-->

Saturday, January 14, 2017

Exchange Search-Mailbox Delete More Than 10,000 Items

A few days ago one of my buddies (who happens to be running the Exchange 2013 environment at my old job) called and had a problem where a user got spammed with 13,000,000 messages. Yes, you read that correctly, that's 13 million!
Normally, you would run the Search-Mailbox cmdlet with the -DeleteContent switch to clear those out.
The problem here is, the Search-Mailbox command is limited to only 10,000 messages, and you would have re-run it until you clear out the mailbox...with 13 million, you'd be running that cmdlet a ton of times!

So I created a quick and dirty script that will loop the Search-Mailbox until it doesn't find any more instances of the message.

Copy and paste the following code into notepad and save it as a .ps1 file. For instance Delete-HugeSpam.ps1

$mbx = get-mailbox "mailboxname here"

Do {
 $result = Search-Mailbox -Identity $mbx.Identity -SearchQuery 'Subject:"this is spam from a dirty spammer"' -DeleteContent -force -WarningAction Silentlycontinue

 
write-host $result.resultitemscount -ForegroundColor Green

 } Until ($result.resultitemscount -eq 0)


**Note** Change "mailboxname here" to the mailbox with all the spam, and "this is spam from a dirty spammer" to whatever the Subject of the message is.

Once you have the .ps1 file configured with your mailbox name and subject, fire up the Exchange Management Shell (EMS),  and cd to the directory where you saved the .ps1, then run:

Delete-HugeSpam.ps1

You can monitor the mailbox from OWA by giving yourself FullAccess. I wouldn't recommend using Outlook if there's thousands or millions (in this case) of items because it'll prolly never open.
You should then see the message count doing down.

Now, instruct your user not to open suspicious emails, or better yet don't allow them to have a mailbox anymore :)

24 comments:

  1. THANK YOU VERY MUCH SIR! - great execution of the do..loop

    ReplyDelete
  2. pretty nice method, thanks!

    How can we do it for all mailboxes instead of just one?

    ReplyDelete
    Replies
    1. You could change the first line in the script to:

      $mbx = get-mailbox -resultsize unlimited

      However, this will take a loooooong time, so you might wanna run that on a Remote PowerShell session (not on the server itself).

      Delete
    2. Thanks,

      Im using this method for Exchange Online.
      As there isn't any other way available. (New-compliancesearchaction -Purge only deletes 10 items)

      Delete
    3. Interested to know if we can use that new cmdlet for this script?

      Delete
  3. Worked perfectly. Thank you !!

    ReplyDelete
  4. Thanks A Lot... worked well saved me from clearing by hand ... I had a command line but the 10,000 limit was killing me.

    ReplyDelete
  5. Hi there,

    Question, can we replace Search-Mailbox with the new New-ComplianceSearchAction and this script would still work?

    Thanks

    ReplyDelete
    Replies
    1. Hmm, good question since Search-Mailbox is being deprecated!
      I'd have to mess around with it a bit to see if it will work since the -ComplianceSearch cmdlets take a few extra steps to pull results, compared to Search-Mailbox.

      Delete
    2. How bout this?
      https://community.spiceworks.com/topic/2250854-how-do-you-search-for-and-bulk-delete-content-from-a-office-365-group-mailbox

      Delete
  6. Thanks for this! Question though, instead of it being used with a specific subject line, can I run the same looping delete but with a specific date range. For example: -searchquery ‘(kind:email OR kind:meetings) AND Received:01/01/2009..12/31/2015’

    ReplyDelete
    Replies
    1. Here's my confirmation email saying this works for date ranged too! Thanks again for this awesome script!

      Delete
    2. meant confirmation post* not email. Whoops :)

      Delete
  7. A follow up question: can I essentially run a similar script to re-run MFA (Managed Folder Assistant) on a specific user's mailbox to apply and re-run the MFA policy until the mailbox is current and has 0 items left to move out?

    ReplyDelete
  8. Nice script, but only seems to be working for 23 iterations, so stops deleting after 230,000 emails deleted, then just hangs.

    ReplyDelete
  9. Could you please tell us a way to use csv file instead of running on all mailboxes.

    ReplyDelete
  10. Man, thank you!!! I had to clean up a mailbox with 1 Million items. Who at Microsoft decided that 10,000 was good?

    ReplyDelete
  11. This script was fantastic and I used it several times last year. It doesn't work anymore, so not sure what happened, but I wish it worked again. Must of been something that changed with Exchange or powershell but now this script throws errors like: ConvertFrom-Json: Invalid JSON Primitive. Anyway it was great while it lasted and saved me hours of work.

    ReplyDelete
    Replies
    1. Thanks for the heads up! What flavor of Exchange are you running, so I can check out the script?

      Delete
    2. I am running this on Exchange 365 Online, and I get the same error (ConvertFrom-Json: Invalid JSON Primitive). I suspect it is related to the fact that MS doesn't support Search-Mailbox cmdlet any longer - which absolutely sucks, because the Compliance Center only allows to delete 10 items at a time!!

      Delete
  12. This comment has been removed by the author.

    ReplyDelete