eDiscovery and In-Place/Litigation Holds are the premium Exchange Server features that allow administrators or discovery managers to search user mailboxes for various items and – if necessary – put those mailboxes on hold for litigation or some other purposes. In this article I’d like to show how you – an administrator – can designate a user to be a discovery manager and delegate him/her the right to search a limited set of mailboxes. But prior to configuring a discovery manager I’d like to say a couple of words regarding Exchange administrators.
There are two types of searches – searches that include all mailbox content and searches that include only the filtered items, and by default even Exchange administrators don’t have the right to create filter-based searches and place the resultant set of mailboxes on in-place hold. Most likely the account being used by an Exchange administrator is a member of the Organization Management role group, and such an account can only be used to search all mailbox content (and place these mailboxes on hold), for example:
compliance management\in-place eDiscovery & hold
So for the administrator to be able to use filter-based queries and holds, his/her account (Enterprise Administrator in my test network) must be added to the Discovery Management role group.
In EAC navigate to Permissions\Admin roles and add the accounts:
Since a change in role group membership is a rather sensitive operation, it’s a good idea to make sure Exchange Server has audited it:
compliance management\auditing
One thing to note: EntAdmin can run queries/apply holds across any mailbox in the organization. Why? Because both roles (Legal Hold and Mailbox Search) that make up the Discovery Management role group have the Organization role scope. What if you want to designate some user as a Discovery Manager but do not want him/her to have access to all organization mailboxes? In this case a new custom role scope (and a new role group) that includes only a subset of mailboxes must be created. And this is what I’d like to do in this post.
Suppose I want to let A. Oliver run eDiscovery (and then In-Place hold if necessary) for users from the HR department: for example, I want her to search for the messages sent from Enterprise Administrator to the HR users.
First of all, a new custom scope that includes only HR department users must be created. Any custom role scope needs a recipient filter to select the mailboxes to be searched, and the only recipient property that can be used in In-Place eDiscovery is distribution group membership (MemberOfGroup). In my test network it means A.Oliver should be able to search only the members of the HR distribution group – Laddler Amelia and Martin Thomas.
So the first step is to create the new scope.
Before creating the scope I’d like to make sure the recipient filter I’m going to use in the new scope does really work: since the MemberOfGroup filterable property takes the group names either in CN or DN format, I first find the DN name of my HR group and then check whether the recipient filter returns the HR’s members.
Get-DistributionGroup -Identity "HR" | Format-List Name,DistinguishedName
Get-Recipient -RecipientTypeDetails UserMailbox -Filter 'MemberOfGroup -eq "CN=HR,OU=Groups,OU=Tier2,OU=ADMIN,DC=TestENTERPRISE,DC=net"'
The filter does work so I create the new management scope HR_Users_eDiscovery_Scope:
New-ManagementScope "HR_Users_eDiscovery_Scope" -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=HR,OU=Groups,OU=Tier2,OU=ADMIN,DC=TestENTERPRISE,DC=net'"
To make the discovery management easier I’ll create the new universal security group UN_Discovery_Managers and add Ackret Oliver to the group. In this case the new role group will always contain a single member – UN_Discovery_Managers – which makes it easy to add users to or remove them from the TestENTERPRISE_Discovery_Managers role group.
Now let’s create the new management role group – TestENTERPRISE_Discovery_Managers – and add UN_Discovery_Managers as a member:
As I want the members of the UN_Discovery_Managers group to be able to 1) preview and 2) copy search results, I must – according to this MS article –
1) add UN_Discovery_Managers as a member of the HR distribution group
2) add the discovery mailbox to the HR distribution group
Add-DistributionGroupMember -Identity "HR" -Member "UN_Discovery_Managers"
Add-DistributionGroupMember -Identity "HR" -Member "Discovery Search Mailbox"
– I’ve used the Display Name in the command above that can be found by using this command:
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |fl DisplayName
And the last step: a discovery manager must have full control permission over the discovery mailbox (in this case over the default discovery search mailbox):
Add-MailboxPermission 'Discovery Search Mailbox' -User UN_Discovery_Managers -AccessRights FullAccess -InheritanceType all
Now it’s time to move on to creating the first eDiscovery search. As already mentioned, I want A.Oliver to search the HR department’s mailboxes for messages sent from Enterprise Administrator.
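The scope and role group steps above, collected into one Exchange Management Shell script that also checks the new role group is really bound to the custom scope and that the change was audited. This is an added example, not the author's own commands; it uses the object names from this article and assumes the HR group and the UN_Discovery_Managers group already exist.

```powershell
# Added example for the Exchange Management Shell (run as an Organization Management member).
# Object names are the article's; the HR group and UN_Discovery_Managers are assumed to exist.
$scopeName = 'HR_Users_eDiscovery_Scope'
$roleGroup = 'TestENTERPRISE_Discovery_Managers'
$hrGroupDn = (Get-DistributionGroup -Identity 'HR').DistinguishedName
$filter    = "MemberOfGroup -eq '$hrGroupDn'"

# 1. Refuse to build a scope on a filter that matches no mailboxes.
$inScope = @(Get-Recipient -RecipientTypeDetails UserMailbox -Filter $filter -ResultSize Unlimited)
if ($inScope.Count -eq 0) { throw "Filter [$filter] returns no mailboxes." }
$inScope | Format-Table Name, PrimarySmtpAddress -AutoSize

# 2. Create the scope and the role group only when they are missing.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter | Out-Null
}
if (-not (Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup -Roles 'Mailbox Search', 'Legal Hold' `
        -CustomRecipientWriteScope $scopeName -Members 'UN_Discovery_Managers' | Out-Null
}

# 3. Every role assignment of the new role group must be bound to the custom scope.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $roleGroup)
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
$unscoped = @($assignments | Where-Object { "$($_.CustomRecipientWriteScope)" -ne $scopeName })
if ($assignments.Count -eq 0 -or $unscoped.Count -gt 0) {
    throw "Role group $roleGroup is not limited to scope $scopeName."
}

# 4. The delegated group must not also sit in the organization-wide role group.
$orgWide = @(Get-RoleGroupMember -Identity 'Discovery Management')
if ($orgWide.Name -contains 'UN_Discovery_Managers') {
    throw 'UN_Discovery_Managers is a direct member of Discovery Management.'
}

# 5. Confirm the changes were written to the admin audit log.
Search-AdminAuditLog -Cmdlets New-ManagementScope, New-RoleGroup, Update-RoleGroupMember `
    -StartDate (Get-Date).AddDays(-1) |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, CmdletName, ObjectModified -AutoSize
```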
I log on to ECP as A.Oliver and navigate to compliance management\in-place eDiscovery & hold and add a new eDiscovery search:

On the Mailboxes page I specify the mailboxes to search: the members of the HR distribution group:
On the next page I won’t use any keywords (since this is the test environment the number of messages is rather small and I want to find them all) and refine the search by adding the sender, the time window and the type of messages (Message type to search:Email at the bottom of the window):
Upon completing the search I want to put those mailboxes on the 10-day hold:
What happened? Why does the current discovery manager – Ackret Oliver – not have the correct permissions? As you see I selected the HR group as the source of the search – this is what MS states in its documentation:
But in the picture above – as Kael Yao-MSFT pointed out – Exchange “thinks” that HR is a mailbox – not a distribution group! For some reason Exchange can’t resolve the group to its mailboxes and the operation fails. You can read more about this problem (apparently a bug) here.
Since Exchange can’t resolve group names let’s change the group name to the mailboxes themselves – fortunately there’re only two recipients in the HR group:
This time the search has been created successfully.
Clicking Preview search results will open the following window:
These are all the messages sent from Enterprise Administrator to the members of the DS_HR group.
Once we’ve estimated the search results and found them to be correct, the next step will be to copy the results to the discovery mailbox. While on the in-place eDiscovery & hold page click Copy search results:
The search results are copied to the default Discovery search mailbox (you can create another discovery mailbox, give the discovery manager permissions to the new discovery search mailbox and select it on the page above – I decided to use the default one). Now A.Oliver can open her Outlook, add the discovery search mailbox to her profile and search for items of interest in the two mailboxes.
After logging in as A.Oliver I navigate to Account Settings – Change – and add Discovery search mailbox:
…More Settings:
…Add
…and type Discovery Search Mailbox:
The Discovery search mailbox is added. There will be two search results – one per mailbox – under the HR_eDiscoverySearch and the information message from Exchange confirming the search has completed successfully – please pay attention to the Sources section of the message:
This message contains the Excel report on the search – you can quickly look through it to see the summary of the messages included:
…and then read the messages of interest in the discovery mailbox:
If there’s a need to export the search results to pst file(s) you can easily do this:
Now the C:\eDiscoverySEARCH\EXPORT folder contains the search, the log and the two (one per the searched mailbox) Outlook data files:
As you remember, Ackret Oliver is assigned the custom management scope that includes only the HR department’s mailboxes – what if she tried to search a mailbox outside her scope? Let’s check whether such a search succeeds. For example, suppose A.Oliver wants to search the IT department’s mailboxes:
Exchange prohibited searching the mailboxes outside the assigned scope – only members of the Discovery Management role group (currently only Enterprise Administrator) are allowed to run such searches.
Once all necessary information has been gathered a discovery manager can delete the search, but if the search contains the hold it must first be removed, otherwise the following error will arise:
Just open the search and clear the Hold checkbox:

Now deleting should succeed.
The same applies to deleting the role groups with custom scopes assigned: if you want to delete such group (TestENTERPRISE_Discovery_Managers in this test) you must first delete the custom scope (HR_Users_eDiscovery_Scope).
The last thing to note: all searches created by discovery managers (as well as by other administrators, of course) will be visible on the in-place eDiscovery & hold page – when giving users permissions to do some administrative tasks in Exchange Server we are not creating some sort of user-specific ECP but just allowing them to access some ECP pages. For example, the EntAdmin will see exactly the same page as Ackret Oliver:
Attention! While copying/pasting commands please check the correctness of the quotation marks: depending on your language settings they can change into the wrong ones!