Monday, January 7, 2013

Exchange Massive Search and Destroy & Quota control


 Users are always asking for extra mailbox quota, where their mailbox is full of unneeded/none-important emails such as: 
  • Internal announcements
  • Systems notifications
  • Service desk emails
  • Etc…………..

 As a proactive measure, you will need to set a policy for this kind of emails retention, and schedule a massive search and destroy PowerShell script to do the job,

Syntax:

Search specific mailbox and delete all emails with the subject “delete me”

Search-Mailbox -Identity "Hany Donia" -SearchQuery "Subject:delete me" -DeleteContent –Force

Search specific mailbox and delete all email from specific address

Search-Mailbox -Identity "Hany Donia" -SearchQuery "from:spam@spamorg.com" -DeleteContent –Force

Search a specific mailbox and delete all emails sent in a specific date

Search-Mailbox -Identity "Hany Donia" -SearchQuery "sent:1/12/2012" -DeleteContent –Force

Search a specific mailbox and delete all emails send in a specific date range

Search-Mailbox -Identity "Hany Donia" -SearchQuery "sent:1/1/2012..1/15/2013" -DeleteContent –Force

Search a specific mailbox and delete all emails sent from a specific address and within a specific date range

Search-Mailbox -Identity "Hany Donia" -SearchQuery '(from:spam@spamorg.com) AND (sent:1/1/2008..11/22/2012)' -DeleteContent –Force

Search all mailboxes in an organization and delete all emails sent from a specific address and within a specific date range

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery '(from:spam@spamorg.com) AND (sent:1/1/2008..11/22/2012)' -DeleteContent –Force


LORGs expected issue:

For large organizations you will receive the below error when you try to run the Search-Mailbox for all mailboxes in your organization.

(Sending data to a remote command failed with the following error message: The total data received from the remote client exceeded allowed maximum. Allowed maximum is 524288000. For more information, see the bout_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OperationStopped: (System.Manageme...pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRemotingTransportException
    + FullyQualifiedErrorId : JobFailure
Invoke-Command : Cannot write input as there are no more running pipelines At C:\Users\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\.psm1:43187 char:29 +             $scriptCmd = { & <<<<  $script:InvokeCommand `     + CategoryInfo          : InvalidOperation: (:) [Invoke-Command], PSInvalidOperationException     + FullyQualifiedErrorId : NoMoreInputWrite,Microsoft.PowerShell.Commands.InvokeCommandCommand)

This is not an issue of the Search-Mailbox command but a pipe-lining limitation for performance concerns,

You can work around this by one of two ways:
  • Limit your Get-Mailbox command for instance by specifying a specific database –Database such as

Get-Mailbox –Database  databasename | Search-Mailbox -SearchQuery '(from:spam@spamorg.com) AND (sent:1/1/2008..11/22/2012)' -DeleteContent –Force
  •  Create a loop such as 
$allmbxinyourorg = Get-Mailbox -ResultSize unlimited
Foreach ($mbx in $allmbxinyourorg) {
    Search-Mailbox -identity $mbx -SearchQuery '(from:spam@spamorg.com) AND (sent:1/1/2008..11/22/2012)' -DeleteContent –Force
}


Recommendations:

  • Test your command in a test environment before applying it into production to make sure it is only doing what it is supposed to and not more,
  • Run your command against your own mailbox first and count items before and after to make sure it is working fine
  • Use the -EstimateResultOnly to get information about the items you are about to delete when you execute your command such as
Search-Mailbox -Identity "Hany Donia" -SearchQuery "sent:1/12/2012" -EstimateResultOnly

Real world results:

Searching around 30,000 Mailbox for email from a specific sender and within a specific date range: 
  • It took around 56 hours to complete,
  • It deleted around 17 million items
  • It saved around 8 TB


Resources:


see you soon, Hany Donia

1 comments:

Anonymous said...

Thank you. I have the same situation. I got an error message
"Sending data to a remote command failed with the following error message: The total data received from the remote client exceeded allowed maximum. Allowed max
mum is 524288000. For more information, see the about_Remote_Troubleshooting Help topic."
when I tried to run a search mailbox. With the foreach loop everything worked. (we have more than 15000 mailboxes...)
1) $mbx= Get-Mailbox * -ResultSize unlimited
2) foreach ($elem in $mbx) {Search-Mailbox -SearchQuery {Subject:'say yes to uber' AND (Received -gt '2016.02.10')} -DeleteContent -Confirm:$false –Force }