Exchange 2010 Discovery Searches: What about users who leave?

Exchange 2010 Discovery Searches: What about users who leave?

As you probably know, Microsoft has made quite a big fuss about the compliance features that they have incorporated into Exchange 2010 and extended further in Exchange 2013. It’s fair to acknowledge the progress that has been made in this area through the addition of features such as archive mailboxes, retention policies and tags, litigation and retention hold, enhancements to the Recoverable Items folder (aka the “dumpster”), and the provision of a discovery search capability. All good stuff!

Of course, shipping features is one thing. Discovering (no pun intended) how those features work in production is quite another. No amount of testing exposes software to the slings and arrows of outrageous users and this is true of discovery searches.

For example, some time ago  the Exchange blog described a limitation that exists in discovery searches that constrains a search on an Exchange 2010 server to a maximum of 25,000 mailboxes. It does not surprise me that such a limitation exists and 25,000 seems like a reasonable number of mailboxes to be able to search at any one time. After all, if you allowed searches to occur against a limitless number of mailboxes, you might end up in a situation where administrators made mistakes and launched such a search and brought a server to its knees by either exhausting available memory or exceeding available disk space on the drive that holds the database containing the discovery search mailbox. Each mailbox that must be searched absorbs some memory, CPU, and disk cycles on the server that hosts the mailbox and the server that hosts the discovery search mailbox and then there’s the small matter of network bandwidth used to transport items that match the search criteria to the server that hosts the discovery search mailbox. Exchange 2013 takes a different approach to resource consumption for searches because it uses throttling instead. However, it's all very logical.

A small but important fact that might have escaped you is that discovery searches don’t interrogate disconnected mailboxes. These are mailboxes that don’t really belong to any user because they are not connected to an Active Directory user object and are usually the result of deleting or disabling a user mailbox, both actions that break the connection between Active Directory and the mailbox by removing the attributes in Active Directory that allow Exchange to know how to find the right mailbox for a user or by blowing away the Active Directory object. Mailboxes like this remain in a database until they age out and are removed by the Managed Folder Assistant. Typically, the retention period for disconnected mailboxes is 30 days.

The point here is that many companies have operational procedures to manage the data of employees after they leave. Often these processes involve mailboxes being deleted or disabled. The same process might be used for employees who resign, terminated, or leave for another reason (death or retirement). Different steps might be taken for employees who have significant responsibilities or who are closely connected to intellectual property. In any case, once you delete a mailbox and the mailbox moves into a disconnected state waiting for its final removal, the contents of that mailbox become invisible to discovery searches. This is true for the standard Exchange search functionality and might be different for other compliance software. It’s certainly something to check.

Removing disconnected mailboxes from the scope of discovery searches is probably not a good thing in the eyes of the legal fraternity as it creates the uncomfortable scenario that items required by a discovery action that are strictly speaking under the control of and available to the company now cannot be found by a discovery search. Thus, the company might responsible to a discovery request with incorrect information and therefore expose itself to legal sanction, depending on the requirements of the jurisdiction under which the legal action is taken.

If you have bought into the compliance features of Exchange, it’s a good thing to review the processes that are used to deal with information associated users who leave the company to ensure that your legal team is happy that it is able to respond to discovery requests in an appropriate manner. Some change might be required, such as keeping the Active Directory account for users who leave around for a longer period (for example, the email address can be changed, the mailbox hidden from the GAL, and blocked from receiving new email). In fact. Microsoft recently announced a similar solution for Office 365 deployments with "inactive mailboxes" where in-place holds (a feature of Exchange 2013) are used to keep mailboxes around after their users have departed.

All of this is another example of how the devil is in the detail of implementation of technology in real-world environments that reminds us once again that the pretty words of marketing spoken when new products are launched have to be interpreted in the cold light of day once you have installed the software.

Follow Tony @12Knocksinna 

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.