I'm trying to perform a MailboxSearch on my singular Journaling Mailbox.  

I'm trying to extract all e-mails TO or FROM "joe.smith", but as we know, the Journaling Mailbox stores the original e-mails as attachments.

Fortunately, the "actual e-mail" in the Journaling Mailbox has a body which contains meta-data, including the attached e-mails FROM and TO.

I think it's safe to assume I can search the Journaling Mailbox for any e-mail with:

Body containing "Sender: Joe.Smith" OR "Recipient: Joe.Smith"

...but my AQS for the SearchQuery parameters must be incorrect because I never get proper results, if any.

Is my assumption correct, and what is the proper SearchQuery (AQS) for this?

1. FYI the TO, FROM, CC and BCC information are not in the body they are in the Message Header

2. Check out this https://technet.microsoft.com/en-us/library/dd298064%28v=exchg.150%29.aspx

3. This is a 2010 post that should help as well https://social.technet.microsoft.com/forums/exchange/en-US/636b8da5-7243-46a8-ace9-841b50aa6fe3/discovery-mailbox-search-limitation

3. You may want to consider using the in-place eDiscovery & Hold option https://technet.microsoft.com/en-us/library/dd298021%28v=exchg.150%29.aspx

4. If you want something more graphical and the ability to search the Production version of the Journal OR an offline copy check out our DigiScope product http://www.lucid8.com/product/digiscope.asp

Regarding your item #1, what you're saying is true; however in the case of a Journal, the body also contains TO and FROM as actual text data in the body of the e-mail.  The Journal'ed e-mail is then an attachment.

The attached e-mail's headers will of course also have that data, as per norm.   However, New-MailboxSearch will not search attachment contents, that I can see.

• Edited by Button Master 10 hours 9 minutes ago

OK so have you opened one of the emails that should be producing a hit and look at the source of the document to see how the TO, FROM is being represented under the sheets?  Could be that you need to use the users full email address as represented within the email source

Regarding your item #1, what you're saying is true; however in the case of a Journal, the body also contains TO and FROM as actual text data in the body of the e-mail.  The Journal'ed e-mail is then an attachment.

The attached e-mail's headers will of course also have that data, as per norm.   However, New-MailboxSearch will not search attachment contents, that I can see.

• Edited by Button Master Wednesday, May 20, 2015 9:19 PM

Regarding your item #1, what you're saying is true; however in the case of a Journal, the body also contains TO and FROM as actual text data in the body of the e-mail.  The Journal'ed e-mail is then an attachment.

The attached e-mail's headers will of course also have that data, as per norm.   However, New-MailboxSearch will not search attachment contents, that I can see.

• Edited by Button Master Wednesday, May 20, 2015 9:19 PM

Hi Button,

Is there any update on this thread?

Best regards,

I had exact same problem and i tried a lot of things but ended up something like below which helped me.

In your traget folder where you going to restore this mails create 2 folder Fromuser and To user and run below query.

Search-Mailbox -Identity "Journal mailbox" -SearchQuery "To:'user@domain.com'" -TargetMailbox "Targetmailbox" -TargetFolder ToUser

Search-Mailbox -Identity "Journal mailbox" -SearchQuery "from:'user@domain.com'" -TargetMailbox "Targetmailbox" -TargetFolder FromUser