In Exchange 2013 eDiscovery is now what used to be called Multi-Mailbox Search in 2010. Anyone with the Discovery Management RBAC rights can perform an eDiscovery search, which is useful for some legal departments during litigation.
Running an eDiscovery Search in the EAC
To run an eDiscovery Search, open the EAC (Exchange Administration Center) and navigate to "Compliance Management" and then "in-place eDiscovery & hold" then click the "+" to start a new search:
Next, you'll be presented with a new window, where you'll give your search a name and optional description:
Next, you'll choose which Mailboxes to search in. This can be all mailboxes in the organization, or you can select specific mailboxes:
Next will be your query filters. This can include Keywords, Date Range, Senders/Recipients, and Message types.
When using keywords, don't use commas to separate words - only spaces. Use operators such as AND, OR, NOT to specify what you're looking for. Wrap phrases in quotes:
Hit "Select Message Types" to specify what content you're looking for:
On the in-place hold settings page, you can choose to put the mailboxes you specified, under litigation hold so that messages cannot be emptied from the dumpster. You can choose to hold until you turn it off, or hold for a certain amount of time.
**Note** Hold will only be available if you chose specific mailboxes, not if you selected to search All Mailboxes in the organization:
When you click Finish, your search will begin. Click Close when it turns blue:
It will then take you back to your eDiscovery control panel and show the status of the Preview. You'll need to click the Refresh button for it to actually update:
**Note** You can choose Preview Search Results, but it will only give the first few hits of the search
Next, you can copy the results (messages that were found matching your criteria) to the Discovery Search Mailbox by clicking the Magnifying Glass and then "copy search results":
You can choose what you want copy over including: unsearchable items (attachments, dumpster etc) de-duplication (it will only copy one instance of a message in case many users have the same message) full logging (it will include full details about items):
After clicking "Copy" it will take you back to the search control. You'll need to refresh to see the copy status.
**Note** The status won't actually update progressively, it will just show 0% and then done:
After the copy is complete, you can open the Discovery Search Mailbox, providing you have Full Access rights on it. I prefer to open it in OWA, since it can be quite large at times:
Once in the Discovery Mailbox, you'll see your search results in a folder labeled with the same name as the search. You can then read through those messages:
You also have the option of exporting the results to a PST, which you can hand off to the legal team for them to peruse. In the search control, click the "Down Arrow":
**Note** The export needs to download the Export Tool (locally from one of your Exchange servers) but it will not work in IE 11...no matter what security settings you try :(
You'll be presented with the same options that you had when copying to the Discovery Mailbox, and the export status:
After you're finished, you can delete your search.
**Note** It will also delete any results that you copied to the Discovery Mailbox:
Now you (or whomever you designate) can run super easy mailbox searches in the EAC.Next, I'll show you how to run eDiscovery searches in the Exchange Management Shell (EMS).
No comments:
Post a Comment