我正在使用Office 365的安全与合规中心来执行合规性搜索,并使用软删除删除违规电子邮件。完成后,我会执行相同的搜索以确认电子邮件已删除,但看到相同数量的搜索查询结果。这是因为软删除会将电子邮件移动到"可恢复的项目"文件夹。我的问题是,如何在排除"可恢复的项目"文件夹的同时创建New-ComplianceSearch?
更新马修在下面为我指出了正确的方向。使用此处(和下面的(脚本,您可以获取指定邮箱的"删除"、"可恢复的项目"和"清除"文件夹的文件夹 ID:
# Collect the target email address
$addressOrSite = Read-Host "Enter an email address"
# Authenticate with Exchange Online and the Security & Complaince Center (Exchange Online Protection - EOP)
if (!$credentials)
{
$credentials = Get-Credential
}
if ($addressOrSite.IndexOf("@") -ige 0)
{
# List the folder Ids for the target mailbox
$emailAddress = $addressOrSite
# Authenticate with Exchange Online
if (!$ExoSession)
{
$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid/ -Credential $credentials -Authentication Basic -AllowRedirection
Import-PSSession $ExoSession -AllowClobber -DisableNameChecking
}
$folderQueries = @()
$folderStatistics = Get-MailboxFolderStatistics $emailAddress
foreach ($folderStatistic in $folderStatistics)
{
$folderId = $folderStatistic.FolderId;
$folderPath = $folderStatistic.FolderPath;
$encoding= [System.Text.Encoding]::GetEncoding("us-ascii")
$nibbler= $encoding.GetBytes("0123456789ABCDEF");
$folderIdBytes = [Convert]::FromBase64String($folderId);
$indexIdBytes = New-Object byte[] 48;
$indexIdIdx=0;
$folderIdBytes | select -skip 23 -First 24 | %{$indexIdBytes[$indexIdIdx++]=$nibbler[$_ -shr 4];$indexIdBytes[$indexIdIdx++]=$nibbler[$_ -band 0xF]}
$folderQuery = "folderid:$($encoding.GetString($indexIdBytes))";
$folderStat = New-Object PSObject
Add-Member -InputObject $folderStat -MemberType NoteProperty -Name FolderPath -Value $folderPath
Add-Member -InputObject $folderStat -MemberType NoteProperty -Name FolderQuery -Value $folderQuery
$folderQueries += $folderStat
}
Write-Host "-----Exchange Folders-----"
$folderQueries |ft
}
然后,您可以使用这些文件夹 ID 从搜索中删除文件夹。例如:
New-ComplianceSearch -Name test123 -ExchangeLocation user@mycompany.com -ContentMatchQuery "subject:'some subject' AND NOT ((folderid:3F4BE1AEF6C6BB45B8F8EEFE472A7E5C0000000001130000) OR (folderid:3F4BE1AEF6C6BB45B8F8EEFE472A7E5C0000000001140000) OR (folderid:3F4BE1AEF6C6BB45B8F8EEFE472A7E5C0000000001160000))"
从安全与合规中心中排除文件夹的关键是 FolderID 属性。 您可以在此站点上找到有关此属性和其他属性的文档:
https://support.office.com/en-us/article/Keyword-queries-and-search-conditions-for-Content-Search-c4639c2e-7223-4302-8e0d-b6e10f1c3be3?ui=en-US&rs=en-US&ad=US
如果在该链接中搜索"文件夹 ID",则会找到另一个指向有关如何获取特定邮箱的文件夹 ID 的文档的链接,包括用于执行此操作的 PowerShell 代码。 该链接是:
https://support.office.com/en-us/article/Use-Content-Search-in-Office-365-for-targeted-collections-e3cbc79c-5e97-43d3-8371-9fbc398cd92e?ui=en-US&rs=en-US&ad=US#step1
您正在尝试执行的操作,排除可恢复的项目,实际上涉及排除四个单独的文件夹:
/Recoverable Items
/Deletions
/Purges
/Versions
其中每个文件夹都有一个关联的文件夹 ID。 以上面第二个链接中的值为例...
/Recoverable Items folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001140000
/Deletions folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001150000
/Purges folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001170000
/Versions folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001160000
。您可以将以下内容附加到关键字搜索中,以排除这些文件夹:
NOT ((folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001140000) OR (folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001150000) OR (folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001170000) OR (folderid:FDB58AF45BAF2F4A8CFD98F5396C6EB0000000001160000))
当然,您必须从要执行此操作的每个邮箱中检索这四个文件夹的实际值。 另请注意,排除文件夹不会排除其子文件夹...您需要对要排除或包含的每个文件夹和每个子文件夹使用 FolderID 值。
希望这有帮助!