
Implementing Exchange Server 2010 Security : Configuring Compliance and Messaging Retention

8/9/2011 4:30:41 PM
To enhance your ability to comply with regulations related to messaging retention, protect personal information, and fulfill legal discovery requests for messaging records, Exchange supports the following:
  • Messaging Records Management Allows your organization to implement message retention policies. Messaging retention policies combine retention tags, retention policies, and autotagging. Mailbox folders and individual mail items use retention tags to apply retention settings. Users can use tags to mark folders or items for retention. A default tag associated with a retention policy applies to items not tagged manually by a user or to items in folders that do not have tags applied. Although users can use rules and default tags to automatically assign tags to incoming e-mail, autotagging allows Exchange to learn from users' tagging preferences and assign tags to incoming messages automatically. Users can manually override any automatically assigned tags.

  • Discovery Management Allows a user who is assigned the Discovery Management role to search mailbox content in selected mailboxes across an Exchange organization. The scope of the role assignment determines which mailboxes a user can search. Messages returned by the search are copied to a folder in the designated Discovery mailbox, which ensures compliance with legal discovery requirements and also allows authorized personnel to search message content for purposes such as internal investigations and messaging-policy compliance.

  • Transport Protection Rules Allows you to secure messaging content against unauthorized access and reviews by protecting e-mail messages and attachments. Transport Protection Rules apply rights management settings to messages in transport, determining which recipients can access a message and what actions recipients can perform. For example, a recipient might be permitted to view a message and attachments but not be permitted to print a message and attachments.

Other compliance features include the following:

  • Archive mailboxes

  • Journaling

  • Message classifications

  • Hold policy

Exchange Server 2010 implements messaging records management to help retain messaging content that your organization might need for business or legal reasons and to delete messages that are no longer needed. You specify the retention period and the types of messaging content that management settings should apply to. Messaging records management is configured globally for your Exchange organization and implemented on a per-server basis by enabling records management enforcement.

1. Understanding Message Retention Policies and Tags

Message retention policies replace managed folders as the preferred method for implementing messaging records management. For backward compatibility with existing records management implementations, you can use managed folders. A managed folder is simply a Microsoft Office Outlook folder to which you can apply retention policies. Exchange uses two types of managed folders: managed default folders and managed custom folders. Managed default folders include the standard folders available in Outlook. Managed custom folders are additional folders that you can create and deploy.

You work with managed folders in several ways. If you want to control the contents of managed folders, you can apply managed content settings. For example, you can apply managed content settings to the Inbox folder, specifying that Exchange Server should automatically delete or move the folder's contents to another folder after 90 days. Although managed default folders appear in Outlook automatically, managed custom folders do not. To add a managed custom folder to a mailbox, you must create a Managed Folder Mailbox policy that deploys the folder. You can use a single Managed Folder Mailbox policy to deploy multiple managed custom folders.

By automating records management, Exchange Server 2010 helps your organization comply with legal requirements while minimizing the impact on administrators. The process relies on users to classify their own messaging content and on automatic tagging. Users can file items by placing them in the managed folder that is appropriate for that type of content, or messaging content can be sorted into the appropriate folder by using rules and tagging. This ensures that messaging content is classified the way users intend and helps eliminate the mishandling of messaging content that can occur with completely automated messaging management solutions.

Managed folders are similar to the other folders in users' mailboxes except that users cannot remove, rename, or delete the folders after Exchange Server has deployed them. Exchange Server uses the retention policies you define to periodically process messaging content that users put in managed folders. You can configure retention policies by content age and by message type, and you can apply them to any of the folders in users' mailboxes. When messages reach a retention limit, Exchange Server can retain required messaging content and delete unneeded messaging content without requiring administrator intervention.

You can retain any messaging content that you want to keep by applying managed content settings that create journal copies of the content in another location. This can be any location with a Simple Mail Transfer Protocol (SMTP) e-mail address, including another Exchange mailbox.

You can configure Exchange Server to delete any messaging content that is no longer needed by specifying a deletion action. You can delete content permanently or delete it so that users can still recover it. You can also move content to a managed folder that is set up for user review prior to deletion, and you can mark content as expired in a user's mailbox in Outlook. This ensures that the user is prompted to take any required action.

When you apply managed content settings, you can also specify that messaging content should be journaled. A journal is an automatically forwarded copy of an item saved in an alternate location. Typically, you'll create journal copies of items in a mailbox specifically set up for this purpose. You can use journaling to help your organization meet additional compliance or regulatory requirements.


REAL WORLD Mailboxes can use either managed folders or retention tags, not both. If you no longer want to use managed folders for messaging records management, you can remove all records management settings from a Mailbox server by deleting managed custom folders and managed mailbox policies. When you remove all managed custom folders and all managed mailbox policies, the Managed Folder Assistant performs the following tasks the next time it runs for all mailboxes with records management enabled: removes mailbox policy settings from managed folders, removes empty managed custom folders, and converts managed custom folders that still contain items to standard folders. When you are sure the Managed Folder Assistant has run and completed the cleanup, you'll know managed folders are no longer being used.

Hold policy can help you recover accidentally deleted items and can also be used as part of retention. Previously, if a user wanted items that existed only in backups, you had to find the backup media that contains the data, find the items, and return them to the user. Exchange 2010 includes the Recoverable Items folder to make this process easier.

The Recoverable Items folder is the storage location in which items deleted from the Deleted Items folder are located until they're purged from the Mailbox database. With this folder and the hold policy that can be applied to it, Exchange can retain all deleted and modified data for a specified period of time, and you can recover items directly from it, streamlining an otherwise lengthy process.

When you are using the Search-Mailbox cmdlet, you can set the -SearchDumpster parameter to $true to search the Recoverable Items folder. With Set-Mailbox, you can set the -LitigationHoldEnabled parameter to $true to specify that a mailbox is under litigation hold and that its messages can't be deleted. After a mailbox is placed on litigation hold, deleted items and all versions of changed items are retained in the Recoverable Items folder. Items that are purged from the dumpster are also retained, and the items are held indefinitely.
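The hold-and-search workflow above, as an added example that is not part of the original text: it places a mailbox on litigation hold, confirms the hold took effect, reports what the Recoverable Items folder is retaining, and runs a Search-Mailbox that includes the dumpster, first as an estimate and then copying matches to the Discovery mailbox. The mailbox name, Discovery mailbox name and search query are assumed values, and -FolderScope RecoverableItems assumes Exchange 2010 SP1 or later.

```powershell
# Added example (not from the original text). Names and the search query are
# assumed values; -FolderScope RecoverableItems needs Exchange 2010 SP1 or later.

$mailbox          = "timj"
$discoveryMailbox = "Discovery Search Mailbox"   # assumed name of the target mailbox
$query            = 'Subject:"Project Falcon"'   # constructed sample query

# 1. Place the mailbox on litigation hold and record the reason users will see.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true `
    -RetentionComment "This mailbox is on hold for an internal review (placeholder text)."

# 2. Verify the hold actually took effect before relying on it.
$mb = Get-Mailbox -Identity $mailbox
if (-not $mb.LitigationHoldEnabled) {
    throw "Litigation hold is not enabled on $mailbox"
}
"Hold on $mailbox since $($mb.LitigationHoldDate) placed by $($mb.LitigationHoldOwner)"

# 3. Show what is being retained: the Recoverable Items folder and its subfolders.
Get-MailboxFolderStatistics -Identity $mailbox -FolderScope RecoverableItems |
    Format-Table Name, ItemsInFolder, FolderSize -AutoSize

# 4. Estimate how many items match, including items in Recoverable Items.
$estimate = Search-Mailbox -Identity $mailbox -SearchQuery $query `
    -SearchDumpster -EstimateResultOnly
"Estimated matches: $($estimate.ResultItemsCount)"

# 5. Copy the matching items to a review folder in the Discovery mailbox.
Search-Mailbox -Identity $mailbox -SearchQuery $query -SearchDumpster `
    -TargetMailbox $discoveryMailbox -TargetFolder "$mailbox-hold-review" `
    -LogLevel Full

# 6. Inventory every mailbox currently on litigation hold.
Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true } |
    Select-Object Name, LitigationHoldDate, LitigationHoldOwner, RetentionPolicy
```

The account running this needs the Discovery Management role for Search-Mailbox and the Legal Hold role for Set-Mailbox -LitigationHoldEnabled.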

2. Creating and Applying Retention Tags

You deploy retention tags by creating retention policy tags for default folders and then creating and applying retention policies to mailboxes. You work with retention tags and policies in the Exchange Management Shell. Keep the following in mind:

  • Commands for creating and working with retention policy tags include Get-RetentionPolicyTag, New-RetentionPolicyTag, Set-RetentionPolicyTag, and Remove-RetentionPolicyTag.

  • Commands for creating and working with retention policies include Get-RetentionPolicy, New-RetentionPolicy, Set-RetentionPolicy, and Remove-RetentionPolicy.

To create a retention policy tag, you use the Type parameter to specify a default folder that the retention policy tag applies to, as shown in this example:

New-RetentionPolicyTag "Managers-DeletedItems" -Type "DeletedItems" `
-MessageClass "AllMailboxContent" -RetentionEnabled $true `
-AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

Here, you configure retention for the DeletedItems folder. You also could have configured retention for Calendar, Contacts, Drafts, Inbox, JunkMail, Journal, Notes, Outbox, SentItems, Tasks, or All. The -MessageClass parameter specifies the type of item to retain, such as CallItems, Contacts, Documents, E-Mail, Faxes, Journal, MeetingRequest, MissedCall, Notes, Posts, Tasks, and Voicemail. Once the age limit has expired, the retention action is performed. Retention actions include MoveToDeletedItems, MoveToFolder, DeleteAndAllowRecovery, PermanentlyDelete, MarkAsRetentionLimit, and MoveToArchive.


PermanentlyDelete permanently deletes a message. A message that has been permanently deleted can't be recovered using the Recoverable Items folder. Permanently deleted messages are not returned in a Discovery search unless a litigation hold is enabled for the mailbox.

Retention policies contain retention tags with managed content settings and are applied to mailboxes to control retention. After you create your retention tags, you can specify the list of tags to associate with a retention policy, as shown in this example:

Set-RetentionPolicy -Identity ManagersRP `
-RetentionPolicyTagLinks "Managers-Default", "Managers-Inbox"

Because the list of tags you provide replaces any previous list of associated tags, you'll want to get any existing tags associated with the policy and append new tags as shown in this example:

# RetentionPolicyTagLinks is a multivalued property of tag identities;
# add each new tag's Identity to it rather than adding the tag objects together.
$tags = (Get-RetentionPolicy ManagersRP).RetentionPolicyTagLinks
$newtag1 = Get-RetentionPolicyTag Managers-Default
$newtag2 = Get-RetentionPolicyTag Managers-Inbox
$newtag3 = Get-RetentionPolicyTag Managers-DeletedItems
$tags.Add($newtag1.Identity)
$tags.Add($newtag2.Identity)
$tags.Add($newtag3.Identity)
Set-RetentionPolicy ManagersRP -RetentionPolicyTagLinks $tags

After you associate retention tags with retention policies, you'll want to apply retention policies to mailboxes using Set-Mailbox with the -RetentionPolicy parameter, as shown in this example:

Set-Mailbox "timj" -RetentionPolicy ManagersRP

You can also apply a retention policy to the current members of a specific distribution group, as shown in this example:

Get-DistributionGroupMember -Identity "Managers" | Set-Mailbox `
-RetentionPolicy ManagersRP

Autotagging automatically assigns retention tags to items in mailboxes based on a user's past tagging behavior. To use autotagging, a retention policy must be assigned to a mailbox. You can enable autotagging for a mailbox as shown in this example:

Set-MailboxComplianceConfiguration -Identity "timj" `
-RetentionAutoTaggingEnabled $true

You can also apply autotagging to the current members of a specific distribution group, as shown in this example:

Get-DistributionGroupMember -Identity "Managers" |
Set-MailboxComplianceConfiguration -RetentionAutoTaggingEnabled $true

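The whole deployment procedure in this section, as an added example that is not part of the original text: it creates the tags only if they are missing, creates the policy if needed, appends the tags to the policy's existing links (because -RetentionPolicyTagLinks replaces the whole list), applies the policy and autotagging to a group's mailbox members, and then verifies that every member actually received the policy. The tag, policy and group names and the age limits are assumed values.

```powershell
# Added example (not from the original text). Tag, policy and group names and
# the age limits are assumed values; adjust them for your organization.

$policyName = "ManagersRP"
$groupName  = "Managers"

# One tag per default folder plus a default tag (Type All) for untagged items.
$tagSpecs = @(
    @{ Name = "Managers-Default";      Type = "All";          Days = 730; Action = "MoveToArchive" },
    @{ Name = "Managers-Inbox";        Type = "Inbox";        Days = 365; Action = "MoveToDeletedItems" },
    @{ Name = "Managers-DeletedItems"; Type = "DeletedItems"; Days = 30;  Action = "PermanentlyDelete" }
)

# Create only the tags that do not already exist, so the script can be rerun safely.
foreach ($spec in $tagSpecs) {
    if (-not (Get-RetentionPolicyTag -Identity $spec.Name -ErrorAction SilentlyContinue)) {
        New-RetentionPolicyTag -Name $spec.Name -Type $spec.Type `
            -MessageClass "AllMailboxContent" -RetentionEnabled $true `
            -AgeLimitForRetention $spec.Days -RetentionAction $spec.Action | Out-Null
    }
}

# Create the policy if needed, then append tags: -RetentionPolicyTagLinks replaces
# the entire list on every call, so start from the links already present.
$policy = Get-RetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) { $policy = New-RetentionPolicy -Name $policyName }
$links  = $policy.RetentionPolicyTagLinks
$linked = @($links | ForEach-Object { $_.Name })
foreach ($spec in $tagSpecs) {
    if ($linked -notcontains $spec.Name) {
        $links.Add((Get-RetentionPolicyTag -Identity $spec.Name).Identity)
    }
}
Set-RetentionPolicy -Identity $policyName -RetentionPolicyTagLinks $links

# Apply the policy to the group's current mailbox members and turn on autotagging.
$members = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq "UserMailbox" }
$members | Set-Mailbox -RetentionPolicy $policyName
$members | Set-MailboxComplianceConfiguration -RetentionAutoTaggingEnabled $true

# Verify: report any member whose mailbox still lacks the policy.
$missing = $members | Get-Mailbox |
    Where-Object { -not $_.RetentionPolicy -or $_.RetentionPolicy.Name -ne $policyName }
if ($missing) {
    "Mailboxes without $policyName:"
    $missing | Select-Object Name, RetentionPolicy
} else {
    "All $(@($members).Count) member mailboxes have $policyName"
}
```

Because the policy is applied only to the group's members at the time the script runs, rerun it (or apply the policy in your provisioning process) when membership changes.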
If you want to temporarily suspend processing of retention policies for a mailbox, such as when a user is on vacation or maternity leave, you can place the mailbox on retention hold. To do this in the Exchange Management Console, double-click the user's mailbox to open the related Properties dialog box. On the Mailbox Settings tab, double-click Messaging Records Management. Select Enable Retention Hold For Items In This Mailbox. Optionally, set a start date and an end date for the retention hold. Click OK to save your settings.

3. Applying Records Management to a Mailbox Server

After you've configured records management for your organization and applied policies to user mailboxes, you can begin managing records on the individual Mailbox servers in your organization. In Exchange Server 2010, the Managed Folder Assistant is responsible for applying records management settings. The Assistant does the following:

  • Creates the necessary managed custom folders in user mailboxes

  • Moves or removes items according to their retention settings

  • Creates journal items in mailboxes in other locations

Each Mailbox server in your organization has a Managed Folder Assistant that runs according to a schedule you specify. It attempts to process all the mailboxes on a server in the specified amount of time. If it does not finish during the allotted time, it resumes processing where it left off the next time it runs.

In the Exchange Management Console, you can enable records management and schedule the Managed Folder Assistant to run by completing the following steps:

  1. In the Exchange Management Console, expand the Server Configuration node, and then select the related Mailbox node.

  2. Right-click the Mailbox server you want to configure, and then select Properties. In the Properties dialog box, click the Messaging Records Management tab.

  3. Select Use Custom Schedule from the list, and then click Customize.

  4. In the Schedule dialog box, select the times and days during which you want the Managed Folder Assistant to run. Click OK to close the Schedule dialog box, and then click OK to close the server's Properties dialog box.

In the Exchange Management Console, you can disable records management by completing the following steps:

  1. In the Exchange Management Console, expand the Server Configuration node, and then select the related Mailbox node.

  2. Right-click the Mailbox server you want to configure, and then select Properties.

  3. In the Properties dialog box, click the Messaging Records Management tab.

  4. In the Start Messaging Records Management Enforcement Process list, select Never. Click OK.

In the Exchange Management Shell, you can enable and disable records management by using the -ManagedFolderAssistantSchedule parameter of the Set-MailboxServer cmdlet. Example 1 provides the syntax and usage. Note that it is easiest to schedule run times using a 24-hour clock.

Example 1. Enabling and disabling records management

Set-MailboxServer -Identity 'ServerIdentity' `
-ManagedFolderAssistantSchedule 'Schedule'

Usage for enabling records management

Set-MailboxServer -Identity 'CorpSvr127' `
-ManagedFolderAssistantSchedule 'Sun.01:00-Sun.05:00'

Usage for disabling records management

Set-MailboxServer -Identity 'CorpSvr127' `
-ManagedFolderAssistantSchedule $null

In the Exchange Management Shell, you can manually start and stop records management by using the Start-ManagedFolderAssistant and Stop-ManagedFolderAssistant cmdlets, respectively. When you start the assistant manually, any current processing of mailboxes stops, and the assistant reprocesses all mailboxes on the server. Example 2 provides the syntax and usage.

Example 2. Starting and stopping records management manually

Start-ManagedFolderAssistant -Identity 'ServerIdentity'

Stop-ManagedFolderAssistant -Identity 'ServerIdentity'
Start-ManagedFolderAssistant -Identity 'CorpSvr127'