When trying to delete a particular email from all email boxes it became a difficult chore in figuring out the correct syntax. I am posting this in case anyone else runs into this issue when trying to delete a specific email by identifying both a subject keyword and a body keyword.
I have noticed that the command syntax can vary greatly depending upon what CU is applied. These commands were run on an Exchange 2013 SP1 with CU13 installed.
Be sure to thoroughly use the logging feature as it does not delete any emails and will let you know what the variables and keywords have found. It will give you a heads up of what would be delete if the same keywords were used.
- Open up the Exchange 2013 Command Shell
- I recommend you utilize a dedicated mailbox for the logging part, this will allow that mailbox to store the output of what is discovered in the search without delete command. This allows you to review the contents prior to deletion.
- Running the following command will search for all emails containing the subject “confidential” and the body word “doe”. Another way to put this is that all emails that contain both “confidential” and “doe” will be discovered. If an email message is missing the body word “doe” it will not be discovered.
description of the variables
Exchange Server Computer Name = exchange1
Subject Keyword we are searching for = confidential
Body Keyword we are searching for = doe
Dedicated Mailbox for the logs = DumpsterBox
The Folder to which the log files should be stored (if the folder does not exist it will be created) = DumpsterLog
Get-Mailbox -Server "exchange1" | Search-Mailbox -SearchQuery {Subject:"*confidential*" AND Body:"*doe*"} -targetmailbox "DumpsterBox" -targetfolder "DumpsterLog" -logonly -loglevel full4. After you run the command and email will be sent to the targetmailbox you specified. In our case our mailbox is called “DumpsterBox” inside of this mailbox.
A1. “Search Results.csv.zip” contains a detailed listing of all the emails discovered in the search
A2. Displays the number of emails found that contains the keywords you searched for\
A3. The query returned as shown
A4. This shows the amount of email boxes searched. This is not how many messages were found.
5. Once you are happy with the results in the log output it is then time to delete the emails. Running the command below will delete ALL emails that contain the subject “confidential” and must also contain the body key word “doe”
Get-Mailbox -Server "exchange1" | Search-Mailbox -SearchQuery {Subject:"*confidential*" AND Body:"*doe*"} -DeleteContent6. Once the command is run give it a few moments it will prompt you to either delete the email message 1 by 1 or all at once. Once the command is running let it run. Depending upon the size and the amount of mailboxes to be searched and the content to be deleted it could take some time. Additionally if anyone in the organization is using PSTs or locally cached email the email boxes may not refresh until a few minutes after the -deletecontent is fully finished.