In Exchange Server 2010 Native Data Protection - Part 1 we discussed Email Item Retention. This feature allows us to recover items as long as they have not been deleted from the Recoverable Items folder. Once removed, the user is no longer able to access deleted items.
On top of that, Exchange 2010 provides us with another layer of protection known as Single Item Recovery. If it is enabled, and the appropriate permissions are assigned, we have another opportunity for restoring deleted items.
Single item recovery is enabled using the Exchange Management Shell cmdlet:
Set-Mailbox -Identity "Vladimir Meloski" -SingleItemRecoveryEnabled $True
Note: This feature cannot be enabled from the Exchange Management Console.
Next assume we deleted an email item from our mailbox, deleted the same item from the Deleted Items folder, and also deleted the item from the Recoverable Items folder, as shown below:
From this point on, the user is no longer able to access the item. In order to restore it, we should first perform a multi-mailbox search. We do this from the Exchange Management Shell or the OWA Exchange Control Panel, but not from the Exchange Management Console.
Discovery Management Role Group
In order to perform the search, we need appropriate permissions. These permissions are assigned by adding our user account to the Discovery Management role group. By default, no user has these permissions, which means that users and administrators do not have permissions to search other users' mailboxes. Therefore we will create a new user account named RestoreUser.
Permissions can be assigned from the Exchange Control Panel (ECP) or the Exchange Management Shell. We will first show how to assign the permissions using the ECP.
- At the Exchange Management Console expand Toolbox, and double-click Role Based Access Control (RBAC) User Editor to open the ECP. Log on using an account having permissions to open the RBAC User Editor, such as Administrator.
- Click on Administrator Roles, then double-click the Discovery Management role group, as shown:
- Next we will add the RestoreUser we created previously as a member:
Alternatively the permissions could be assigned using the Exchange Management Shell cmdlet:
Add-RoleGroupMember "Discovery Management" -Member RestoreUser
Restoring an email item using Single Item Recovery
Once RestoreUser has the appropriate permissions, we can proceed with searching the mailbox and recovering the item of interest. This can be performed using either the ECP or the Exchange Management Shell.
In this procedure, the mailbox being searched is referred to as the Source Mailbox. The mailbox where items are restored is the Target Mailbox. The search process requires that we enter the search criteria needed to identify the item to be restored.
First we will see how to search and recover through the ECP interface, where we will be logged on as RestoreUser. At the ECP select Mail Control, then click on New in order to open the New Mailbox Search window:
In the New Mailbox Search window, we can choose from different search criteria. In our example, we will enter the sender "IT Manager", and the mailbox that will be searched, "Vladimir Meloski".
In the same window we should specify a search name, for example "Deleted message from IT Manager", as well as the destination mailbox, by default the Discovery Search Mailbox. It is also recommended to select the option 'Send me an e-mail when the search is done', since the search might take a long time. The lower part of the same window is shown in the picture below:
Once the search has completed successfully, the following window will be displayed, containing the search name, the search status, and the number and size of items discovered.
We can open the discovered message by clicking Open, which will redirect us to a new window, opening the Discovery Search Mailbox in OWA, as shown:
Finally we have recovered the message, located at the target mailbox, which by default is the Discovery Search Mailbox.
We can also search for the message using the Exchange Management Shell:
Search-Mailbox "Vladimir Meloski" -SearchQuery "from:'IT Manager'" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "Deleted message from IT Manager" -LogLevel Full
Restoring the deleted item can be performed using the cmdlet:
Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'IT Manager'" -TargetMailbox "Vladimir Meloski" -TargetFolder "Recovered Items" -LogLevel Full
Note: In order to run the Search-Mailbox cmdlet, the user must have the Mailbox Import Export role assigned. This role assignment can be performed from the Exchange Control Panel or Exchange Management Shell.
Once we complete this cmdlet, the mailbox content of the user will have the deleted item restored, as shown in the picture that follows:
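The following Exchange Management Shell sequence is an added example, not part of the original article. It checks the source mailbox before a recovery, assigns the Mailbox Import Export role from the shell, previews the search without copying anything, and lists which accounts can search and copy other users' mail. The mailbox and account names are the ones used in the article; matching role holders to role group members by name is a simplifying assumption.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
# "Vladimir Meloski" and RestoreUser are the names used in the article.
$source = "Vladimir Meloski"

# 1. Confirm Single Item Recovery is enabled and note the retention window.
Get-Mailbox -Identity $source |
    Format-List Name, SingleItemRecoveryEnabled, RetainDeletedItemsFor

# 2. Show what currently sits in the Recoverable Items folder and its subfolders.
Get-MailboxFolderStatistics -Identity $source -FolderScope RecoverableItems |
    Format-Table Name, ItemsInFolder, FolderAndSubfolderSize -AutoSize

# 3. Give RestoreUser the role that Search-Mailbox requires.
#    RestoreUser must open a new shell session before the cmdlet becomes available.
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User RestoreUser

# 4. Preview the search: -EstimateResultOnly reports the number and size
#    of matching items and copies nothing to any target mailbox.
Search-Mailbox -Identity $source -SearchQuery "from:'IT Manager'" -EstimateResultOnly

# 5. Review who can search and copy other users' mail.
#    Assumption: names are compared as plain strings, so treat the
#    InDiscoveryManagement column as a pointer for manual review.
$discovery = @(Get-RoleGroupMember "Discovery Management" |
    ForEach-Object { $_.Name })

Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName,
        @{ Name = "InDiscoveryManagement"
           Expression = { $discovery -contains $_.EffectiveUserName } } |
    Sort-Object EffectiveUserName -Unique |
    Format-Table -AutoSize
```

Accounts that appear in step 5 with both privileges can read and export content from any mailbox, so that list is worth reviewing after each recovery and removing RestoreUser from when the access is no longer needed.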
Conclusion
Single Item Recovery enables us to protect email items from accidental or intentional deletion. In this article we recovered an item without using any backup. In addition, depending on the scenario, restore time using Exchange Native Data Protection is considerably shorter compared to traditional backup and restore procedures.