Creating a new search
Assuming that you know what information needs to be retained and the keywords or other identifying phrases that can be used to locate matching data in user mailboxes, you can create a new search. From the In-Place eDiscovery And Hold section of EAC (shown in Figure 3), click New (+) to begin defining the search over four screens:

1. Give the search a name and provide some information about why the search is necessary and what it hopes to find (Figure 4). Although Exchange won’t care what name you give (such as the “Great XYZ search for all things”), it’s better to use a name that makes sense to anyone involved in the search, administrators and legal staff alike. Ideally, the descriptive text entered for a search should let anyone who accesses the search understand its purpose. It’s a good idea to include information such as who initiated and authorized the search, the expected duration of the search period, and other pertinent details.
2. Define the mailboxes the search covers. You can select All Mailboxes or specify a list of mailboxes, including groups. It’s always better to restrict the number of mailboxes as much as possible to help Exchange execute the search and retrieve search results. Usually, the number of mailboxes covered by a search is dictated by the legal team to meet the demands of a discovery action, and the preference of system administrators to restrict the number of mailboxes might be ignored. As shown on the screen on the left in Figure 5, adding hundreds or thousands of mailboxes through this screen would be time consuming, so it’s a good idea to use groups whenever possible. If you select All Mailboxes for a search, you cannot specify that an in-place hold should occur because this action could cause a huge amount of information to be retained in a large Exchange organization.
3. Specify the search query that locates matching items in user mailboxes. In the screen on the right in Figure 5, you can elect to search for all content or filter based on a query ranging from very simple (as in this case) to quite complex, depending on the needs of the search. In addition to the basic query, you can refine it by specifying:
   - Start date and end date.
   - The email addresses of users who sent messages.
   - The addresses of people who were TO or CC recipients for messages.
   - The exact types of items stored in mailboxes that are of interest to the search. For instance, you might only want to search for content held in documents stored in mailboxes, such as attachments sent around with messages.
4. The last stage is to decide whether to include an in-place hold for the search. This requires an enterprise CAL for every mailbox covered by the hold. Everything else to do with the search up to this point is covered by the standard CAL. When you set an in-place hold (Figure 6), Exchange monitors items in user mailboxes covered by the search for items that match the query and takes steps to ensure that no matching items are removed from the mailbox. This can be done indefinitely or for a specified period. In this case, you want items to be retained for approximately six years, or 2,192 days.
When you’ve completed all the screens, click Finish to have EAC save the new search. During the save process, EAC validates that the query you entered on the third screen is valid. It’s easy to enter search terms using incorrect syntax until you become accustomed to KQL (Keyword Query Language) syntax; when you use incorrect syntax, you see the error shown in Figure 7. If this happens, close the error screen, go back to the screen where you entered the query, and adjust its syntax. Eventually, perhaps after some additional trial and error, EAC can save the search and perform an initial estimate of the items that can be uncovered when the search is executed.
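The same four screens map onto a single New-MailboxSearch command in the Exchange Management Shell. The following is an added example, not code from the book: the search name, description, distribution group, addresses and dates are constructed placeholders, and the query is a made-up KQL expression. Because the search is created with -EstimateOnly, running it produces the same kind of item count and size estimate that EAC performs after Finish, without copying any results.

```powershell
# Added example: Exchange Management Shell equivalent of the four EAC screens.
# All names, addresses and dates below are constructed placeholders.

# Screen 1: a name and description that make sense to admins and legal staff alike.
$searchName  = "Project XYZ discovery - Legal request 2014-03"
$description = "Initiated by Legal on 2014-03-01; authorized by General Counsel; " +
               "hold expected to last approximately six years."

# Screen 2: scope the search with a distribution group rather than hundreds of
# individual mailboxes. (-AllSourceMailboxes cannot be combined with a hold.)
$sourceGroup = "DG-ProjectXYZ"          # assumed distribution group name

# Screen 3: a KQL query plus the refinements the wizard offers
# (date range, senders, recipients, item types). Email and Docs restrict the
# search to messages and documents/attachments.
$query = 'subject:"Project XYZ" OR attachment:xyz*'

New-MailboxSearch -Name $searchName `
    -Description $description `
    -SourceMailboxes $sourceGroup `
    -SearchQuery $query `
    -StartDate (Get-Date "2012-01-01") `
    -EndDate   (Get-Date "2014-03-01") `
    -Senders   "cfo@contoso.example" `
    -Recipients "legal@contoso.example" `
    -MessageTypes Email,Docs `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 2192 `
    -EstimateOnly

# Screen 4 is covered by -InPlaceHoldEnabled and -ItemHoldPeriod above:
# matching items are retained for 2,192 days (roughly six years), the value
# used in the book's example; -ItemHoldPeriod Unlimited would hold them indefinitely.

# Run the estimate and read back the numbers EAC shows after the search is saved.
Start-MailboxSearch -Identity $searchName
Get-MailboxSearch -Identity $searchName |
    Format-List Name, Status, ResultNumberEstimate, ResultSizeEstimate,
                InPlaceHoldEnabled, ItemHoldPeriod
```

If the KQL in $query is malformed, New-MailboxSearch rejects it at creation time, which is the shell's counterpart to the validation error EAC displays (Figure 7); correct the query string and run the command again.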