Using Search-Mailbox to look for items with a specific date

Exchange, Exchange 2010, Exchange 2013

Using Search-Mailbox to look for items with a specific date

Published by

Tony Redmond

October 17, 2014

A question from a reader is often a good start to a useful discussion or to probe into a topic. Tim Read contacted me to discuss some problems he had with using the Search-Mailbox cmdlet (available in cloud and on-premises versions of Exchange). In this case, he was using Exchange 2013 CU5 and wanted to be able to search mailboxes for items that matched specific values for the sender, date, and subject attributes.

Apparently it was easy enough to run a search that found items that matched a combination of sender and subject but things got a little tricky when a date was thrown into the mix and not much joy was extracted from examples found on various sites.

Parser errors were reported when a date was specified, which indicated that the date was in a format unacceptable to Search-Mailbox. Some confusion arose on this point as it is natural to assume that search criteria have to be stated in KQL syntax because this is what is used by the Search Foundation, which provides the indexes that Exchange interrogates to perform mailbox searches.

However, the Search Foundation was only introduced in Exchange 2013 and code written for Exchange 2010 has to continue working on Exchange 2013 or in Office 365. The cmdlet therefore masks the change that occurred in the underlying search engines. Dates should be formatted like any other date consumed by Exchange according to the locale installed on the server. So 1 October 2014 is “1/10/1014” in Ireland or the U.K. or “10/1/2014” in the U.S. Alternatively, you can pass a date like “14-Oct-2014” in either locale.

Now that we understand how to format dates, we can construct a Search-Mailbox command to do the work. This example creates a collection of mailbox objects from a database and searches them for items sent by a user called “Ben Andrews” (the SMTP email address for the user can also be used) on 13-Oct-2014 with “Interesting” in the message subject. Items in the Recoverable Items folder structure are included in the search.

Get-Mailbox –Database VIP –ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder “Search Results” -SearchQuery {Subject:"Interesting" AND From:"Ben Andrews" AND Sent:"10/13/2014"} -LogOnly -LogLevel Full –SearchDumpster

This command will create a log of the discovered items in the target folder in the target mailbox. No items are copied unless the –LogOnly switch is removed. If the command is then rerun, Exchange creates a folder named after the searched mailbox and date and time in the target folder and copies the discovered items there, placing them in sub-folders corresponding to the folders in the source mailbox.

Search-Mailbox is often to remove unwanted items that arrive into user mailboxes. This is done by adding the –DeleteContent switch to a command. Clearly you should not rush into removing content from mailboxes until you are absolutely sure that your command targets the correct items, which is one good reason to run a command with the –LogOnly switch before proceeding to delete anything.

Exchange protects administrators against themselves by requiring those who want to delete content to possess the special “Mailbox Import Export” Role-Based Access Control (RBAC) role. As the role name implies, it is designed to allow administrative access to user mailbox data to import data from PSTs or export items to PSTs. In this instance, it’s used because deleting content is obviously something that should be controlled.

If your account does not hold the role, you won’t see the –DeleteContent switch or be able to use it with the Search-Mailbox cmdlet. You can either create a new RBAC role group containing the role and assign it to the appropriate users or add the role to an existing role group, which means that any user that is already part of the group will be able to use the switch. For instance, here’s how to add the role to the Organization Management role group, which is what I did for my Office 365 tenant.
New-ManagementRoleAssignment -Name "Import Export_Organization Management" -SecurityGroup "Organization Management" -Role "Mailbox Import Export"
You have to create a new EMS session to pick up the RBAC amendments because RBAC only evaluates a user’s permissions when EMS initializes. Once EMS is ready, I can run a command like this to remove the offending content.
Get-Mailbox –Database VIP –ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder “Search Results” -SearchQuery {Subject:"Interesting" AND From:"Ben Andrews" AND Sent:"10/13/2014"} -DeleteContent -LogLevel Full –SearchDumpster

So there you are… A reader query that led to some interesting consideration of a very useful command and its various switches. Hopefully this will help others who struggle with similar challenges.

Follow Tony @12Knocksinna

60 responses to “Using Search-Mailbox to look for items with a specific date”

Weekly IT Newsletter – October 13-17, 2014 | Just a Lync Guy

October 18, 2014

[…] Using Search-Mailbox to look for items with a specific date – 17-Oct-2014 […]

Reply
NeWay Technologies – Weekly Newsletter #117 – October 16, 2014 | NeWay

October 18, 2014

[…] Using Search-Mailbox to look for items with a specific date – 17-Oct-2014 […]

Reply
NeWay Technologies – Weekly Newsletter #117 – October 17, 2014 | NeWay

October 18, 2014

[…] Using Search-Mailbox to look for items with a specific date – 17-Oct-2014 […]

Reply
Rich

October 28, 2014

How can you use a variable for say the subject? I’ve tried every which way but cannot get it to work when I insert a variable. It just returns nothing.
$subject =”interesting”
Get-Mailbox –Database VIP –ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder “Search Results” -SearchQuery {Subject:”‘$subject’” AND From:”Ben Andrews” AND Sent:”10/13/2014″} -DeleteContent -LogLevel Full –SearchDumpster
.
running it without the variable returns the correct results, running it with the variable returns 0 results

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  October 28, 2014
  
  I was able to run a search using a variable with:
  
  Search-Mailbox -Id MailboxToSearch -TargetMailbox AdminSearchMailbox -TargetFolder “Search Results” -SearchQuery {Subject:$Subject -AND …}
  
  Putting the variable inside quotes stopped PowerShell resolving its value.
  
  Reply
  1. Tom
    
    December 17, 2015
    
    Saved the day, thanks!
2. Dilip
  
  February 11, 2019
  
  hi Rich,
  
  I have the same issue for $subject variable inside searchquery. Tried all permutations and combinations with single quotes, double quotes, braces etc. No luck. Did you find a solution?
  foreach ( $line in $info ) {
  Search-mailbox -id $line.RecipientAddress -SearchQuery { “Subject:$($line.Subject)” } -TargetFolder Purge -TargetMailbox **** -LogLevel Full
  }
  
  Reply
  1. Tony Redmond (“Thoughts of an Idle Mind”)
    
    February 11, 2019
    
    Try using Invoke-Command. This code worked for me:
    
    $Users = import-csv “C:\temp\people.csv”
    ForEach ($i in $Users) {
    $Search = “Subject: ” + $i.Subject
    $Command = { Search-Mailbox -Identity $i.Name -SearchQuery $Search -TargetFolder Search -TargetMailbox CServices -LogLevel Full }
    Invoke-Command -ScriptBlock $Command }
DamianD

November 27, 2014

You should really try out Lookeen (www.lookeen.com). It is a great search outlook plugin that finds everything from text passages to dates or attachments in no time. Really handy tool. There is a 14 day full version trial so just try it out.

Disclaimer: I work for the developer of Lookeen

Reply
1. Shah
  
  April 5, 2016
  
  Lookeen is more for Outlook Mail Search. Can it sear Exchange MB Databases?
  
  Reply
  1. Tony Redmond (“Thoughts of an Idle Mind”)
    
    April 5, 2016
    
    Lookeen depends on client-side indexes. If Outlook has fetched copies of items from Exchange mailboxes, they are included in the Lookeen indexes.
2. MR ARTWELL MATIZA
  
  April 29, 2023
  
  Hi Tony
  Thank you for this. Am trying to do a search for emails with 5 search terms either in the body or subject field sent between a combination of 6 users over a period of 6 months. The search result need to be a pst file. Can you please assist me with the script to use? Our environment is hybrid and we use an on prem exchange server.
  
  Reply
Steven Saporito

January 7, 2015

Tony,

Thanks for the article. Was just wondering if there’s an AQS keyword for the folder? And if so a syntax example would be killer. I’d like to use New-MailboxSearch to get estimates of items in specific folders (particularly Inbox & Sent Items) within given date ranges. Unfortunately there doesn’t seem to be an include/exclude folder parameter as there is with New-MailboxExportRequest.

Any information you can provide would be very appreciated. Thanks.

Steven

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  January 7, 2015
  
  Unfortunately Exchange doesn’t seem to support the folder, foldername, or in keywords specified at http://msdn.microsoft.com/en-us/library/aa965711(v=vs.85).aspx. That’s rather unfortunate.
  
  Reply
Sonny Sonikar

January 15, 2015

Great Article, had to use it today, works, but the date field cannot be in Quotes. You need to have Sent:01/15/2015 (Or Received:01/15/2015).

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  January 15, 2015
  
  The date field can be in quotes. I just tested it again using Exchange Online and the date element of the search worked perfectly. Perhaps it’s the version that you used. Who knows!
  
  Reply
2. Roni
  
  April 3, 2015
  
  I confirm that the date field in quotes won’t work in Exchange 2010, removing “” will do the trick.
  
  Reply
  1. Mack Hennson Altman III
    
    August 27, 2015
    
    In case others run across this post, I think it’s worth noting Exchange Online/2013 KQL instead of AQS. I am not sure if it would be the case or not, but this may be the issue. Also, I know that PowerShell 4.0 has several difference from previous versions as well.
  2. Tony Redmond (“Thoughts of an Idle Mind”)
    
    August 28, 2015
    
    Yep, Exchange 2013, SharePoint, Exchange Online, and the Compliance Center all use KQL. That’s why the query contained in the example is in KQL syntax. The older AQS syntax should be used for Exchange 2010. See https://msdn.microsoft.com/en-us/library/aa965711(v=vs.85).aspx
Using PowerShell to Remove Specific Emails | Exchange Source Book

February 2, 2015

[…] Of course, your search parameters aren’t limited to subject line alone but can include date, keywords within a message, target folder and more. […]

Reply
notesbytom

February 12, 2015

Reblogged this on Notes by Tom and commented:
I don’t usually Reblog posts, but I found this Search-Mailbox article from Tony Redmond and it’s better than what I would write myself. Enjoy!

Reply
Chen

February 27, 2015

Great. Thank you!. Any way to search for certain words in message header? Also any way to delete all messages under one folder?

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  February 27, 2015
  
  What words do you want to find in the message header?
  
  And there’s no way to limit Search-Mailbox to a particular folder. It processes everything in a mailbox… no matter what folder the items are in.
  
  Reply
  1. Chen
    
    March 2, 2015
    
    Thank you for answering! As to what I want to find in the message header – sometime the subject of the message is too broad. If I can search message header for originating server/application name then it would be more accurate. I don’t know if such parameter exists. Thanks again!
  2. Tony Redmond (“Thoughts of an Idle Mind”)
    
    March 2, 2015
    
    It doesn’t. Not as far as I know anyway…
Yaniv Schiff

April 9, 2015

Great Info Tony. I was wondering if it’s possible to run a search bassed on a Conversation ID or IntMsgID or ConversationIndex.

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  April 9, 2015
  
  I don’t think so. http://blogs.technet.com/b/quentin/archive/2014/07/30/using-search-properties-and-operators-with-ediscovery.aspx is a great source of information about what can be used in searches (for Exchange 2013; Exchange 2010 uses different operators) and I don’t see them there.
  
  Reply
James Lipinski

May 8, 2015

Is there a way to modify the mail search to look for email from a specific sender prior to a certain date?

Thanks for the info.

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  May 9, 2015
  
  What version of Exchange? With Exchange 2013 or Exchange Online you should be able to pass a date range to specify what you want. For example, -SearchQuery {Received:”01/01/2013..01/01/2015″}
  
  Reply
  1. James Lipinski
    
    May 11, 2015
    
    I think I figured it out. Here is what I was able to come up with to do the search on Exchange 2010. This will only do the search and not copy the items or delete them. I thought I would share it back. Thank you for pointing me in the right direction.
    
    Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery “from:noreply@contoso.com and Received:> $(’01/01/2014′) and Received:< $('12/31/2014')" -TargetMailbox "searchresults@contoso.com" -TargetFolder "SearchResults" -LogOnly -loglevel full
  2. Tony Redmond (“Thoughts of an Idle Mind”)
    
    May 11, 2015
    
    Great. Thanks!
btallon

June 8, 2015

We ran this Search-Mailbox -identity username@contoso.com -searchquery {(Received:> 01/01/2015 and Received:< 01/03/2015)} -DeleteContent

Unfortunately it also picks up contacts, calendars tasks and notes. Essentially everything. Is there any way to delete just email and leave the rest alone? Thanks for the article.

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  June 8, 2015
  
  What version of Exchange?
  
  Reply
  1. btallon
    
    June 8, 2015
    
    2010 Enterprise.
  2. Tony Redmond (“Thoughts of an Idle Mind”)
    
    June 8, 2015
    
    Hmmm… Exchange 2013 uses KQL, a different query language that might be able to do what you want. I’d have to do some testing to prove that… and I am on vacation right now so that’s not going to happen anytime soon!
BowDownToZod

July 14, 2015

Is it only possible to restrict the search by date? Or can we narrow the results even further by adding a time parameter? For instance, if I want to return a messages that were sent 07/01/2015 15:34. Is this possible?

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  July 14, 2015
  
  http://blogs.technet.com/b/quentin/archive/2014/07/30/using-search-properties-and-operators-with-ediscovery.aspx is a pretty good cheat sheet for what’s possible with Exchange properties. It looks as if Read and Sent dates use the day only. KQL accommodates date and specific times, but perhaps not for Exchange. I have asked the question.
  
  Reply
  1. Tony Redmond (“Thoughts of an Idle Mind”)
    
    July 14, 2015
    
    The answer is that even though KQL supports a DateTime data type for searches, the parser used by Exchange only uses the date value. So you can’t search for a specific date and time. Sorry!
Removing on-hold items from Exchange and SharePoint: unsupported but doable | WebSetNet

August 24, 2015

[…] example of the Search-Mailbox cmdlet in action is shown below. In this case, we search one mailbox to look for messages that have […]

Reply
RobM

March 23, 2016

Hi Tony. I am trying to search for the number of “Deleted Items” for a date range, in particular, the number and size of emails that were deleted more than 14 days ago. I DON’T need the information for the ‘recoverable items’, just what in the “Deleted Items” folder. I can’t seem to find anything to allow me to do this. Do you have any suggestions?

I am using a similar script on Exchange 2010 to locate number and size of “Sent” emails older than 13 months (395 days).

$today=(get-date).adddays(-395)
$users = (Get-Content C:\psscripts\CheckMailAge\valid_users.txt)

foreach ($user in $users){
write-host “Working on mailbox for ” $user
search-mailbox -identity $user -targetmailbox ‘Test User1’ -targetfolder ‘NBFCMailsent-395’ -searchquery “Sent:< $($today)" -logonly -loglevel full | select identity, displayname, database, ResultItemsCount, ResultItemsSize | ft -hidetableheaders DisplayName,Database,ResultItemsCount,ResultItemsSize | out-file -Append -NoClobber .\AllUsersSentItems-395Days.txt
}

Much appreciated!
Rob.

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  March 23, 2016
  
  I don’t think you can confine Search-Mailbox to a specific folder. However, I am doing a little research to make sure that I am right.
  
  Reply
  1. Tony Redmond (“Thoughts of an Idle Mind”)
    
    March 23, 2016
    
    I’ve confirmed that none of the Microsoft eDiscovery tools currently support a folder scope. They are considering doing something in the future, but nothing exists today. You could try doing something with Exchange Web Services (EWS) and program a search to meet your needs. https://blogs.msdn.microsoft.com/emeamsgdev/2013/06/25/powershell-search-mailbox-for-items-of-a-particular-message-class-itemclass/ provides some examples of how to use EWS in this manner.
  2. RobM
    
    March 23, 2016
    
    Thanks Tony, I appreciate your responses. I’ll see what I can do with EWS.
    
    RobM
Panzerbjrn

July 6, 2016

Great article, thanks.

Is there a way to output the results, i.e. all messages with a certain subject?
Just the good stuff like sender, recipients, subject, attachments and so on?

Thanks,
Lars

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  July 6, 2016
  
  No, the output for Search-Mailbox are the items exported to the target mailbox. There’s no way to get just a nicely formatted report. LogOnly gives you a log, but I suspect it’s not what you want…
  
  Reply
Martin Wells

August 26, 2016

Tony,

Is there anyway to seach for email with a certain MessageID instead of by subject? Thanks for the great article btw!

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  August 27, 2016
  
  Sorry. I don’t think the message identifier can be used for searching. See https://msdn.microsoft.com/library/ee558911(v=office.15).aspx#kql_property_restriction_queries and (even better) https://blogs.technet.microsoft.com/quentin/2014/07/30/using-search-properties-and-operators-with-ediscovery/
  
  Reply
Ken

October 20, 2016

Tony,

I need to search mailboxes for emails with a specific subject, and a from address but I only want to use the domain, not the email address for the from value. Is this possible?

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  October 20, 2016
  
  Try a search query like ‘(Subject: “Some text”) AND (From: “*gmail.com”)’. I just tested it here and that syntax works against Exchange Online. It should also work against Exchange 2013 and Exchange 2016.
  
  Reply
PowerMapi

January 18, 2017

For those that find themselves on this thread and still get tripped up on this, there’s a better alternative now: PowerMapi (http://powermapi.com/cmdlets).

PowerMapi is a .NET compiled powershell module that provides direct access to MAPI.
For example, to get the results requested by the title of this post with PowerMapi:

import-module PowerMapiLoader
$sess=new-MapiSession OutlookProfileName
$inbox=get-MapiFolder $sess Inbox
$found=search-MapiItems $inbox “PR_SUBJECT -has redmond -and PR_MESSAGE_DELIVERY_TIME -btw 12/1/2016::1/1/2017”

In the above, which is hopefully simple to understand, the -btw operator is ‘between’. The search feature in PowerMapi is a “brute force” search meaning that it is not based on the limitations of MAPI’s ‘restriction’ structures (for those MAPI devs out there :). This means that the list of operators and how it works is more flexible and feature rich, including Regular Expression matching, courtesy of the .NET framework!
So, it’s possible to do something like: search-MapiItems $inbox “PR_SUBJECT -match regex pattern goes here -and attach(PR_ATTACH_FILENAME -match regex pattern here also)”
This will search for subjects AND attachment names!

Reply
1. Courtney Piratzky
  
  September 5, 2017
  
  YES!! Can this tool take action on items in the folder “Top of Information Store” and be done by an admin as opposed to MFCMapi requiring a profile using the user creds? I’m wanting to move items out of “Top of Information Store” and into an actual folder.
  
  Reply
  1. PowerMapi
    
    September 9, 2017
    
    It’s possible, but it is mapi and still requires a profile.
    The key to this is permissions up front. if you create a new user account in the domain/environment and either give it full access permission to all the mailboxes you want to open, or give this account Receive-As (and possibly Administer Information Store for system privilege) to the database(s) of the mailboxes, you can open the mailboxes you want from a single profile.
    
    this would be done by the Open-MapiExchangeMailbox cmdlet.
    
    once you get the reference to a user’s mailbox store, you can get the IPM_Subtree (aka “Top of Information Store”) quite easily and then get to any contents.
dixonjaimy@sbcglobal.net

January 19, 2017

How do you stop a search-mailbox -deletecontent command from running if someone used the -force parameter?

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  January 22, 2017
  
  CTRL/C or terminate the PowerShell session?
  
  Reply
Sandy Wood

February 3, 2017

We’re looking to search for specific strings like CI or SP but all our testing has shown that eDiscovery on Exchange 2013 returns everything with ci or sp in it. Has anyone grappled with this and found a solution?

Reply
Using Different Queries When Processing Multiple Mailboxes with Search-Mailbox – Office 365 for IT Pros

February 12, 2019

[…] A reader query asked how to run the Search-Mailbox cmdlet against a set of mailboxes when you need to execute a different search against each mailbox. It’s easy to run a search against multiple mailboxes with the same search query, but things get complicated when you try to change the query each time. The Search-Mailbox cmdlet is a powerful way to search and remove items from multiple mailboxes, but many people seemed to encounter problems when using a variable with searches (see the comments on this post). […]

Reply
Michelangelo

May 3, 2019

If I have a list of recipients, let´s say Mailx.txt I usually were doing a Get-Content Mails.txt | Search-Mailbox …….

now I do not why but the cmdlet runs and only runs the search on the last user of the mails.txt. How do I do to make the search to run on each of the addresses in that Mails.txt

Reply
1. Tony Redmond (“Thoughts of an Idle Mind”)
  
  May 3, 2019
  
  $Contents = Get-Content Contents.txt
  Foreach ($C in $Contents) {Write-Host “Now Processing” $C}
  
  (Substitute the Search-Mailbox command for the Write-Host command shown in the example)
  
  Reply
Owen Frederick

August 31, 2021

Tony,
I’m just an average user, and I’m trying to search my mailbox for emails sent to John Doe, or Jane Doe, or Jim Doe, but no one else. The problem I’m running into is excluding emails which are to one of those individuals, but also include anyone else.

(to:(”Doe, John” OR ”Doe, Jane” OR “Doe, Jim”) AND (NOT( NOT to:(”Doe, John” OR ”Doe, Jane” OR “Doe, Jim”))

Any help you can offer would be appreciated.

Reply
具有多个短语的Exchange 2013电子邮件搜索 – 实战宝典

December 24, 2021

[…] Using Search-Mailbox to look for items with a specific date […]

Reply