this e-mail to my mailbox?

Assigning permissions to my “admin account”

By default, no user can use the Search-Mailbox cmdlet in the EMS. To be able to do this, you will need the “Discovery Management” management role group.

If you would try to execute a Search-Mailbox command without the needed permissions, the EMS will not recognize the cmdlet.
To add your account to this group, you can use the following line:

Add-RoleGroupMember “Discovery Management” –Member myadmin

Using Search-Mailbox to export the e-mail(s)

Now you are ready to export the e-mails you need to recover. Using the Search-Mailbox cmdlet with a specific Searchquery, you can filter the e-mails for the mailbox you provided.

Search-Mailbox -identity “regularuser@mydomain.com” -TargetMailbox “DiscoveryMailbox” -TargetFolder “regularuser” -SearchQuery ‘Subject: “Important e-mail #3” AND from:”otheruser@mydomain.com“’

This command will export all e-mails with subject: “Important e-mail #3” received from e-mail address: “otheruser@mydomain.com”. Of course, you could refine the search query even more. Check the following Technet article for possible SearchQuery syntax.

Using Search-Mailbox to recover the e-mail

The “DiscoveryMailbox” now contains a folder “regularuser” with all e-mails filtered by the Search-Mailbox command.We are going to perform a similar action for the DiscoveryMailbox to recover the e-mail to the right user.

Search-Mailbox -identity “DiscoveryMailbox” -TargetMailboxregularuser@mydomain.com -TargetFolder “Recovered emails” -SearchQuery ‘Subject: “Important e-mail #3” AND from:”otheruser@mydomain.com“’

When running this command, the e-mails will be sent back toregularuser@mydomain.com. This user can then move the e-mail to the appropriate mail folder.

Category: Exchange Server 2010