Monthly Archives: July 2013

Ediscovery

Performing Discovery on a mailbox in Exchange 2010 is performed in 4 steps:

1)  Set permissions to perform the search

2)  Set permissions to view the search results

3)  Perform the search

4)  View the results


1)  Set permissions to perform the search

Login to the Exchange Control Panel as an Exchange Administrator

Select Roles and Auditing

Select Discovery Management and click Details

In the Members: section, click Add…

Select the member you wish to give permissions to create the search, and click OK

Click Save


2) Set permissions to view the search results

Open the Exchange Management Console.  Right click the Discovery Search Mailbox and select Manage Full Access Permission…

Click Add…

Select the user you want to be able to view the results of the search, and click OK

Click Manage

Click Finish


3) Perform the search

Log into Outlook Web Access as a user with permission to perform the search

Select Options, and select See all Options…

Select Options Manage Myself and select My Organization

Select Mail Control and select Discovery

Click New

Type in the search query.  In this example we are looking for instances of the word ‘passcode’.

Tick Include items that can’t be searched

click Select message types…

Tick Search all

Expand Mailboxes to Search and select the mailboxes required, or select Search all mailboxes

Expand Search Name, Type and Storage Location.  Enter a Search Name and either select Estimate the search results (used to indicate size requirements) or Copy the search results to the destination mailbox.  Untick Enable deduplication.

Click Browse

Choose the mailbox to copy the results to, and click OK

Click Save to start the search

Wait for the search to finish – Refresh if necessary


4) View the results

Once the search is finished, logon to a workstation as a person with permission to view the Discovery Search Mailbox and open Outlook.

Open the Discovery Search Mailbox.

In this example we can see ‘Corey’ send ‘Omar’ an email with the word ‘passcode’

List Workstations and Last Logon Time from AD using Powershell

This will list computers and Last Logon Times from AD:
import-module ActiveDirectory
$dcs = Get-ADComputer -Filter { OperatingSystem -NotLike ‘*Server*’ } `
    -Properties OperatingSystem
foreach($dc in $dcs) { `
    Get-ADComputer $dc.Name -Properties lastlogontimestamp | `
    Select-Object @{n=”Computer”;e={$_.Name}}, @{Name=”Lastlogon”; `
    Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}
}

References: http://stackoverflow.com/questions/16965355/get-last-logon-time-computer-and-username-together-with-powershell
http://blogs.technet.com/b/askds/archive/2010/02/04/inventorying-computers-with-ad-powershell.aspx