How to remove/delete email sent to wrong user(s) using Search-mailbox cmdlet

I recently came across a situation where a confidential email was mistakenly sent to the wrong users. I was asked to find a way to delete the email. I knew I could use the Search-Mailbox cmdlet since this is an Exchange 2010 deployment, but totally forgot I had to configure a role assignment before this could work.

The following steps enabled me to accomplish this task:

1) First I had to identify the Exchange management role that’s required to import, export or delete content from a mailbox. This would be the Mailbox Import Export Role.

[PS] C:\Windows\system32>Get-ManagementRole -RoleType MailboxImportExport

Name                     RoleType
----                     --------
Mailbox Import Export    MailboxImportExport

2) The next step involves assigning this role to the Exchange admin user or security group that needs to perform the task. I had to do this because, by default, this Exchange 2010 role is not assigned to any user or group. As a result, the DeleteContent parameter needed to accomplish the task is disabled. I verified this by running the following command:


Running this cmdlet the first time, I realized the DeleteContent parameter was missing.

3) In the next step, I assigned the management role to the Exchange admin account used to perform this task. You could also create a security group and assign the role to this new group:


Assigning the role to this user will enable permissions for the DeleteContent parameter for the Search-Mailbox cmdlet.

4) The following command queries the source mailbox for any mail item whose subject contains the specified keywords. The result is logged and copied to a target mailbox and target folder:

Search-Mailbox -Identity testuser -SearchQuery "Subject: 'Spam'" -TargetMailbox administrator -LogOnly -LogLevel full -TargetFolder SearchandDeleteLog

The result of this command told me the email item was present in the source mailbox. I went ahead and used the DeleteContent parameter to remove/delete the email.

Search-Mailbox -Identity testuser -SearchQuery "Subject: 'Spam'" -DeleteContent

DeleteContent is a switch parameter and therefore does not need a value.

You could run the command against a group of users using the following code:

[PS] C:\>$users = Get-DistributionGroupMember -Identity "Accounting"
[PS] C:\>$users | %{Search-Mailbox -Identity $_.Name -SearchQuery "Subject: 'Spam'" -DeleteContent}
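The group-wide cleanup above can be made safer by running the log-only pass from step 4 first and deleting only from mailboxes that actually returned hits. The following is an added example, not code from the original post; the function name Remove-MisdirectedMail and its parameters are hypothetical, and it assumes it is run from the Exchange Management Shell.

```powershell
# Added example: two-pass purge (log first, then delete) for one distribution group.
# Remove-MisdirectedMail and its parameter names are hypothetical.
function Remove-MisdirectedMail {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $SearchQuery,
        [Parameter(Mandatory = $true)] [string] $LogMailbox,
        [string] $LogFolder = 'SearchandDeleteLog'
    )

    # Without the Mailbox Import Export role, RBAC hides -DeleteContent from the session.
    if (-not (Get-Command Search-Mailbox).Parameters.ContainsKey('DeleteContent')) {
        throw 'DeleteContent is unavailable: assign the Mailbox Import Export role and reopen the shell.'
    }

    # Distribution groups can hold contacts and nested groups; keep user mailboxes only.
    $members = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' }

    foreach ($m in $members) {
        $id = $m.Identity.ToString()

        # Pass 1: log-only search, leaving a record in the log mailbox.
        $hit = Search-Mailbox -Identity $id -SearchQuery $SearchQuery `
            -TargetMailbox $LogMailbox -TargetFolder $LogFolder -LogOnly -LogLevel Full

        # Skip mailboxes where the message was not found.
        if (-not $hit -or $hit.ResultItemsCount -eq 0) { continue }

        # Pass 2: delete only where pass 1 found items. -Force suppresses the
        # cmdlet's own prompt because ShouldProcess has already asked.
        if ($PSCmdlet.ShouldProcess($id, "Delete $($hit.ResultItemsCount) item(s)")) {
            Search-Mailbox -Identity $id -SearchQuery $SearchQuery -DeleteContent -Force |
                Select-Object Identity, ResultItemsCount, Success
        }
    }
}

# Dry run with the values used in this post: logs hits, deletes nothing.
Remove-MisdirectedMail -Group 'Accounting' -SearchQuery "Subject: 'Spam'" `
    -LogMailbox 'administrator' -WhatIf
```

Drop -WhatIf to be prompted per mailbox before each deletion.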
