Documentation Version: er2.0.26-docs-1.1

Exchange Domain

The Exchange Domain Target allows you to scan mailboxes and mailbox Groups by specifying the domain on which the mailboxes reside on.

To scan a Microsoft Exchange server directly, see Microsoft Exchange (EWS) for more information.

This section covers the following topics:

Minimum Requirements

Requirements Description
Proxy Agent
  • Windows Proxy Agent.
  • Agent type (32-bit or 64-bit) must match the Exchange Server.
  • The Agent host must be able to contact the Domain controller.
Exchange Server

Exchange Server 2007 and above.

Service Account

The account used to scan Microsoft Exchange mailboxes must:

  • Have a mailbox on the target Microsoft Exchange server.
  • Be a service account assigned the ApplicationImpersonation management role. See Configure Impersonation for more information.

To Add an Exchange Domain

  1. From the New Search page, Add Targets.
  2. In the Select Target Type dialog box, select Exchange Domain.
  3. Fill in the fields as follows:

    Field Description

    Enter a domain to scan mailboxes that reside on that domain. This is usually the domain component of the email address, or the Windows Domain.

    Credential Label

    Enter a descriptive label for the credential set.

    Username Enter your service account user name.
    Password Enter your service account password.
    Agent to act as proxy host Select a Windows Proxy Agent.
  4. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  5. Click Commit to add the Target.
  6. Back in the New Search page, locate the newly added Exchange Domain Target and click on the arrow next to it to display a list of available mailbox Groups. Expand a Group to see a list of mailboxes that belong to that Group.
  7. Select Groups or mailboxes to add them to the "Selected Locations" list.
  8. (Optional) You can add a location manually by selecting + Add New Location at the bottom of the list, clicking Customise and entering <Group/User Display Name> in the Exchange Domain field.
  9. Click Next to continue setting up your scan.

Scan Additional Mailbox Types

The following additional mailbox types are supported:

To scan the above supported mailbox types, use a service account with "FullAccess" rights to the target mailbox.

Adding "FullAccess" privileges to an existing user account may cause issues with existing user configuration. To avoid this, create a new service account and use it only for scanning Exchange shared mailboxes with ER2.

The following sections contain instructions on how to grant "FullAccess" permissions for each mailbox type:

Changes may not be immediate. Wait 15 minutes before starting a scan on the exchange server.

Once the service account is granted access to the target mailboxes, follow the instructions above to add the shared mailbox as a Target.

Linked mailboxes as service accounts

You cannot use a linked master account (the owner of a linked mailbox) to scan Exchange Targets in ER2. To successfully scan an Exchange Target, use a service account that resides on the same AD forest as the Exchange Target.

Shared Mailboxes

To grant a service account "FullAccess" rights to shared mailboxes, run the following commands in the Exchange Management Shell:

Linked Mailboxes

To grant a service account "FullAccess" rights to linked mailboxes, run the following commands in the Exchange Management Shell:

Mailboxes associated with disabled AD user accounts

To grant a service account "FullAccess" rights to mailboxes associated with disabled AD user accounts, run the following commands in the Exchange Management Shell:

Archive Mailbox and Recoverable Items

Requirements: Exchange Server 2010 SP1 and newer.

When enabled for a user mailbox, the Archive mailbox and the Recoverable Items folder can be added to a scan:

By default, adding a user mailbox to a scan also adds the user's Archive mailbox and Recoverable Items folder to the scan.

To add only the Archive mailbox or Recoverable Items folder to the scan:

  1. Configure impersonation for the associated user mailbox. See Configure Impersonation for more information.

  2. Add the Exchange Target to the scan.
  3. In the Select Locations page, expand the added Exchange Target and browse to the Target mailbox.
  4. Expand the target mailbox, and select (ARCHIVE) or (RECOVERABLE).

Unsupported Mailbox Types

ER2 currently does not support the following mailbox types:

Not mailboxes

The following are not mailboxes, and are not supported as scan locations:

  • All distribution groups.
  • Mail users or mail contacts.
  • Public folders.

Configure Impersonation

To scan a Microsoft Exchange mailbox, you can:

While it is possible to assign a global administrator the ApplicationImpersonation management role and use it to scan mailboxes, we recommend using a service account instead.

Service accounts are user accounts set up to perform administrative tasks only. Because of the broad permissions granted to service accounts, we recommend that you closely monitor and limit access to these accounts.

Assigning a service account the ApplicationImpersonation role allows the account to behave as if it were the owner of any account that it is allowed to impersonate. ER2 scans those mailboxes using permissions assigned to that service account.

To assign a service account the ApplicationImpersonation role for all mailboxes:

  1. On the Exchange Server, open the Exchange Management Shell and run as administrator:

    # <impersonationAssignmentName>: Name of your choice to describe the role assigned to the service account.
    # <serviceAccount>: Name of the Exchange administrator account used to scan EWS.
    New-ManagementRoleAssignment –Name:<impersonationAssignmentName> –Role:ApplicationImpersonation –User:<serviceAccount>

(Advanced) To assign the service account the ApplicationImpersonation role for a limited number of mailboxes, apply a management scope when making the assignment.

To assign a service account the ApplicationImpersonation role with an applied management scope:

  1. On the Exchange Server, open the Exchange Management Shell as administrator.
  2. Create a management scope to define the group of mailboxes the service account can impersonate:

    New-ManagementScope -Name <scopeName> -RecipientRestrictionFilter <filter>

    For more information on how to define management scopes, see Microsoft: New-ManagementScope.

  3. Apply the ApplicationImpersonation role with the defined management scope:

    New-ManagementRoleAssignment –Name:<impersonationAssignmentName> –Role:ApplicationImpersonation –User:<serviceAccount> -CustomRecipientWriteScope:<scopeName>

Mailbox in Multiple Groups

If a mailbox is a member of multiple Groups, it is scanned each time a Group it belongs to is scanned. Mailboxes that are members of multiple Groups still consume only one mailbox license, no matter how many times it is scanned as part of a separate Group.

User mailbox "A" belongs to Groups "A1",and "A2". When Groups "A1" and "A2" are added to the same scan, user mailbox "A" is scanned once when Group "A1" is scanned, and a second time when Group "A2" is scanned. Mailbox "A" consumes only one mailbox license despite having been scanned twice.