Using groups with searches
It might seem convenient to base the target set for a search
on a distribution group or even a dynamic group, and, indeed, EAC
enables you to enter the name of a group when configuring the mailboxes
for a hold as part of the list covered by a search. However, when you
save the details of the hold, Exchange detects that a group is involved
and flags a warning similar to that shown in Figure 18.
A hold is an individual setting for a mailbox. Although Active
Directory provides backlinks to enable Exchange to associate the
membership of a normal group with its underlying mailboxes, Exchange
does not use these backlinks to point to mailboxes for search purposes.
In any case, backlinks are not available for dynamic groups, whose
membership is usually only expanded when needed by the transport system
to determine the best routing arrangement for a message. If you want to
apply a hold to a group, the only way Exchange can do this is to expand
the membership of the group into the individual mailboxes and apply the
hold in that manner. Any external entries that are part of the group
(for example, a mail-enabled user belonging to another organization)
are ignored. The rationale here is that you implement the hold against
the membership of a group at a specific point in time when those users
are considered pertinent to an investigation. Users who subsequently
join the group might have nothing whatsoever to do with the issue at
hand.
Expanding a group’s membership makes it possible for Exchange to apply the hold.
To do this, the set of mailboxes addressed by the dynamic group is
populated into the search properties, and a link is created to the
search in the mailbox properties. The mailbox names are added to the
SourceMailboxes property of the search metadata, and the GUIDs that
point to each mailbox are added to the Sources property.
However, it is critical to remember that the hold is only applied to the
mailboxes that constitute the group’s membership at the point in time
when you save the search. Exchange does not include a mechanism to
detect when a mailbox is added to or removed from a group so that it
can add or remove the hold. This responsibility therefore remains
totally in the hands of the administrator or other person who oversees
the hold. Ideally, she should check the hold on a regular basis to see
whether it is effective and doing what it is supposed to do, including
validating that the correct set of mailboxes is under the control of
the hold.
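One way to carry out that periodic check from EMS is shown below. It is an added example, not code from the original text: it compares a group's current membership with the mailboxes that actually carry the search's hold. The function name Get-HoldMembershipDrift is hypothetical, and the example assumes that the hold's InPlaceHoldIdentity value is what appears in each held mailbox's InPlaceHolds property (the link in the mailbox properties described above).

```powershell
# Added example for the Exchange Management Shell (EMS); not from the original text.
function Get-HoldMembershipDrift {
    param(
        [Parameter(Mandatory = $true)] [string] $SearchName,
        [Parameter(Mandatory = $true)] [string] $GroupName
    )

    # The hold identity is the value stamped into each held mailbox's InPlaceHolds.
    $search = Get-MailboxSearch -Identity $SearchName -ErrorAction Stop
    if (-not $search.InPlaceHoldEnabled) { throw "Search '$SearchName' has no in-place hold." }
    $holdId = $search.InPlaceHoldIdentity

    # Expand the group as it stands now. A dynamic group stores no membership,
    # so its recipient filter is previewed instead.
    $dynamic = Get-DynamicDistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
    if ($dynamic) {
        $members = Get-Recipient -RecipientPreviewFilter $dynamic.RecipientFilter `
            -OrganizationalUnit $dynamic.RecipientContainer -ResultSize Unlimited
    }
    else {
        # Nested groups are not expanded here; group members are filtered out below.
        $members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited -ErrorAction Stop
    }

    # Only mailboxes can carry a hold; contacts and mail users are skipped.
    $expected = @($members | Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object { $_.DistinguishedName })

    # Mailboxes that currently hold a link back to this search.
    $held = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.InPlaceHolds -contains $holdId } |
        ForEach-Object { $_.DistinguishedName })

    foreach ($dn in $expected) {
        if ($held -notcontains $dn) {
            [pscustomobject]@{ Mailbox = $dn; Status = 'In group, not on hold' }
        }
    }
    foreach ($dn in $held) {
        if ($expected -notcontains $dn) {
            [pscustomobject]@{ Mailbox = $dn; Status = 'On hold, not in group' }
        }
    }
}

# The search and group names are the ones used in this section's own commands.
Get-HoldMembershipDrift -SearchName 'Put All Contoso Mailboxes on Hold' -GroupName 'All Contoso Mailboxes' |
    Sort-Object Status, Mailbox | Format-Table -AutoSize
```

An empty result means the hold still matches the group. A mailbox reported as 'On hold, not in group' is not necessarily an error, because the hold is meant to reflect membership at the time the search was saved.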
Although groups have limitations when you create a
search, they also have their advantages. From the earlier description
of creating a new search, you know that:
You cannot incorporate a hold for mailboxes covered by a search if the All Mailboxes option is selected.
The EAC user interface (UI) is acceptable when adding 10 or 20 mailboxes to
a search; it is less satisfactory if hundreds or more mailboxes have to
be added. Remember that some throttling settings that govern the use of
system resources during searches might have to be adjusted if you want
to conduct searches for large numbers of mailboxes.
You can work around the first restriction if you create a group containing
all the mailboxes in an organization and add it to a search. You can
work around the second by creating a group containing all the target
mailboxes first and then adding the group to the search. In both cases,
the relevant group can be easily created by using simple Windows
PowerShell commands: Get-Mailbox to retrieve the mailbox information,
New-DistributionGroup to create the group, and
Add-DistributionGroupMember to populate the group.
Another way of solving the problem is to use EAC to create a new dynamic
distribution group and select Users With Mailboxes as the basis on
which to create the group. You can then use this group to add mailboxes
to the search. Alternatively, you can create a dynamic group that
includes all user mailboxes with a command like this:
New-DynamicDistributionGroup -Name 'All Contoso Mailboxes' -RecipientFilter "((RecipientTypeDetails -eq 'UserMailbox'))" -RecipientContainer 'Contoso.com' -Alias 'ContosoMbx'
In either case, it is wise to validate the set of mailboxes after EAC
expands them and adds them to the search to ensure that you’re not
going to search mailboxes that are unnecessary and unwanted. Adding
many mailboxes to a search using a group will probably also run into
throttling problems, so you must adjust the throttling policy for users
that run searches if you plan to add more than 50 mailboxes to searches
using groups.
To remove a search, select it in EAC and click the wastebasket
icon or run the Remove-MailboxSearch cmdlet in EMS. However, before you
remove a search that includes an in-place hold, you have to edit its
properties to remove any of the mailboxes that are covered by the
search and then save the updated search. This enables Exchange to
remove the links to the search that are held in mailbox properties. If
you don’t remove the mailboxes, you’ll see an error similar to that
shown in Figure 19.
Removing a lot of mailboxes from a search through EAC can take some time. It’s
much easier to run the following commands to remove the mailboxes and
then delete the search with EMS:
Set-MailboxSearch -Identity 'Put All Contoso Mailboxes on Hold' -SourceMailboxes $Null
Remove-MailboxSearch -Identity 'Put All Contoso Mailboxes on Hold' -Confirm:$False
Removing a search does not delete any content previously recovered by executing
the search that might remain in a discovery mailbox. This data has to
be removed separately, preferably under the direction of the legal
department in a way that respects user confidentiality.