Exchange 2013 Brief – In-place Hold

Executive Overview

In the event that potential litigation may occur, an organization is required to preserve any electronically stored information (ESI), including email that’s relevant to the case. In-Place Hold enables an administrator to search and preserve messages matching query parameters. Messages are protected from deletion, modification, and tampering and can be preserved indefinitely or for a specified period.

Notable Features

  • Users can be placed on one or multiple holds
  • Preserve deleted items
  • query-based searches
  • Transparent to users

Architecture/Components

In-place Hold enables an organization to configure a number of granular policies depending on the needs of a particular situation:

  • Indefinite hold:   This is intended to preserve mailbox items so you can meet eDiscovery requirements. During the period of litigation or investigation, items are never deleted. The duration is not known in advance, so no end date is configured. To hold all mail items indefinitely, you must not specify any query parameters or time duration when creating an In-Place Hold.
  • Query-based hold: If your organization requires that only items matching query parameters be preserved either indefinitely or for a specified duration, you can use a query-based In-Place Hold. You can specify query parameters such as keywords, start and end dates, sender and recipient addresses and message types. After you create a query-based In-Place Hold, all existing mailbox items matching the query and items created in the future, including messages received at a later date that match query parameters are preserved.
  • Time-based hold: Time-Place Hold allows you to specify a duration of time for which to hold items. The duration is calculated from the date a mailbox item is received or created.
  • Recoverable Items Folder: The recoverable items folder is a location in the user’s mailbox where items are sent to if they are not ‘hard deleted’. This folder contains the following subfolders:
    Deletions – Contains items removed from the Deleted Items folder or soft deleted from other folders and are visible to the user when using the Recover Deleted Items feature in Outlook and Outlook Web App. By default, items reside in this folder until the deleted item retention period configured for the mailbox database or the mailbox expires.
    Purges – When a user deletes an item from the Recoverable Items folder (by using the Recover Deleted Items tool in Outlook and Outlook Web App, the item is moved to the Purges folder. Items that exceed the deleted item retention period configured on the mailbox database or the mailbox are also moved to the Purges folder. Items in this folder aren’t visible to users if they use the Recover Deleted Items tool. When the mailbox assistant processes the mailbox, items in the Purges folder are purged from the mailbox database. When you place the mailbox user on litigation hold, the mailbox assistant doesn’t purge items in this folder.
    DiscoveryHold – If a user is placed on an In-Place Hold, deleted items are moved to this folder. When the mailbox assistant processes the mailbox, it evaluates messages in this folder. Items matching the In-Place Hold query are retained until the hold period specified in the query. If no hold period is specified, items are held indefinitely or until the user is removed from the hold.
    Versions – When a user who is placed on In-Place Hold or litigation hold, mailbox items must be protected from tampering or modification by the user or a process. This is accomplished using a copy-on-write. When a user or a process changes specific properties of a mailbox item, a copy of the original item is saved in the Versions folder before the change is committed. The process is repeated for subsequent changes. Items captured in the Versions folder are also indexed and returned in In-Place eDiscovery searches. After the hold is removed, copies in the Versions folder are removed by the Managed Folder Assistant.
  • Multiple hold behavior: It’s possible that a user can be placed on multiple holds at the same time. Exchange treats this condition by applying the search parameters of all in-place holds together using a logical OR operator. A special condition is reached where if a user in more than 5 in-place holds, all items are automatically held (this would improve efficiency)
  • User notification: Depending on your organization’s policies, a user may need to be informed when they are placed in hold. Exchange 2013 allows you to redirect a user to a web page based on a URL. Outlook 2010 displays this information in the backstage area.
  • Monitoring Mailbox Quotas: In Exchange 2013, the Recoverable Items folder has its own quota and therefore items in the Recoverable Items folder aren’t calculated toward the user’s mailbox quota. When a user exceeds the warning quota on recoverable items in the recoverable items folder (RecoverableItemsWarningQuota parameter default set to 20Gb) , an event is logged in the Application Event log of the Mailbox server. Once this quota is reached (RecoverableItemsQuota, default set to 30Gb), users won’t be able to empty the Deleted Items folder or permanently delete mailbox items, nor will copy-on-write won’t be able to create copies of modified items. It therefore is crucial to monitor the Recoverable Items quotas for mailbox users placed on In-Place hold.
  • Archived Lync Content: Exchange 2013 allows you to archive Lync Server 2013 content in Exchange, removing the requirement of a separate SQL Server database to store archived Lync content.  When you place an Exchange 2013 mailbox on In-Place Hold or litigation hold, Microsoft Lync 2013 content such as instant messaging conversations and files shared in an on-line meeting are archived in the mailbox. If you search the mailbox using the eDiscovery Center in Microsoft SharePoint 2013 or In-Place eDiscovery in Exchange 2013, any archived Lync content matching the search query is also returned in search results. To enable archiving of Lync content in Exchange 2013 mailbox, you must configure Lync 2013 integration with Exchange 2013. For more details, see the following topics:

Common Administrative Tasks

  1. Authorize users: Add users to the Discovery Management Role Based Access Control Group.
  2. Place a mailbox in hold: EAC or Powershell
    New-MailboxSearch “Hold-CaseId001” -SourceMailboxes “cheekymonkey@chimpcorp.com” -InPlaceHoldEnabled $true
  3. Remove an In-place hold:
    Set-MailboxSearch “Hold-CaseId001” -InPlaceHoldEnabled $false
    Remove-MailboxSearch “Hold-CaseId001”
  4. Notify a user who has been placed on hold:
    Place notification message in the mailbox user’s Retention Comment property and user the RedirectionURL property to link to a web page.
  5. Set a quota and warning quota for the Recoverable Items sub-folder.
    For an entire database: Set-MailboxDatabase – RecoverableItemsWarningQuota – RecoverableItemsQuota
    For a single mailbox: Set-Mailbox – RecoverableItemsWarningQuota – RecoverableItemsQuota

Top PowerShell Commands/Tools

– New/Set/Remove-MailboxSearch
– Set-Mailbox

References/Links

Technet article on In-place hold

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s