Recover Deleted Messages

Exchange 2010 now allows you to recover messages that users have purged from their mailboxes. This is what happens when a user deletes a message:

1. User deletes a message.
2. The message moves to a 'Deleted Items' folder. At this point the user can see the deleted messages and can move the deleted message back to the inbox. This is known as a 'soft delete'. Messages can also be moved to the 'dumpster' by emptying the deleted items folder.This is a 'hard delete'.
3. Message moves to the 'Dumpster'. This removes the message from view. Deleted item retention is 14 days by default. Users can still recover items by using the recover deleted items tool (right click deleted items in OWA and select 'recover deleted items')
4. If the end user purges data from the "Recover Deleted Items" view (hard delete from the Recoverable Items\Deletions folder), the item will be moved to the Recoverable Items\Purges folder. The purges folder is a special folder that sits within the dumpster. The user will not be able to see the deleted message from this folder. However administrators granted the rights to perform 'discovery searches' can search through the purges folder and restore deleted items.

Discovery Searches

• Perform a discovery search for the item you need to restore. This first involves navigating a browser to https://servername/ecp. This is on the CAS role (ecp is the exchange control panel). Logon as the administrator for example. By default this account does NOT have the permission to run a discovery search.
• Next to 'Select what to manage' select 'my organization' and select 'reporting'
• You will probably see 'delivery reports' only. You require searching mailboxes. As mentioned you dont have the permissions to do this.
• Select 'Users and Groups' and then 'Administrator Roles'
• Select and double click 'Discovery Management'
• Add the Administrator account and click save
• You will have to log out and back in again but under reporting you will see 'Mailboxes Searches'. Select this.
• Select 'New'. As you can see there are a number of search methods. Select mailbox to search and select the user mailbox that has purged deleted items.
• Provide a search name
• Select 'Select a mailbox in which to store the search results' and choose the 'Discovery Search Mailbox' and click save.
• After the search has completed (you may have to refresh) select the link that says open by the results output on the right hand side.
• If you cant open the discovery search mailbox, you will need to grant the administrator access to it by typing in the following:

[PS] Add-MailboxPermission DiscoverySearchMailbox -User administrator -AccessRights FullAccess
NB. I changed the alias of the mailbox to this simpler name

• You should now be able to open the discovery search mailbox. Once opened, navigate on the left to the search name and open the sent\deleted items folder. You should be able to find the item that was purged.
• Create a new folder in the discovery search mailbox. This could be called Andrew's recovered mail for example. Drag the purged item into this folder
• Open the shell and type the following:

[PS] Export-Mailbox DiscoverySearchMailbox -IncludeFolders "Andrews Recovered Mail"  -TargetMailbox
Andrew -TargetFolder "Recovered Mail"

Andrews mail should now be restored in his mailbox in a folder called Recovered Mail. You could also forward the message to Andrew instead of exporting.