Items sent to external and internal recipients cannot be found with "NOT recipients" by eDiscovery in Exchange 2013

Symptoms

Assume that you create an In-Place eDiscovery search in Exchange Admin Center (EAC) to return items that are sent to external recipients by specifying the NOT recipients:"internalDomain" criteria in the search. In this situation, the search syntax returns items that are sent to only external recipients, but excludes items that have internal and external recipients.

Cause

This issue occurs because eDiscovery uses Keyword Query Language (KQL), which applies Boolean logic to each item as a whole. Therefore, NOT recipients:"internalDomain" excludes every item that contains an internal recipient, including items that also have an external recipient.

Note The current design does not provide a more refined functionality through the EAC.

Workaround

To work around this issue, you can use one of the following methods.

Method 1: Use EWSEditor

The freeware EWSEditor application can be used to work around this issue. It includes an eDiscovery window that can be used to search for items.

Note The account that is used for these searches must be assigned the Audit RBAC role.

Method 2: Use a different API

Use a different API that does not rely on KQL. You have to build a custom solution by using another interface, such as Exchange Web Services (EWS). The solution can retrieve a bigger dataset than the one you want, and then process the returned results by using external logic to arrive at the set of messages that match the NOT recipients:"internalDomain" criteria as you would interpret it.
Also, to identify such messages going forward, a better solution is to use a transport rule that sends copies of such items (items that have internal and external recipients) to an auditing mailbox.

The following sample code works around this issue by using the EWS Managed API.

Note In this code sample, replace InternalDomain1.com, InternalDomain2.com, InternalDomain3.com with your internal domain names. These placeholders appear in three locations in the code.

Code sample
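
The post-processing step that Method 2 describes, as an added PowerShell example (not the article's own EWS Managed API sample): it assumes the recipient lists were already retrieved by a broader query and flags every item that has at least one external recipient, including mixed ones. The function names, the sample messages and the choice to treat subdomains as internal are assumptions.

```powershell
# Added example. Domain placeholders follow the article's note; sample messages are constructed.
$InternalDomains = @('InternalDomain1.com', 'InternalDomain2.com', 'InternalDomain3.com')

function Get-AddressDomain {
    param([string]$Address)
    # Only SMTP-shaped values yield a domain. Anything else (for example a
    # legacy Exchange DN that was never resolved to SMTP) returns $null.
    if ($Address -match '^[^@\s]+@([^@\s]+)$') { return $Matches[1].TrimEnd('.') }
    return $null
}

function Test-InternalDomain {
    param([string]$Domain, [string[]]$InternalDomains)
    foreach ($d in $InternalDomains) {
        # Exact match or a true subdomain (assumption: subdomains are internal).
        # A plain suffix or substring test would also accept look-alike names.
        if ($Domain -ieq $d -or $Domain.EndsWith(".$d", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RecipientScope {
    param([string[]]$Recipients, [string[]]$InternalDomains)
    $internal = 0; $external = 0; $unknown = 0
    foreach ($r in $Recipients) {
        $domain = Get-AddressDomain $r
        if ($null -eq $domain) { $unknown++ }
        elseif (Test-InternalDomain $domain $InternalDomains) { $internal++ }
        else { $external++ }
    }
    if ($external -gt 0 -and $internal -gt 0) { return 'Mixed' }
    if ($external -gt 0) { return 'ExternalOnly' }
    if ($unknown -gt 0 -or $internal -eq 0) { return 'Unresolved' }  # needs manual review
    return 'InternalOnly'
}

$messages = @(
    [pscustomobject]@{ Subject = 'Q3 plan';   Recipients = @('a@InternalDomain1.com', 'b@internaldomain2.com') }
    [pscustomobject]@{ Subject = 'Quote';     Recipients = @('buyer@partner.example') }
    [pscustomobject]@{ Subject = 'Contract';  Recipients = @('a@InternalDomain1.com', 'legal@partner.example') }
    [pscustomobject]@{ Subject = 'Lookalike'; Recipients = @('x@notInternalDomain1.com') }
    [pscustomobject]@{ Subject = 'Legacy DN'; Recipients = @('/o=Org/ou=Site/cn=Recipients/cn=user1') }
)

# Keep everything the KQL "NOT recipients" query was meant to find, plus items to review.
$messages |
    Select-Object Subject, @{ n = 'Scope'; e = { Get-RecipientScope $_.Recipients $InternalDomains } } |
    Where-Object { $_.Scope -ne 'InternalOnly' }
```

Items reported as Unresolved carry at least one recipient without an SMTP address and should be resolved or reviewed by hand before they are treated as internal.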

Method 3: Preventive monitoring

For identification of items that have internal and external recipients, create a transport rule that can send copies of such items to an auditing mailbox.

Status

Microsoft has confirmed that this is by design.

More Information

For more information about In-Place eDiscovery, go to the following Microsoft website:

For more information about KQL, go to the following Microsoft website:

Properties

Article ID: 2977178 – Last review: 2016-03-05 – Revision: 1
