30 Jun 2013

Find Mailboxes on Litigation Hold or In-Place Hold

Posted by Juergen

Sometimes companies do not want that a user is aware that his mailbox is put on hold, and they do not want that users are able to see which other mailboxes are on hold.

By default, this is not the case. An Exchange administrator can use the following two commands to list all mailboxes in the Exchange organization that are on litigation hold or included in an in-place hold.

Get-mailbox -Filter { LitigationHoldEnabled -eq $true } | fl name, LitigationHold*, InPlace*

Get-Mailbox | Where-Object { $_.InplaceHolds -ne $null } | fl name, LitigationHold*, InPlace*

A user can use Remote PowerShell to check whether his mailbox is on hold.

Get-mailbox | fl name, LitigationHold*, InPlace*

clip_image002

Exchange Server 2010 litigation hold and the “legacy” litigation hold in Exchange Server 2013 are using the AD user attributes msExchLitigationHoldDate and msExchLitigationHoldOwner to store information about litigation hold.

Exchange Server 2013 in-place hold is using the AD user attribute msExchUserHoldPolicies.

Default security in AD allows authenticated users read access to all attributes. This enables a user to use a LDAP browser to search for users in AD with a mailbox put on hold. Therefore, a user is not only able to verify whether his mailbox is on hold, he is also able to find other users with a mailbox on hold. One of my customer rated this as a security breach.

clip_image004

I am going to investigate whether it is possible to hide this information and if this would be a supported configuration.

Comments are closed.

  • Browse

    or
  • Calendar

    November 2024
    M T W T F S S
     123
    45678910
    11121314151617
    18192021222324
    252627282930  
  • Tag Cloud

  • Categories