Targeted Email Removal with Exchange Online Powershell

In the course of administering an Exchange Online instance I’m occasionally asked to locate and remove an email (or set of emails) from the entire tenant. The quickest way to do this is via PowerShell:

Connect to the Exchange Online instance, enter your credentials when prompted:


Next, Connect to the Security and Compliance Center PowerShell, entering your credentials again when prompted:


Now that you’re connected, you can create a new compliance search to locate the email(s) you wish to remove:

New-ComplianceSearch [SearchName] -ExchangeLocation 'All' -ContentMatchQuery 'from: "*"'

In the example above, I’m searching for all content across all mailboxes from a specific domain (e.g., but you can modify the scope of the search by adjusting the location and content match query (i.e. searching by subject or just looking at specific mailboxes/folders etc.).

Once the search is created, you will need to start it:

Start-ComplianceSearch [SearchName]

While the search is ongoing, you can check on its status:

Get-ComplianceSearch [SearchName]

NOTE: You can use the |fl parameter to obtain additional information on the compliance search status.

Once completed, you can use the purge the emails located by the search:

New-ComplianceSearchAction -SearchName [SearchName] -Purge -PurgeType SoftDelete


Email Hide and Go Seek: How to locate a specific email (down to the folder) in Office 365 using PowerShell

In many organizations, end users receive too much email to manage effectively. Many utilize rules to filter emails into specific buckets to make them easier to find. Over time, these rules compound, and could eventually lead to unintended consequences (i.e. receiving an email but being unable to find it).

When this happens, I’d typically run a quick message trace to establish whether the email was actually delivered or not. Many admins will stop there, advising the end-user to check their rule settings, but using PowerShell, we can find the email(s) for them!

First, let’s get logged into the Office 365 tenant:

$Credential = Get-Credential
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $ExchangeSession

Next, we can determine how many emails match the criteria in case there are more than one (Optional):

search-mailbox -EstimateResultOnly -identity [target user] -searchquery 'from:"[sender emai]" AND subject:"subject"'

Now for the coup de grâce, to reconstruct precisely which folder and sub-folder(s) of where the email(s) that match that criteria are in the user’s inbox:

search-mailbox -identity [recipient] -searchquery 'from:"[sender]" AND subject:"[subject] "' -targetmailbox "[your email] " -targetfolder "SearchResults"

In your inbox, you’ll see a folder called ‘SearchResults’. Using this, you can guide the end-user through the folder structure on their own Inbox that they’ll need to traverse to get to the desired email(s).

Obscure Skype for Business desktop sharing issue

A colleague of mine reported an issue with Skype for Business where he was unable to either share his screen (or application or PowerPoint presentation), nor could others share their screens with him.

From the user’s side, clicking on the Present button allowed him to toggle what he wanted to share, which would appear to work – the border indicated “connecting” while the recipient(s) waited for the presentation to begin. After 30-40 seconds, the presentation error (…”the invitation has expired”) and time out.

If you encounter this issue, you can try the following registry hack, which worked for me:

  1. Open Regedit as an administrator
  2. Navigate to:
  3. Add the following DWORD and value:
    MaxUserPort=0000x3a98 (15000)
  4. Reboot for the changes to take effect.

You can find more information about MaxUserPort and other TCP/IP registry settings here. This issue seems to be newly introduced with Windows 10 version 1809.

Microsoft CSAT Survey II: Someone Listened!

It’s not often something changes for the better, but I’m always pleased when they do!

Once again, I’ve found myself tasked with attaining Microsoft Gold level partnership for my employer. For those who have never had the pleasure, the process consists of attaining a combination of competencies (associated certified professionals, tested products etc.), customer references and the dreaded CSAT (Customer Satisfaction) survey.

In the past, the CSAT consisted of 30 questions, many of which applied to Microsoft product resale, which isn’t applicable to many would-be partners.While questions could be added (though I can’t imagine why anyone would want to), none could be removed.

Since then (about April of 2013 or so), the survey was reduced to only 5 questions that actually pertain to customer satisfaction – imagine that!

It’s hard enough asking for a customer’s time to fill out a survey, but if I must, I’d prefer it be short and to the point. I believe this iteration of the CSAT does just that.

So why the change? Did someone at Microsoft read my 2009 rant on the subject and act accordingly? Doubtful, but it’s a nice thought anyway :). Regardless, I’m happy it did, and hope this trend continues!

Reestablishing Trust Between a Workstation and Domain When the Local Administrator account is Disabled

Disclaimer: Circumventing windows security should NOT be taken lightly, and should only be used by an authorized person as a last resort in the course of recovery or repair. Mumbo Jumbo aside, remember that YOU ALONE are responsible for your own actions, so be sure that you know what you’re doing before making any changes!

From time to time, a workstation (usually a laptop) becomes disjoined from your domain, and starts throwing the following error:

"The trust relationship between this workstation and the primary domain failed."

When this happens, any attempt to login using a domain user account will fail. The traditional fix goes something like this:

  1. Log in using a Local Administrator Account
  2. Swap the domain membership to a workgroup (e.g. TEMP)
  3. Reboot and log back in (Local Administrator Account)
  4. Change the workgroup back to the domain

But what if the local user account is disabled, you’ve forgotten the password or someone changed it? That’s where Hiren’s Boot CD comes in!

If you’re not familiar with Hiren’s Boot CD, you’re missing out on a wealth of tools that can you help you recover data, clear viruses, and even reset passwords! In this scenario, we’re going to use the Offline NT Password Changer.

  1. Insert Hiren’s Boot CD and boot from your optical drive
  2. Navigate to the Offline NT/2000/XP/Vista/7 Password Changer
  3. Next, select the partition where Windows is installed (usually C:\)
  4. Verify that you’re using the correct Registry Path (usually Windows/system32/config)
  5. At this point, you can elect to enable disabled accounts (if the local Administrator account is diabled) and/or change the password. In either case, you’ll need to enter the username you’d like to edit – I would recommend a default user account (e.g. Administrator)
  6. When done, press ! to quit the editor, followed by Y to confirm your changes
  7. Remove Hiren’s Boot CD and reboot

I hope this helps someone! Feel free to post your comments or questions.

Further reading: