When an email is deleted, where does it go? It goes to the Deleted Items folder.
When the deleted items folder is emptied, where does it go? It goes to a hidden folder called deletions. The duration that deleted items remain in this folder is based on the deleted item retention settings configured for the mailbox database or the mailbox. By default, a Exchange 2010 mailbox database is configured to retain deleted items for 14 days, and the recoverable items warning quota and recoverable items quota are set to 20 gigabytes (GB) and 30 GB respectively. These are configurable settings with Exchange on-premise:
http://technet.microsoft.com/en-us/library/ee364752.aspx
With Exchange Online, Plan 2, you can increase this from 14 to 30 days. The Recoverable Items folder does not count against the user’s primary mailbox.
http://jorgerdiaz.wordpress.com/2012/07/19/office-365-changes-legal-hold-and-single-item-recovery/
Note: These items can still be recovered by the end-user by highlighting the folder and clicking ‘Recover Deleted Items.’
When this recoverable items folder is purged, where do those emails go?
It depends on whether single-item recovery has been enabled on the mailbox. When Single-item recovery is enabled on a mailbox and the recoverable items folder is emptied, these items remain in a hidden folder that the user cannot alter in any way: Recoverable Items\Purges.
Two mechanisms can be used to configure Single Item Recovery in Exchange 2010:
- rolling legal hold = Time limited safeguarding of data where the items are stored in the Recoverable Items folder based on a predefined retention period. In this case, the retention period is set per mailbox (or the mailbox database defaults will apply if a specific value is not set for the mailbox).
- litigation hold = Unlimited safeguarding of data -where Items in the recovery folder will never be purged. Retention period and quota limitation set on a “litigation hold” mailbox will be ignored. This would ensure that deleted mailbox items and record changes won’t be purged.
The following example assigns a 7 year rolling legal hold on a mailbox. It is important to note the mailbox won’t be on Legal Hold for 7 years, this is actually a tag stating any new message will be retained for 7 years once created or received by the mailbox. So a message that arrives on 2.6.2013 will be kept until 2.6.2020.
Set-Mailbox –identity [email protected] –LitigationHoldEnabled $True –LitigationHoldDuration 2555
With Single Item Recovery enabled, items will remain in the Recoverable Items\Purges folder even if the mailbox owner deletes items from their inbox, empties the Deleted Items folder and then purges the contents of the dumpster. These items can then be searched for by a compliance officer if required, as the items are both indexed and discoverable. Additionally, these items will move with the mailbox if the mailbox is moved to a different mailbox database.
Why not always enable single item recovery?
1. You need to make sure you plan for the additional disk space required. See this article for more information on planning for single item recovery.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/high-availability-recovery/single-item-recovery-part2.html
2. You have to enable it on each individual mailbox, you can’t set a policy that says “all mailboxes will always have it enabled.” It would be awesome if newly created mailboxes could automatically be enabled for single item recovery, but that is not how Exchange currently works.
But what if you want to move those items out of the Recoverable Items\Purges and back into the user’s mailbox?
Recovering items from this hidden Purges folder can only be performed by an Exchange or Office 365 Administrator.
There are three options for restoring items from the Purges folder. My favorite is Option 3 (MFCMAPI) because it can restore the items back to the user’s deleted items folder.
Option 1: You can use powershell
http://technet.microsoft.com/en-us/library/ff660637.aspx
Option 2: You can use the Exchange Control Panel’s eDiscovery search
Create an In-Place eDiscovery Search
or
Option 3: Use MFCMAPI
Instructions for using MFCMAPI to restore items from the Purges folder.
1. Download MFCMAPI (use this tool at your own risk!)
http://mfcmapi.codeplex.com/releases/view/97321
2. Follow the screen-shots on my older post that I have not yet migrated the pictures to this blog:
Summary
While this tool is very powerful, it can also be very destructive (just like Regedit) so this author is not responsible for any damages caused by misuse of this tool. This post is for educational purposes only, use at your own risk!
References
Achieving Immutability with Exchange Online and Exchange Server 2010
History of MFCMAPI
Additional things you can do with MFCMAPI
The Cloud Technologist 