Exchange 2010 Litigation Hold (Part 1)

by [Published on 28 June 2012 / Last Updated on 28 June 2012]

In this article series the author will explain what Litigation Hold is, how to use it and how it defers from other similar Exchange functionalities.

If you would like to read the next part in this article series please go to Exchange 2010 Litigation Hold (Part 2).

Introduction

A feature not widely used by Exchange administrators is Litigation Hold which was introduced in Exchange 2010 RTM. In some cases, there may be no need or regulatory requirement to implement it but, there are instances where users do not implement it due to lack of understanding of what exactly Litigation Hold is and how it differs from Single Item Recovery and Retention Hold.

Litigation is, simply put, the conduct of a lawsuit. When an employee or an organization faces a lawsuit or even expects one, it is required to keep all information related to the case, whether this is information on paper or most commonly, electronically stored. If all relevant information is not kept, the subject of the lawsuit might undergo further legal action, sanctions or fines.

Nowadays e-mail plays a very important role in these situations due to its vast use and it is crucial to keep every single e-mail message related to the case. But how do you prevent users from advertently or inadvertently deleting e-mails needed for the investigation? What about Messaging Records Management [MRM]? Do you just temporarily disable it for all your Exchange databases? This is where Litigation Hold comes in, allowing administrators to easily:

  • Preserve deleted or edited mailbox items (by users);
  • Preserve automatically deleted mailbox items (by MRM);
  • Search and capture items placed on hold;

All of this is easily achieved my simply placing a mailbox on Litigation Hold as we will see below.

How does it Work?

To learn how Litigation Hold works, we first need to talk about a feature that Exchange 2010 also introduced (or better yet, improved) called Recoverable Items folder (previously known as the Dumpster) to protect against accidental or malicious deletion of mailbox items and to help with eDiscovery. This special folder, which resides in the non-IPM sub tree of each mailbox (a storage area that contains operational data about the mailbox), is used by the following Exchange features:

  • Deleted Item Retention;
  • Single Item Recovery;
  • Litigation Hold;
  • Mailbox Audit Logging.

Under this folder, there are 4 subfolders:

  • Deletions, which contains all mailbox items deleted from the Deleted Items folder and is exposed to users through the Recover Deleted Items feature in Outlook and Outlook Web App [OWA];
  • Versions, which if Litigation Hold or Single Item Recovery is enabled, contains the original and modified copies of the items. This folder is not visible to end users;
  • Purges, which if Litigation Hold or Single Item Recovery is enabled, contains all items that were hard deleted from the Deletions folder. This folder is not visible to end users;
  • Audits, which if Mailbox Audit Logging is enabled for a mailbox, contains the audit log entries.

 


Figure 1.1: Location of the Recoverable Items folder seen using MFCMapi

Items in the Recoverable Items folder are kept for the deleted item retention period configured on the user's mailbox database, which is 14 days by default. If a mailbox is not placed on Litigation Hold, items are permanently purged from the Recoverable Items folder when the item has remained in the folder where it resides for longer than the deleted item retention period.

If, however, the mailbox is on Litigation Hold, every item is kept:

  • If a user deletes an item from the Deleted Items folder or shift-deletes it from any folder (soft delete), the item is moved to Recoverable Items\Deletions folder, where it can be recovered using the Outlook and OWA Recover Deleted Items view;
  • If the user purges data from the Recover Deleted Items view (hard delete from the Recoverable Items\Deletions folder), the item is moved to the Recoverable Items\Purges folder;
  • If a user modifies an item, a copy of the original item is placed in the Recoverable Items\Versions folder, by a process called copy-on-write page protection.

The following diagram shows how this process works when a mailbox is on Litigation Hold (or enabled for Single Item Recovery for that matter):

 


Figure 1.2: How items are preserved

When a mailbox is on Litigation Hold, items in the Deletions subfolder are moved to the Purges subfolder after 14 days, preventing users from knowing their mailbox is on Litigation Hold, but are never purged from this folder!

So what changes trigger this copy-on-write page protection process? The following table demonstrates which properties of a message trigger it when modified:

Item

Properties that trigger copy-on-write

Messages or Posts

  • Subject
  • Body
  • Attachments
  • Sender and Recipients
  • Sent and Received Dates

Other items other than Messages or Posts

Any change to a visible property, except:

  • When an item is moved between folders
  • Item status change (read or unread)
  • Changes to a retention tag applied to an item

Draft items and RSS feeds

None. These items are exempt from copy-on-write page protection

Table 1.1: Mailbox item properties that trigger copy-on-write

Placing a Mailbox on Litigation Hold

Note:
To place a mailbox on Litigation Hold, you need to be assigned the Discovery Management or Legal Hold role-based access control role by using the Exchange Control Panel or running the following cmdlet:

Add-RoleGroupMember “Discovery Management” -Member <user>

If you are running Exchange 2010 RTM, you have to use the Exchange Management Shell [EMS] with the Set-Mailbox cmdlet to place a mailbox on Litigation Hold as we will see below. With SP1 and above, you can also use the Exchange Management Console [EMC] or the Exchange Control Panel [ECP]. All three methods achieve the same result, so it’s up to the administrator which one to use. Let’s have a look at all of them:

Exchange Management Console

  1. In the console tree, navigate to Recipient Configuration and then Mailbox;
  2. Find the mailbox you want to place on Litigation Hold and go to its Properties;
  3. In <UserMailbox> Properties, select the Mailbox Settings tab, select Messaging Records Management and then click Properties.

 


Figure 1.3: Enabling mailbox for Litigation Hold using the EMC

In here, select the Enable Litigation Hold check box and, optionally:

  • Enter a URL to a webpage or document with more information about the Litigation Hold for the user. This URL is displayed in the Backstage area of Microsoft Outlook 2010 as you can see from Figure 1.4;
  • Enter some text that you also want displayed in Outlook.

Both these options will help users understand why their mailbox is on Litigation Hold and what it means from a users’ perspective. If you do not use them, users will not know their mailbox is on Litigation Hold, which might be useful in some situations.

Note:
This text and URL do not appear in Outlook Web App or any other mail client, only Outlook 2010 as part of Office 2010 Professional Plus!

 


Figure 1.4:
Message and URL regarding Litigation Hold on user’s Outlook

Exchange Control Panel

  1. In the ECP, select Manage My Organization, Users & Groups and then Mailboxes;
  2. Select the mailbox to put on Litigation Hold and click Details;
  3. Under Mailbox Features, select Litigation Hold and click Enable;
  4. As in the EMC, you can configure text and a URL to be displayed in Outlook;
  5. Click OK and then Save;
  6. Click Close.

 


Figure 1.5:
Enabling mailbox for Litigation Hold using the ECP

You can also run a Litigation Hold report from the ECP to check which users have had Litigation Hold enabled or disabled for their mailbox. To run it, go to the ECP -> Manage My Organization -> Roles & Auditing > Auditing > Run a Litigation Hold report...

 


Figure 1.6:
Litigation Hold Report

Exchange Management Shell

With the EMS there are 5 parameters that can be used:

    • LitigationHoldEnabled which when set to $True places the mailbox on Litigation Hold and when set to $False removes it from Litigation Hold;
    • LitigationHoldDate specifies the date when the mailbox is placed on Litigation Hold. This parameter is populated automatically but it can also be manually set for informational or reporting purposes. Note that the mailbox is placed on Litigation Hold when the cmdlet is run no matter what date you put in!
    • LitigationHoldOwner specifies who placed the mailbox on Litigation Hold. This parameter is also populated automatically but it can be used for informational and reporting purposes;
    • RetentionComment is the informational text users will see in Outlook;
    • RetentionUrl is the URL users will see in Outlook.

 


Figure 1.7:
Enabling mailbox for Litigation Hold using the EMS

Conclusion

In this first part of this article, we looked at what Litigation Hold is, how it works and how to enable it. In the second and final part we will talk about if it impacts backups, the limit quota that is set on the Recoverable Items folder and how Litigation Hold differs from Single Item Recovery and Retention Hold.

If you would like to read the next part in this article series please go to Exchange 2010 Litigation Hold (Part 2).

Advertisement

Featured Links