Recovering Deleted Email with New Exchange Online Cmdlets

Exchange Makes It Easy for Users to Fix Deletion Mistakes

Exchange has used a two-step item deletion process for nearly 20 years. When someone deletes an item from a mailbox, it moves into the Deleted Items folder. Later, when the user empties the Deleted Items folder, or the Managed Folder Assistant empties the folder under the instruction of a retention policy, the items go into the Recoverable Items folder. Users can rescue items from Recoverable Items using the Recover Deleted Items feature in OWA or Outlook (Figure 1).

Figure 1: Outlook Recover deleted items

When Microsoft added the Recover Deleted Items feature to Exchange 2000, the idea was to avoid administrators having to restore deleted items from backup tapes. If users make a mistake, they can fix the problem themselves.

Eventually, the Managed Folder Assistant clears deleted items out of Recoverable Items and they become irrecoverable. The exception to the rule is when items come under the control of a hold, in which case Exchange holds the items until the hold expires.

When Exchange Admins Rescue Users

Although Recover Deleted Items works, it is a mechanism best suited to restoring limited numbers of items. If someone deletes a folder holding thousands of items and doesn’t notice the problem, that folder and its items eventually end up in Recoverable Items and might need to be restored. Invariably, this is a problem that users are quick to escalate to look for help. Another reason why someone might seek assistance is when they cannot see the wood for the trees and cannot find the item they want by scrolling through the list presented by Recover Deleted Items.

Up to now, an admin might fix the problem by logging into the user’s mailbox with OWA, finding the items, and restoring them. This approach works, but it means that the admin must assign themselves permission to open the user’s mailbox, and that’s not usually a good thing, especially when the mailbox belongs to someone who works with confidential or sensitive information.

Two New Cmdlets

Exchange Online now boasts two new cmdlets to help.

  • Get-RecoverableItems executes basic searches of the Deleted Items and Recoverable Items folders to find items without the need to sign into the mailbox.
  • Restore-RecoverableItems finds and copies items from Deleted Items or Recoverable Items to their original folders.

The basic idea is that you use Get-RecoverableItems to construct a search to find the desired items and then use the search as input to Restore-RecoverableItems when you are sure that it will process the correct items. Before trying to run these cmdlets, make sure that the account you use to sign into PowerShell holds the Exchange “Mailbox Import Export” RBAC role.

To find out who has the role already, you can run the following command. In the example, the members of the Organization Management role group have the role as does the Administrator account.
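One way to list the holders of the role, as an added example rather than the article's original command. It assumes an existing Exchange Online PowerShell session; the function name Get-ImportExportRoleHolder is hypothetical.

```powershell
# Added example; assumes an existing Exchange Online PowerShell session.
# Get-ImportExportRoleHolder is a hypothetical helper name.
function Get-ImportExportRoleHolder {
    param([string]$Role = 'Mailbox Import Export')

    # -GetEffectiveUsers expands role groups so that the output shows the
    # accounts that can actually use the role, not only the group names.
    $effective = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers

    foreach ($entry in $effective) {
        [pscustomobject]@{
            User         = $entry.EffectiveUserName
            GrantedVia   = $entry.RoleAssigneeName   # role group or direct assignee
            AssigneeType = $entry.RoleAssigneeType
            Method       = $entry.AssignmentMethod   # direct or through a group
        }
    }
}

# Review the list: every account here can search and restore deleted mail
# in other people's mailboxes without signing into them.
Get-ImportExportRoleHolder |
    Sort-Object GrantedVia, User |
    Format-Table -AutoSize
```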

Get-RecoverableItems

This example shows how to search a mailbox for email items (Ipm.Note) in the RecoverableItems folder.

The date/times used in the filter are not the creation timestamp. Instead, they are when the user or the Managed Folder Assistant moved the item into its current folder. For instance, if a mailbox has a retention policy that moves items from Deleted Items into Recoverable Items after 120 days, the Managed Folder Assistant might have processed the items found by the search above at least four months ago.

A user can bypass Deleted Items and send an item directly to Recoverable Items by using the SHIFT/Delete key combination. In this case, the LastModifiedTime property (used for date filters) is the date when the user executed SHIFT/Delete.

If you want to search the Deleted Items folder instead of Recoverable Items, specify “DeletedItems” (these values are language independent). You cannot create a search for both the Deleted Items and Recoverable Items folders, so if you want to check the two folders, you need two separate searches. You also cannot search either folder in the archive mailbox. Likewise, you can specify different types of items to look for (like Ipm.Appointment for a calendar item or Ipm.Contact for a contact), but you cannot combine different item types in a search.

Users might not be certain when an item was deleted, but they might be able to tell you the message subject. If so, you can search like this:

Be aware that a search based on SubjectContains finds any item that contains the string in its subject. In this case, it will unearth items with subjects like “My Tasks” and “Hard and Difficult Tasks” and “Tasks 2017.”

An example of the data returned for found items is shown below.

Obviously, the more precise the search, the more likely you are to find the right item.
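Because one search cannot span both folders or several item types, the following added example (not code from the original article) wraps Get-RecoverableItems in a loop that runs one search per folder and item type. The function name Find-DeletedItem, the mailbox address and the filter values are constructed for illustration.

```powershell
# Added example; Find-DeletedItem and the sample mailbox are hypothetical.
function Find-DeletedItem {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [string[]] $ItemType     = @('IPM.Note'),
        [string[]] $SourceFolder = @('DeletedItems', 'RecoverableItems'),
        [datetime] $Start,
        [datetime] $End,
        [string]   $SubjectContains
    )

    # Optional filters are added only when the caller supplied them.
    $filter = @{}
    if ($PSBoundParameters.ContainsKey('Start')) { $filter.FilterStartTime = $Start }
    if ($PSBoundParameters.ContainsKey('End'))   { $filter.FilterEndTime   = $End }
    if ($SubjectContains)                        { $filter.SubjectContains = $SubjectContains }

    # One search per folder and per item type: a single search cannot span either.
    foreach ($folder in $SourceFolder) {
        foreach ($type in $ItemType) {
            Get-RecoverableItems -Identity $Mailbox -SourceFolder $folder `
                -FilterItemType $type -ResultSize Unlimited @filter
        }
    }
}

# Constructed sample values. The dates filter on when the item was moved
# into its current folder, not on when it was created.
$found = Find-DeletedItem -Mailbox 'kim.akers@contoso.example' `
    -ItemType 'IPM.Note', 'IPM.Appointment' `
    -Start (Get-Date).AddDays(-30) -End (Get-Date) -SubjectContains 'Tasks'

# SubjectContains is a substring match, so review the hits before restoring.
$found | Sort-Object LastModifiedTime |
    Format-Table SourceFolder, ItemClass, Subject, LastModifiedTime -AutoSize
```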

Recovering Items

Once you are happy that your search finds the right items, you can proceed to recovery. The Restore-RecoverableItems cmdlet takes the same search that you use to find items and restores each item to its original location:

Of course, if you wanted to, you could create your own processing loop to process a batch of mailboxes and restore the messages if any matches are in Recoverable Items (Figure 2). Here’s an example:
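A processing loop of this kind, written as an added example and not the article's original script. The mailbox addresses, subject string and log file name are constructed placeholders; the same search definition is passed to both cmdlets and the outcome is written to a CSV file as a record of what was restored.

```powershell
# Added example; mailbox addresses, subject and log path are constructed placeholders.
$mailboxes = 'kim.akers@contoso.example', 'ben.owens@contoso.example'

# One search definition, reused unchanged for the find and the restore.
$search = @{
    SourceFolder    = 'RecoverableItems'
    FilterItemType  = 'IPM.Note'
    SubjectContains = 'Quarterly budget review'
    FilterStartTime = (Get-Date).AddDays(-14)
    FilterEndTime   = (Get-Date)
}

$log = foreach ($mbx in $mailboxes) {
    try {
        # Find first, so that nothing is restored for mailboxes with no match.
        $hits = @(Get-RecoverableItems -Identity $mbx @search -ErrorAction Stop)
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Mailbox = $mbx; Found = 0; Status = 'No match'; Subjects = '' }
            continue
        }

        # Restore with exactly the same filter that produced the hits.
        Restore-RecoverableItems -Identity $mbx @search -ErrorAction Stop | Out-Null

        [pscustomobject]@{
            Mailbox  = $mbx
            Found    = $hits.Count
            Status   = 'Restore requested'
            Subjects = ($hits.Subject | Sort-Object -Unique) -join '; '
        }
    }
    catch {
        # A failure on one mailbox is recorded and the loop moves on.
        [pscustomobject]@{
            Mailbox = $mbx; Found = 0
            Status  = "Error: $($_.Exception.Message)"; Subjects = ''
        }
    }
}

# Keep a record of which mailboxes were touched and what was restored.
$log | Export-Csv -Path .\RecoverableItemsRestore.csv -NoTypeInformation
$log | Format-Table -AutoSize
```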

Figure 2: Restore-RecoverableItems

Automation is Good

Anything that automates common administrative operations is goodness. In this case, these cmdlets avoid the need for administrators to sign into user mailboxes to help the owners find missing messages. And like any PowerShell cmdlets, I am sure that people will come up with some interesting methods to exploit this functionality in the future.