When an organization is in the midst of a legal
battle, it's vital that they be able to capture and produce important
information quickly. Exchange helps in this area by providing new ways
to ensure that messages cannot be modified or deleted. Exchange also
provides a new discovery capability, which allows multiple mailboxes to
be searched for information. This section discusses how to implement and
use these features.
1. Perform Search and Discovery of Email
Exchange Server 2010 has
introduced the concept of email discovery. With email discovery,
multiple mailboxes can be searched for items that contain keywords.
Discovery searches are restricted to people who have explicit
permissions. When used in conjunction with litigation holds (discussed
later in this section), discovery can uncover messages that users
deleted and restore the original versions of messages users have
modified.
Discovery searches are
performed using the Exchange Control Panel (ECP), which is a web service
that is accessible through Client Access servers in much the same way as
Outlook Web App (OWA). In this section, you'll learn how to use
discovery searches.
1.1. Create a New Discovery Search
When you create a
discovery search, you define the parameters that are used for searching
across mailboxes. You can specify multiple keywords as well as
parameters such as OR and AND.
After you create a discovery search, it is available for other people
with discovery permissions to view, modify, and rerun. Use the following
steps to create a discovery search:
Open a web browser and navigate to the ECP URL on one of your Client Access servers. The ECP is hosted on Client Access servers in a similar manner to how OWA is hosted. A Client Access server that can be used for OWA can likely be used for ECP as well. For example, the ECP URL on an internal Client Access server in Contoso may be https://contoso-cas1/ecp. If there is an Internet-facing server, the URL could be https://mail.contoso.com/ecp.
Log in to the web interface with an account that has access to create and execute discovery searches.
After you are logged into the ECP, ensure that My Organization is selected in the drop-down list in the upper left, as shown in Figure 1. If you don't see this drop-down list, that means you don't have permission to perform discovery searches.
In the list of categories on the left side of the ECP, select Reporting.
In the list of tabs along the top of the Reporting interface, select the Mailbox Searches tab, as shown in Figure 2.
This is your primary interface for creating and executing discovery searches. To create a new search, click the New button in the Multi-Mailbox Search tool.
The New Mailbox Search dialog box opens. If you get a certificate error, you may still be using an untrusted self-signed certificate. Click the option Continue To This Website.
In the New Mailbox Search dialog box, under the Keywords category, enter the keywords that you want to search for, as shown in Figure 3.
To search for messages to or from specific users, click the category Messages To And From Specific E-Mail Addresses.
Click the Date Range category to select the range of dates that you want to search in.
Select the category Mailboxes To Search. You can choose the option Search All Mailboxes, or you can add specific mailboxes to the list by clicking the Add button.
Click the Search Name And Storage Location category. In the Search Name field, type a name for this search. When naming your search, remember that other users with discovery search permission can also execute this search, so make it as descriptive as you need it to be.
In the field Select A Mailbox In Which To Store The Search Results, click the Browse button and choose the discovery mailbox that the results will be stored in.
You can also check the box Send Me An E-Mail When The Search Is Done. Searches may take a long time to complete if many mailboxes are involved. If you select this box, you will receive an email notification when the search is complete.
When you have finished filling out the search options, click the Save button, as shown in Figure 4.
1.2. Rerun a Discovery Search
After you create a
discovery search, the search is executed and the results are stored in
the discovery mailbox that you designated. You can rerun this search at
any time to refresh the results. When you rerun the search, the items
that are already in the discovery mailbox are deleted and the new search
results are populated instead.
To rerun a discovery search, use the following steps:
After logging into the web application, you will be taken to the ECP page for your organization. Ensure that My Organization is selected from the drop-down list in the upper left. If this list isn't present, that means you don't have permissions to perform discovery searches.
In the category list on the left side of the ECP, select Reporting.
In the list of tabs in the Reporting category, select the Mailbox Searches tab. This tab is only available if you have permissions to perform discovery searches.
Every search is listed in the Multi-Mailbox Search tool. If you click on a search, you can view information about the search, including the last time that the search was run, as shown in Figure 5.
To rerun the search, select the search that you want to rerun and click the Restart Search icon, which is highlighted in Figure 6.
You may be prompted with a warning that says the existing search results will be removed from the discovery mailbox. This is expected if the mailbox holds results from a previous search. Click the Yes button to continue.
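The ECP procedures for creating and rerunning a search can also be carried out from the EMS with the New-MailboxSearch, Start-MailboxSearch, and Get-MailboxSearch cmdlets. The following is an added example, not part of the original text; the search name, custodian addresses, keywords, dates, and notification address are constructed sample values, and the target is the discovery mailbox created in section 1.4.

```powershell
# Added example: EMS equivalent of the ECP walkthrough (constructed sample values).
$searchName = 'Insider Trading - Q3 review'   # descriptive, because other reviewers will see it
$target     = 'Discovery Mailbox - Insider Trading'
$custodians = 'john.smith@contoso.com', 'nora.shea@contoso.com'

# Keywords combined with OR and AND, as in the Keywords category of the dialog box.
$query = '("merger" OR "acquisition") AND "confidential"'

# Look for an existing search with this name before creating a duplicate.
$existing = Get-MailboxSearch | Where-Object { $_.Name -eq $searchName }

if (-not $existing) {
    # As described above, the search is executed once it has been created.
    # Date strings are parsed using the regional settings of the shell session.
    New-MailboxSearch -Name $searchName `
        -SourceMailboxes $custodians `
        -TargetMailbox $target `
        -SearchQuery $query `
        -StartDate '07/01/2010' -EndDate '09/30/2010' `
        -StatusMailRecipients 'legal-review@contoso.com'
}
else {
    # Rerun: the previous results in the discovery mailbox are replaced,
    # so export anything that must be retained before restarting.
    Start-MailboxSearch -Identity $searchName
}

# Check progress and the number of items copied to the discovery mailbox.
Get-MailboxSearch -Identity $searchName |
    Format-List Name, Status, PercentComplete, ResultNumber, ResultSize
```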
1.3. View the Results of a Discovery Search
When a discovery search is
executed, the emails that are included in the search result list are
copied to a discovery mailbox that you specified when you set up the
search. The discovery mailbox is a resource mailbox, which has no
specific owner. Only people who have permissions to the discovery
mailbox can view the results of the search.
You can view the results
of the discovery search by clicking the Open link in the properties pane
next to the discovery search. This is illustrated in Figure 7.
When you click the Open link,
the discovery mailbox will be opened in OWA for you to view just like
any other regular mailbox. The search results are stored in the mailbox
under a folder with the same name as the search you created. If you open
this folder, you will notice that each mailbox that had messages
discovered by the search is listed as a separate folder. Inside these
mailbox folders, the folder hierarchies are maintained, as shown in Figure 8. Preserving the folder hierarchy is sometimes useful in a court case.
One thing you will notice
in the example is a folder called Recoverable Items. This folder
contains the messages that the user deleted.
The discovery search
doesn't just search against the mail in a user's mailbox; it also
searches against the user's archive. When messages are in PST files,
they are not searched, but if you require users to move their data from
PSTs to their online archive, you then will have this data to search
across as well.
1.4. Create a Discovery Mailbox
By default, one discovery
mailbox is created when Exchange is installed. You can create additional
discovery mailboxes that store results for different searches. You can
then give different people permissions to those specific discovery
mailboxes. For example, a lawyer may want to create a search and store
the results in a mailbox that a paralegal has access to. In this case,
the lawyer can maintain access to create and run the searches, while the
paralegal can only view the results.
To create a discovery mailbox,
you must use the EMS. Run the New-Mailbox cmdlet with the Discovery
parameter. The following command creates a new discovery mailbox:
New-Mailbox "Discovery Mailbox - Insider Trading" -UserPrincipalName discovery1@contoso.com -Discovery
1.5. Allow People to Search Mailboxes
You can give users
access to create and execute searches using the ECP or the EMS. To give a
user the ability to search mailboxes, you must add that user to
the Discovery Management role group. If you want users to be able to view the
results of the search, they need full access to the discovery mailbox in
which the search results are stored.
1.5.1. Delegate Discovery Management in the ECP
To delegate the Discovery Management role in the ECP, use the following steps:
After logging into the web application, you will be taken to the ECP page for your organization. Ensure that My Organization is selected from the drop-down list in the upper left. If this list isn't present, that means you don't have permission to delegate the Discovery Management role to other users.
In the category list on the left side of the ECP, select Users & Groups.
In the list of tabs in the Users & Groups category, select the Administrator Roles tab. These tabs are only available if you have the permission to delegate roles.
In the list of Role Groups, select the Discovery Management role group and click the Details button, as shown in Figure 9.
In the Role Group dialog box, click the Add button under the Members section. In the Select Members dialog box, double-click the users to whom you want to give Discovery Management permissions and click OK. After you have added people to the list, click the Save button. This is shown in Figure 10.
1.5.2. Delegate Discovery Management in the EMS
You can also give users the right to perform discovery searches by using the Add-RoleGroupMember
cmdlet in the EMS. You will need to specify the user that you are
adding to the role. The following example illustrates this command:
Add-RoleGroupMember "Discovery Management" -Member "Nora Shea"
If you want to see who else has discovery management permissions, run the following EMS command:
Get-RoleGroupMember "Discovery Management"
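The lawyer and paralegal split described in section 1.4 can be set up and audited from the EMS as follows. This is an added example, not part of the original text; "Pat Reviewer" is a hypothetical user who may read results but must not run searches, and the mailbox name is the one created in section 1.4.

```powershell
# Added example: separate "can search" from "can read results" (constructed names).
$discoveryMailbox = 'Discovery Mailbox - Insider Trading'
$searcher         = 'Nora Shea'      # creates and runs searches
$reviewer         = 'Pat Reviewer'   # hypothetical user: reads results only

# 1. Searcher: member of the Discovery Management role group (skip if already present).
$current = Get-RoleGroupMember 'Discovery Management' | ForEach-Object { $_.Name }
if ($current -notcontains $searcher) {
    Add-RoleGroupMember 'Discovery Management' -Member $searcher
}

# 2. Reviewer: Full Access to this one discovery mailbox, with no role group membership.
Add-MailboxPermission -Identity $discoveryMailbox -User $reviewer `
    -AccessRights FullAccess -InheritanceType All

# 3. Audit: the reviewer must not have ended up in the role group as well.
$roleMembers = Get-RoleGroupMember 'Discovery Management' | ForEach-Object { $_.Name }
if ($roleMembers -contains $reviewer) {
    Write-Warning "$reviewer can also create and run searches; remove from Discovery Management."
}

# 4. Audit: list every explicit Full Access grant on the discovery mailbox.
Get-MailboxPermission -Identity $discoveryMailbox |
    Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not $_.IsInherited } |
    Select-Object User, AccessRights, Deny
```

Rerun steps 3 and 4 whenever the matter's staffing changes, because both lists control who can read other users' mail.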
2. Add Disclaimers and Ensure Message Integrity
Exchange Server 2010
provides many features that help your organization protect its
information. Two of these features are automatic disclaimers and
litigation hold. Disclaimers are not guaranteed to protect you in a
lawsuit, but they may help exempt you from liability.
Litigation hold helps to preserve data and ensure that it hasn't been
tampered with by users. This section walks you through the process of
setting up disclaimers and putting mailboxes on litigation hold.
2.1. Add Automatic Disclaimers to Messages
A disclaimer is a statement
that is added to the end of email messages for recipients to read.
These are usually legal statements that are required to be on messages
for compliance reasons. Many organizations attach disclaimers to
messages going outside the organization. The following is a sample of a
disclaimer:
This message is intended
only for the parties that are addressed as recipients. This message may
contain confidential information that is legally protected. Any
unauthorized use, distribution, or modification is strictly prohibited.
Disclaimers are stamped on
messages by Transport servers. To set up a disclaimer, you must create a
new transport rule.
Use the following steps to append a disclaimer to all messages in your organization:
Open the EMC and browse to the Organization Configuration => Hub Transport node in the Console tree.
In the Actions pane, click the New Transport Rule task. This will launch the New Transport Rule wizard.
In the Introduction screen, type a name such as Disclaimer in the Name field. Click Next to continue.
This disclaimer will apply to all messages, so in the Conditions screen, do not select anything. Click Next and you will then be prompted with a dialog box informing you that this disclaimer will apply to all messages sent. Click Yes to continue.
On the Actions screen, select the action Append Disclaimer Text And Fallback To Action If Unable To Apply.
In the rule description text box below the selected action, click the blue, underlined text that reads disclaimer text. The Specify Disclaimer Text dialog box appears, allowing you to type your disclaimer.
After you have typed your disclaimer, click OK to return to the wizard. The Actions dialog box should now be configured in a way that is similar to Figure 11.
Click the Next button to continue.
At the Exceptions screen, ensure that no exceptions are selected and click Next.
On the Create Rule screen, click New to create the rule.
On the Completion screen, click Finish to complete the process and close the wizard.
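The same rule can be created from the EMS with the New-TransportRule cmdlet, which makes the fallback action explicit. This is an added example, not part of the original text; it reuses the rule name and sample disclaimer from this section, and the choice of Wrap as the fallback is an assumption.

```powershell
# Added example: EMS equivalent of the New Transport Rule wizard steps above.
$ruleName = 'Disclaimer'

# The sample disclaimer text from this section.
$disclaimer = @'
This message is intended only for the parties that are addressed as recipients.
This message may contain confidential information that is legally protected.
Any unauthorized use, distribution, or modification is strictly prohibited.
'@

# Create the rule only if a rule with this name does not already exist.
if (-not (Get-TransportRule | Where-Object { $_.Name -eq $ruleName })) {
    # No conditions or exceptions are given, so the rule applies to all messages.
    # Fallback (assumed choice): when the text cannot be inserted into a message,
    # for example because it is encrypted, Wrap encloses the original in a new
    # message that carries the disclaimer. The other values are Ignore and Reject.
    New-TransportRule -Name $ruleName `
        -ApplyHtmlDisclaimerLocation Append `
        -ApplyHtmlDisclaimerText $disclaimer `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}

# Confirm that the rule exists, is enabled, and where it sits in the rule order.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Priority
```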
2.2. Place a Litigation Hold on a Mailbox
In Exchange Server 2010, you
have the ability to place a litigation hold on a mailbox. While a
mailbox is in litigation hold, all deleted and edited items are
preserved and will be included in discovery searches. Litigation hold is likely to be used by
organizations during a lawsuit or an investigation. The mailboxes of
people involved can be placed on hold, preserving all the data.
When a mailbox is on hold, the
deleted and edited items are placed in hidden folders. There is no
apparent impact on the users, and the users on hold will not even be
aware of it unless they are notified.
To place a mailbox in
litigation hold, you can use the Set-Mailbox cmdlet in the EMS. Set the
LitigationHoldEnabled parameter to $true to turn litigation hold on. The
following example shows how to place a mailbox on litigation hold:
Set-Mailbox "John Smith" -LitigationHoldEnabled $true
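Because a hold has no visible effect on the mailbox, it is worth confirming that it was applied to every mailbox involved. The following added example (not part of the original text) places a list of mailboxes on hold, verifies each one, and lists every mailbox in the organization that is currently on hold; the names in the list are sample values.

```powershell
# Added example: place several mailboxes on litigation hold and verify the result.
$custodians = 'John Smith', 'Nora Shea'   # sample names

foreach ($name in $custodians) {
    Set-Mailbox -Identity $name -LitigationHoldEnabled $true
}

# Read the setting back instead of assuming that every Set-Mailbox call succeeded.
$report = foreach ($name in $custodians) {
    Get-Mailbox -Identity $name | Select-Object Name, LitigationHoldEnabled
}
$report | Format-Table -AutoSize

$notHeld = $report | Where-Object { -not $_.LitigationHoldEnabled }
if ($notHeld) {
    $names = ($notHeld | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Not on litigation hold: $names"
}

# Organization-wide view: every mailbox that is currently on hold. Review this
# list when a matter closes so that holds are released deliberately.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    Select-Object Name, PrimarySmtpAddress
```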