Items sent to external and internal recipients cannot be found with "NOT recipients" by eDiscovery in Exchange 2013

Symptoms
Assume that you create an In-Place eDiscovery search in Exchange Admin Center (EAC) to return items that are sent to external recipients by specifying the NOT recipients:"internalDomain" criteria in the search. In this situation, the search syntax returns items that are sent to only external recipients, but excludes items that have internal and external recipients.
Cause
This issue occurs because eDiscovery uses Keyword Query Language (KQL) that uses the Boolean logic. Therefore, the NOT recipients:"internalDomain" excludes all items that contain an internal recipient, even the items that also have an external recipient.

Note The current design does not provide a more refined functionality through the EAC.
Workaround
To work around this issue, you can use one of the following methods.

Method 1: Use EWSEditor

A free-ware EWSEditor application is available to work around this issue. There is an eDiscovery window which can be used to search for items.

Note You have to set up the account being used to have the Audit RBAC role to do these searches.

Method 2: Use a different API

Use a different API that does not rely on KQL. You have to build a custom solution by using other programs, such as Exchange Web Services (EWS). The solution can retrieve some parts of the data (a bigger dataset). The solution can further process the received result by using external logic to arrive at the desired set of messages that match the NOT recipients:"internalDomain" criteria as you would interpret it.
Also, for identification of such messages going forward, a better solution would be to use a transport rule that could send copies of such items (internal and external recipients) to an auditing mailbox.

The following is a sample code to work around this issue by using EWS Managed API.

Note In this code sample, replace InternalDomain1.com, InternalDomain2.com, InternalDomain3.com with your internal domain name. This placeholder appears in three locations in the code. 

Code sample

<#AQS search using EWS Managed APIUSAGE: .\Search-Mailbox.ps1 -MailboxName mbx@domain.com -AqsString "(""Test"")"#> [CmdletBinding()]param ( [Parameter(Position=0,Mandatory=$True,HelpMessage="Mailbox SMTP format")] [ValidateNotNullOrEmpty()] [string]$MailboxName,  [Parameter(Position=1,Mandatory=$True,HelpMessage="AQS QueryString")] [ValidateNotNullOrEmpty()] [string]$AqsString )######################################################################## Update EWS DLL Folder,$domain, $account, $pwd and $exserver Values########################################################################$resultFL = "C:\Scripts\Result"$domain = "SEARCH"$account = "MailboxSearch@domain.com";$pwd = '123'$exServer = "exch01search.net"$EWSManagedApiPath = "C:\scripts\Microsoft.Exchange.WebServices.dll"########################################################################$LogFile_All = "$($resultFL)\$($Mailboxname)_All.txt"$LogFile_Filtr = "$($resultFL)\$($Mailboxname)_Filtered.txt"$LogFile_Itype = "$($resultFL)\$($Mailboxname)_ItemTypes.txt"$StopWatch = New-Object system.Diagnostics.Stopwatch$StopWatch.Start()Add-Type -Path $EWSManagedApiPath$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2)$service.Credentials= new-object Microsoft.Exchange.WebServices.Data.WebCredentials($account,$pwd,$domain)$service.UseDefaultCredentials = $false$UseAutoDiscover = $false$service.Url = new-object uri("https://domain.com/EWS/Exchange.asmx")$ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress,$MailboxName);$service.ImpersonatedUserId = $ImpersonatedUserId#Define Extended properties$PR_Folder_Path= new-object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(26293, [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::String);$PR_FOLDER_TYPE = new-object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(13825,[Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Integer);$folderidcnt = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$MailboxName)#Define the FolderView used for Export should not be any larger then 1000 folders due to throttling$fvFolderView =  New-Object Microsoft.Exchange.WebServices.Data.FolderView(1000)#Deep Transval will ensure all folders in the search path are returned$fvFolderView.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep;$pSchPropSet= new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)$pSchPropSet.Add($PR_Folder_Path)$fvFolderView.PropertySet = $pSchPropSet#The Search filter will exclude any Search Folders$sfSearchFilter = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo($PR_FOLDER_TYPE,"1")$fiResult = $null$MsgPropSet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Id)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::ParentFolderId)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::ItemClass)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::DateTimeSent)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::Sender)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::ToRecipients)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::ccRecipients)$MsgPropSet.Add([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::BccRecipients)$AptPropSet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Id)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::ParentFolderId)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::ItemClass)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::DateTimeSent)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.AppointmentSchema]::Organizer)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.AppointmentSchema]::RequiredAttendees)$AptPropSet.Add([Microsoft.Exchange.WebServices.Data.AppointmentSchema]::OptionalAttendees)$SchPropSet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Id)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::ParentFolderId)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::ItemClass)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::DateTimeSent)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.MeetingRequestSchema]::Organizer)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.MeetingRequestSchema]::RequiredAttendees)$SchPropSet.Add([Microsoft.Exchange.WebServices.Data.MeetingRequestSchema]::OptionalAttendees)#Write-host "Checking Mailbox: $($MailboxName)"#Write-host "Searching QueryString: $($AqsString)"#The Do loop will handle any paging that is required if there are more the 1000 folders in a mailbox$ic=0$fic=0do {    $fiResult = $Service.FindFolders($folderidcnt,$sfSearchFilter,$fvFolderView)    #$fiResult.Folders.Count    foreach($ffFolder in $fiResult.Folders){       # "Processing : " + $ffFolder.displayName       $fpath =  $ffFolder.ExtendedProperties[0].Value        $fic++       $fiItems = $null       $ItemView = New-Object Microsoft.Exchange.WebServices.Data.ItemView(1000)       do{         Write-Progress -Activity "Processing $($MailboxName) - QueryString $($AqsString)" -Status $ffFolder.DisplayName -PercentComplete ($fic/$fiResult.Folders.Count*100)   $fiItems = $ffFolder.findItems($AqsString,$ItemView)         $ic = $ic + $fiItems.items.count         $ItemView.offset += $fiItems.Items.Count   foreach($Item in $fiItems.Items){            $itype = "$($item.ItemClass)`t$($Item.id.UniqueId)"            Add-content -Value $itype -Path $LogFile_Itype            $result=""            switch ($item.ItemClass)            {                "IPM.Note" {                            $Item.Load($MsgPropSet)                            $MT = @() # Create a MAPITABLE to filter external Domains                            $eRecipients=""                            $result = "$($mailboxname)`t$($fpath)`t$($Item.Sender.Name)`t$($Item.DateTimeSent)`t$($Item.Subject)`t$($Item.id.UniqueId)`t$($item.ItemClass)"                            Add-content -Value $result -Path $LogFile_All                            $item.ToRecipients | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $item.ccRecipients | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $item.BccRecipients | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $er=@()<#Replace InternalDomain1.com, InternalDomain2.com, InternalDomain3.com with your internal domain name.#>                            $mt | %{if($_ -notmatch 'InternalDomain1.com|InternalDomain2.com|InternalDomain3.com'){                                        $eRecipients = $true                                        $er +=$_                                        }                                    }                            }                                 "IPM.Appointment" {                            $Item.Load($AptPropSet)                            $MT = @() # Create a MAPITABLE to filter external Domains                            $eRecipients=""                            $result = "$($mailboxname)`t$($fpath)`t$($Item.Organizer.Name)`t$($Item.DateTimeSent)`t$($Item.Subject)`t$($Item.id.UniqueId)`t$($item.ItemClass)"                            Add-content -Value $result -Path $LogFile_All                            $item.RequiredAttendees | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $item.OptionalAttendees | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $er=@() <#Replace InternalDomain1.com, InternalDomain2.com, and InternalDomain3.com with your internal domain name.#>                            $mt | %{if($_ -notmatch 'InternalDomain1.com|InternalDomain2.com|InternalDomain3.com'){                                        $eRecipients = $true                                        $er +=$_                                        }                                    }                                                       }                                                    "IPM.Schedule.Meeting.Request" {                            $Item.Load($SchPropSet)                            $MT = @() # Create a MAPITABLE to filter external Domains                            $eRecipients=""                            $result = "$($mailboxname)`t$($fpath)`t$($Item.Organizer.Name)`t$($Item.DateTimeSent)`t$($Item.Subject)`t$($Item.id.UniqueId)`t$($item.ItemClass)"                            Add-content -Value $result -Path $LogFile_All                            $item.RequiredAttendees | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $item.OptionalAttendees | %{If($_.RoutingType -ne "EX"){$mt+=$_.Address}}                            $er=@()<#Replace InternalDomain1.com, InternalDomain2.com, InternalDomain3.com with your internal domain.#>                            $mt | %{if($_ -notmatch 'InternalDomain1.com|InternalDomain2.com|InternalDomain3.com'){                                        $eRecipients = $true                                        $er +=$_                                        }                                    }                            }                   Default {$eRecipients="";$result=""}             } #END Switch            If($eRecipients){                            $er = $er -join ";"                            $result="$($result)`t$($er)"                            Add-content -Value $result -Path $LogFile_Filtr                            }                      }  #End Foreach Items        }while($fiItems.MoreAvailable -eq $true)    }  #End Foreach Folders    $fvFolderView.Offset += $fiResult.Folders.Count}while($fiResult.MoreAvailable -eq $true)$StopWatch.Stop()write-host "Completed $($Mailboxname) in Seconds:" $StopWatch.Elapsed.TotalSeconds -ForegroundColor GreenWrite-Host "Total Items found:" $ic$StopWatch = $null


Method 3: Preventive monitoring

For identification of items that have internal and external recipients, create a transport rule that can send copies of such items to an auditing mailbox.
Status
Microsoft has confirmed that this is by design.
More information
For more information about In-Place eDiscovery, go to the following Microsoft website:For more information about KQL, go to the following Microsoft website:
Properties

Article ID: 2977178 - Last Review: 03/05/2016 09:51:00 - Revision: 6.0

Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard

  • kbfix kbexpertiseadvanced kbsurveynew kbbug KB2977178
Feedback