An important part of being able to achieve a compliance strategy is
the ability to preserve information. Retention policies help somewhat
because they can automatically move information into archive mailboxes.
However, they also remove information through tags that require items
to be moved into the Recoverable Items folder or permanently deleted.
Items held in the Recoverable Items folder will eventually be removed
from the database and permanently deleted.
Some method is therefore required to limit the work of the Managed
Folder Assistant (MFA) as it attempts to keep user mailboxes under
control. The mechanism available in Exchange is called holding;
any MFA processing that might delete an item is restricted, and
(sometimes more importantly) users are also prevented from interfering
with items.
Exchange 2010 introduced two kinds of holds. A
retention hold has nothing to do with the preservation of information
except insofar as it is used when an administrator wants to make sure
that items are not removed from a mailbox for a temporary period,
usually a number of weeks. The classic example of when a retention hold
is used is when a user is on vacation for an extended time, and you
don’t want the user to come back to find his mailbox emptied because
the MFA has removed many items in his absence. Usually, people get a
chance to rescue items (if they remember) after the MFA has cleaned up
their mailbox by using Recover Deleted Items, but if someone is on
vacation and probably not thinking about email, he won’t be interested
in checking his mailbox. Furthermore, if the vacation lasts longer than
the deleted items retention period set on the mailbox database (the
default is 60 days), items will be permanently deleted while the user
is still away. A retention hold solves the problem by instructing the
MFA to ignore any delete processing for a specified period. In this
case, you might set the retention hold for 65 days to allow the user a
few days following his vacation to check the mailbox. Another common
example of when a hold might be used is described in http://technet.microsoft.com/en-us/library/dd297955.aspx.
It occurs when a company is starting to use retention policies and
wants to take a cautious approach. By implementing a retention hold on
the mailboxes covered by retention policies, it ensures that any items
the MFA deletes are retained and can be recovered. When users have
become accustomed to the type of automatic mailbox housekeeping enabled
through retention policies, the retention holds can be released from
mailboxes, and the retained items will be removed.
The second kind of hold used in Exchange 2010 is a litigation hold (sometimes called a legal hold).
You can make the case that a legal hold is similar to a retention hold in
some respects in that the MFA is prevented from removing items from a
mailbox. However, the concept behind a legal hold is very different
because the focus is entirely on the need to preserve information for
what could be an extended period (months or even years). Instead of
simply making sure that the MFA doesn’t remove something important
while a user is on vacation, a legal hold ensures that any deletes or
edits that occur within the mailbox are preserved while the hold is in
effect. This is done to ensure that all possible information that might
be required to satisfy a legal discovery action is preserved and
remains discoverable, even if a user—by error or deliberately—attempts
to remove that information.
When a legal hold is in force, the Store tracks any attempt that the user
might make to edit or otherwise alter items in the mailbox and will
capture versions silently in such a way that the edits are retained,
indexed, and remain available to investigators if an eDiscovery search
is performed. These edits are retained in a special location within the
Recoverable Items folder. Unless they are informed, users are unaware
that items are being preserved.
Placing a mailbox on retention
hold can be regarded as a commonplace activity. Wise administrators
take advice and guidance from the company’s legal department before
they place a mailbox on litigation hold to ensure that the action
complies with any legal requirements that are in force and does not
compromise any document retention policies that are in effect. There’s
no point in enabling a feature that collects unneeded or unwanted data.
The older forms of hold are there for
backward compatibility with Exchange 2010 servers and because they do
provide a specific kind of hold that might be useful in some
circumstances. However, the general advice is that you should use
in-place hold whenever possible because that is where the focus and
development effort is now concentrated.
Putting a mailbox on retention hold
You cannot set retention hold through EAC. To put a mailbox on
retention hold, you need to run the Set-Mailbox cmdlet through EMS. For
example:
Set-Mailbox -Identity 'Tony Redmond' -RetentionHoldEnabled $True `
  -StartDateForRetentionHold "10/10/2013" -EndDateForRetentionHold "11/11/2013" `
  -RetentionComment "Mailbox placed on retention hold by A.N. Administrator following instruction by Legal Department"
This command puts the nominated mailbox on retention hold from 10 October
2013 through 11 November 2013. If you want to be more specific, you can
include hours and minutes along with the date and provide a value such
as 10/10/2013 09:00 to start the hold at 9 A.M. on 10 October 2013. If
you don’t provide start and end date values for the retention hold, the
mailbox is placed on an indefinite hold starting immediately. The
retention comment is intended for two purposes: so the administrator
can enter a note about why the mailbox was placed on retention hold and
to provide the mailbox owner with a notification that the hold is in
effect. The text entered for the comment is shown to the user in the
backstage area of Outlook 2010 and Outlook 2013, so you should keep
this in mind when you compose the comment. The text becomes available
to the user after the next time the MFA processes the mailbox.
Another point to remember when you put a mailbox on retention hold is that
extra quota is consumed to hold items that would otherwise be removed
by the MFA. Given the size of mailbox quotas allocated today, this
might not be an issue in your deployment, but it’s wise to check
whether a user is close to her quota before you enable the hold and to
adjust quotas if necessary.
To remove the retention hold, you run Set-Mailbox again to set the hold parameter to $False. For example:
Set-Mailbox -Identity 'Tony Redmond' -RetentionHoldEnabled $False -RetentionComment $Null
Putting a mailbox on litigation hold
When you place a mailbox on litigation hold, Exchange stops
removing items from the database when their deleted items retention
period expires, and any attempts by the user to delete or change items
are retained in the Recoverable Items folder. Items are retained
indefinitely until the litigation hold is released, subject to the
recoverable items quota not being exceeded. Because items are retained,
they remain available to be indexed and can be retrieved by searches.
You set litigation hold on a mailbox with EAC by editing the mailbox
properties, where the option is available in the Mailbox Features
section (Figure 1).
When you save the new setting, EAC warns you that litigation hold has
been replaced by in-place hold. When saved, the new settings become
active as soon as the notice that litigation hold has been enabled on
the mailbox has replicated throughout the organization.
Alternatively, you can put a mailbox on litigation hold using the Set-Mailbox cmdlet. For example:
Set-Mailbox -Identity 'Ruth, Andy (VP Sales)' -LitigationHoldEnabled $True `
  -RetentionComment 'Mailbox placed on litigation hold on 16 May 2013' `
  -RetentionURL 'http://intranet.contoso.com/LegalHold.html' `
  -LitigationHoldDate '12/25/2012 09:00' -LitigationHoldOwner 'Legal Department'
EMS issues the same warning and advises that you should use an in-place
hold if possible. After running the command, you can examine the
updated settings with:
Get-Mailbox -Identity 'Ruth, Andy (VP Sales)' | Format-List Retention*, Litigation*
The RetentionComment and RetentionURL properties are used to populate the
Account Settings section of the Outlook backstage area and inform users
that their mailbox has been placed on hold. The –LitigationHoldDate and
–LitigationHoldOwner parameters hold the date and time when the hold
was enforced and the account that enforced the hold. Exchange completes
these details automatically with the current date and time and the
primary email address of the user who runs the command to place a
mailbox on litigation hold using EAC or EMS.
Releasing the mailbox from litigation hold is done by reversing the process:
Set-Mailbox -Identity 'Akers, Kim' -LitigationHoldEnabled $False -RetentionComment $Null
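A read-only report, added here as an example and not taken from the original text, for the two quota caveats above: a retention hold consumes ordinary mailbox quota, and a litigation hold retains items only while the recoverable items quota is not exceeded. The function names and the 80 percent threshold are assumptions made for illustration.

```powershell
# Added example, not from the original text. Run in the Exchange Management Shell.
function ConvertTo-Bytes {
    param([object]$Size)
    # Sizes render as "1.5 GB (1,610,612,736 bytes)"; "Unlimited" or empty gives $null.
    if ("$Size" -match '\(([^)]*) bytes\)') { [int64]($Matches[1] -replace '\D', '') }
}

function Get-PercentUsed {
    param([object]$Used, [object]$Quota)
    $u = ConvertTo-Bytes $Used
    $q = ConvertTo-Bytes $Quota
    if ($null -ne $u -and $q) { [math]::Round(100 * $u / $q, 1) }
}

function Get-HoldQuotaReport {
    param([double]$WarnPercent = 80)   # assumed alert threshold
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetentionHoldEnabled -or $_.LitigationHoldEnabled } |
        ForEach-Object {
            $mbx   = $_
            $stats = Get-MailboxStatistics -Identity $mbx.DistinguishedName
            # Quotas come from the database unless the mailbox overrides them.
            $quota = if ($mbx.UseDatabaseQuotaDefaults) {
                Get-MailboxDatabase -Identity "$($mbx.Database)"
            } else { $mbx }
            # Retention hold keeps items in the mailbox; litigation hold fills Recoverable Items.
            $mailboxPct     = Get-PercentUsed $stats.TotalItemSize $quota.ProhibitSendQuota
            $recoverablePct = Get-PercentUsed $stats.TotalDeletedItemSize $quota.RecoverableItemsQuota
            [pscustomobject]@{
                Mailbox        = $mbx.DisplayName
                RetentionHold  = $mbx.RetentionHoldEnabled
                LitigationHold = $mbx.LitigationHoldEnabled
                HoldOwner      = $mbx.LitigationHoldOwner
                MailboxPct     = $mailboxPct
                RecoverablePct = $recoverablePct
                NearLimit      = ($mailboxPct -ge $WarnPercent) -or ($recoverablePct -ge $WarnPercent)
            }
        }
}

Get-HoldQuotaReport | Sort-Object RecoverablePct -Descending | Format-Table -AutoSize
```

A blank percentage means the quota is unlimited or the mailbox has no statistics yet because it has never been logged on to.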
When a mailbox that is on retention or litigation hold is moved from an
Exchange 2010 server to Exchange 2013, the hold remains in place. The
same happens when a mailbox moves in the reverse direction. Setting any
hold on a mailbox—retention or litigation—could take up to 60 minutes
to become effective because the hold is respected after Exchange
refreshes the cache it uses to hold Active Directory account
information. The exact delay depends on your Active Directory
infrastructure and how quickly updated mailbox settings are replicated.
Two influences are in play. First, Active Directory must replicate the
updated settings to all global catalog servers before you can be
assured that the hold applies across the forest. Second, the Store
caches Active Directory data about mailbox properties for performance
reasons and therefore will not know that a hold setting has changed for
the mailbox until its next cache refresh, when it fetches the updated
hold setting from Active Directory and the hold becomes effective. The complete
cycle of Active Directory replication and Store cache refreshes could
take up to an hour. Therefore, it is a good idea to implement holds, if
possible, at a time when users are not actively using their mailboxes.
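The first of the two delays can be checked directly. The following added example (not from the original text) reads the hold flag from each global catalog in turn so that a replica that has not yet received the change is visible. The function name is an assumption, and the check assumes the global catalogs belong to the domain that holds the mailbox.

```powershell
# Added example, not from the original text. Run in the Exchange Management Shell.
function Test-HoldReplication {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [ValidateSet('LitigationHoldEnabled', 'RetentionHoldEnabled')]
        [string]$Property = 'LitigationHoldEnabled',
        [bool]$Expected = $true
    )
    # Ask every global catalog for its own copy of the mailbox settings.
    foreach ($gc in Get-DomainController -GlobalCatalog) {
        try {
            $mbx   = Get-Mailbox -Identity $Identity -DomainController $gc.DnsHostName -ErrorAction Stop
            $value = $mbx.$Property
        } catch {
            # An unreachable or out-of-scope server is reported, not treated as in sync.
            $value = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            GlobalCatalog = $gc.DnsHostName
            Property      = $Property
            Value         = $value
            InSync        = ($value -is [bool]) -and ($value -eq $Expected)
        }
    }
}

# Constructed usage: confirm the litigation hold set earlier has reached every global catalog.
$report = Test-HoldReplication -Identity 'Ruth, Andy (VP Sales)'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.InSync }) {
    Write-Warning 'Hold setting has not yet replicated to every global catalog.'
}
```

A clean result covers Active Directory replication only; the Store cache refresh described above still has to happen before the hold is enforced.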