It’s always good to get questions and comments after an article appears, if only to prove that someone’s reading the material out there on the InterWeb. I was happy to receive some comments after my “Search and Destroy” article that covers the basics of Exchange 2010’s ability to search for and (optionally) remove messages in user mailboxes.
Hopefully you won’t have to remove messages too often because users don’t typically respond too well to this kind of administrative intervention. That is, of course, if they notice that anything has been deleted! But if you do, it’s good to have solid tools to interrogate mailboxes for offending content and then purge it from the server. I presume the content to be offending in some respect as otherwise it would seem strange to search Exchange for it.
One question that came up is about the AQS syntax used by Exchange to frame search queries (as described in this post, Microsoft changes the syntax used by Exchange 2013 to KQL). Microsoft documents the AQS syntax in MSDN and a couple of examples to help start the ball rolling can be found in the help for the Search-Mailbox cmdlet. The examples are intended to get your creative juices going and it will probably take some trial and error before you settle on the best query for your purposes.
But sometimes you run into a limitation that isn’t covered too well in product documentation. Reading about Search-Mailbox, we find that “The SearchQuery parameter specifies a search string or a query formatted using Advanced Query Syntax (AQS).” This implies that any one of the AQS terms can be used with Search-Mailbox, but that’s not the case and it disappointed one of my readers, who wanted to search mailboxes for a particular PowerPoint deck that had been sent out in error.
Looking through the AQS documentation, we find a section called “Common File Types” that seems to match our need as presentations is listed as one of the supported file types. Thus, we should be able to issue a command to find the required deck that looks something like this:
Search-Mailbox –SearchQuery ‘kind:presentations AND subject “Important New Stuff”’
Alas, Exchange returns an error to remind us to check that the email type is supported, meaning that Exchange supports some but not all of the available AQS search terms.
But what is actually supported? Poking around some more into TechNet, we find the answer in the help for the New-MailboxSearch cmdlet. Here we find that a structure called Microsoft.Exchange.Data.Search.AqsParser.KindKeyword controls the values that can be input for that cmdlet’s MessageTypes parameter. It seems reasonable to assume that the same values are used for Search-Mailbox as well. Reading on, we learn that:
The MessageTypes parameter specifies the message types to include in the search. Valid values can be one or more of the following:
If not specified, all message types are included.
Our answer is now clear. We can specify the kind of information we want to search for, but when we’re searching Exchange, even though you can store just about any type of file in a mailbox, you can only search using a restricted set of Exchange item types.The same restriction applies in Exchange 2010, Exchange 2013, and Exchange Online (Office 365). Thinking about it, the restriction makes sense and it’s just a pity that the documentation is just a little misleading.
But that’s why I guess companies pay big bucks to IT people so that we can make sense of this stuff.
Follow Tony @12Knocksinna