Search for and delete email from one, many, or all mailboxes on Exchange 2010 SP1

      I recently had a situation needing me to remove a large email sent to all personnel. After spending some time online trying different commands and solutions, I finally put enough together to get it working. While there is a lot of documentation on how to perform this task, they either didn’t work for me or didn’t have all the information needed to make it work. As such, I’ve decided to put this together to show what worked for me and maybe save you some time.

     The first task is assigning permissions. If you try running the commands without first assigning permissions to your user you will see an error that the command or switch is not recognized. If you see an error of this nature double check your permissions. Permissions can be assigned to a specific user or to an existing exchange group.

Assign the following permissions to user or group:

new-managementroleassignment -role "support diagnostics" -user myuser

new-managementroleassignment -role "mailbox import export" -user myuser

You can view who has permissions to the desired roles with the commands below.

View user permissions:

get-managementroleassignment -role "support diagnostics" | ft identity  

get-managementroleassignment -role "mailbox import export" | ft identity

     Now you’re ready to start searching  for email and deleting the messages. If you happen to have a user with an email they can’t delete you can use this method to remove it for them. The following command will allow you to remove a message from a single users mailbox.

Search user mailbox for content matching abcd1234 and delete message:*See AQS link below for additional search criteria

search-mailbox -identity someuser -searchquery abcd1234 -deletecontent

     Let’s step things up a notch.  With the next command you can search every mailbox in a specified database. Change the switch to –server and you can search every box on a server. The command below searches every mailbox in the userdb database. The –resultsize unlimited allows it to search over 1000 mailboxes, without this command it will stop searching after reaching a 1000. You can use several critiria in the –searchquery switch and you can use the “AND” connector to search on multiple criteria. Review the link for AQS to see more. This command would be what you want to run first to view a log of the results. It will put a CSV attachment in the mailbox and folder specified with the details of every email it matches against. Verify the results shown here match the emails you want to remove.

Search all mailboxes in database and log results:

get-mailbox -database userdb -resultsize unlimited | search-mailbox -searchquery "from:someuser@domain.com AND Subject:`Find This Email'" -targetmailbox myuser -targetfolder resultsfolder -LogOnly -Loglevel Full

     Once you have ran the previous command and verified the desired results, you are ready to delete the emails from your search. The command below is the same as above except instead of logging the messages this time it will delete them.

Search all mailboxes in database and delete found messages:

get-mailbox -database usersdb -resultsize unlimited | search-mailbox -searchquery "from:someuser@domain.com AND Subject:`Find This Email'" -deletecontent

Additional information about the commands used above can be seen on the links below:

Get-Mailbox

Search-Mailbox

Advanced Query Search

Permissions

New-ManagementRoleAssignment