Flashcards in Compliance, Archiving, eDiscovery, Auditing Deck (81)
What effect does adding a Personal Tag to a Retention Policy have?
Mailbox users get access to the Personal Tags that are included in the Retention Policy that is assigned to their mailbox.
Users can manually add these Personal Tags to any folder or item, except for any folder that already has an RPT assigned to it (however, they can assign Personal Tags to items within that folder).
What is MFA?
Managed Folder Assistant
• A background process that constantly runs on an Exchange server
• Processes mailboxes that have Retention Policies assigned to them, to:
– stamp folders and items with retention tags
– perform retention actions when the retention period has passed
• The MFA process is throttled so it doesn't compete for resources with more important processes, so actions are not necessarily processed immediately when the retention period is reached.
What happens when you remove a Retention Tag from a Retention Policy?
• MFA will not stamp that tag to any more mailbox items
• Folders and items that were receiving that tag through inheritance will inherit a new tag
• Folders and items that had already been directly assigned the tag will RETAIN the tag (because the tag still exists as a tag definition in AD, even though it's no longer in the policy).
What happens when you Delete a Retention Tag?
• The Tag definition no longer exists in AD
• Items that were previously tagged are reprocessed by MFA and a new tag is stamped on them (usually by inheriting the parent folder tag).
How is Retention Age determined for different item types?
• For most items (including email messages), retention age is based on delivery date or creation date.
• For Recurring Calendar and Task items, retention age is based on their end date.
• (For items with no end to their recurrence, retention period never expires.)
What is a Retention Hold?
• A Retention Hold prevents retention actions from being executed, even after the retention period has passed.
• It is set on a per-mailbox basis.
• Once the End Date is reached, the MFA will start taking action on expired items.
• The hold can either be removed manually, or be configured with an automatic End Date.
What are a couple of example use cases for configuring a Retention Hold?
It is useful for:
• Testing Retention Policies (to see how MFA will stamp items, without actually taking actions)
• Periods of prolonged absence such as maternity leave or sabbatical, so a user's unread items won't be archived while they are away.
What is Exchange Online Archiving?
• Works the same as on-premises Archiving, except the Archive Mailboxes are hosted in Office 365
What is a Remote Archive?
• A mailbox archive that is hosted in Office 365 instead of on-prem Exchange
• Essentially, a synonym for the feature of Exchange Online Archiving.
What are the pre-requisites for Exchange Online Archiving to work?
• Directory synchronization
• A hybrid configuration
• Retention tags must be exported to the Office 365 tenant, so the cloud MFA can continue to process tags on items in Archives
What are the steps to configure a mailbox for Exchange Online Archiving?
1) Use directory synchronization to sync the user to Office 365
2) Assign an Exchange Online Archiving license to the user
3) Enable the user's mailbox for remote archiving
4) Wait for synchronization of the changes (which can take several hours)
What is eDiscovery?
• A Compliance Management feature.
– Tools for searching mailbox contents during investigations and legal cases
– Options for "holding" the results (preserving the data so it can't be deleted).
– A user-friendly web portal for searches, so they can be performed by non-technical people
What is KQL?
Keyword Query Language
The query syntax used both in Outlook for searches, and for eDiscovery searches
What actions can be taken on items found in eDiscovery searches?
• Preserve data in-place (In-Place Hold)
• Copy data to another location
• Export data (e.g. to PST)
• Remove data from mailboxes
What do eDiscovery searches depend on?
Healthy and up-to-date Content Indexes.
Any new items that have not been indexed yet will not show up in search results.
How are eDiscovery searches performed?
• User must be added to "Discovery Management" role group (which is empty by default) in order to perform eDiscovery searches
• Searches are performed in EAC
• Searches use KQL queries
• Can search one or multiple mailboxes
• Can search, for example, based on:
– Recipient types
– Message types
• Searches are queued once created. Once status changes to "Estimate Succeeded," the search results are available.
What is a Discovery Mailbox?
The results of an eDiscovery search can be exported to a mailbox, called a discovery mailbox.
The discovery mailbox will store the search results in a folder with the same name as the Search name.
What is a Discovery Search Mailbox?
Another term for a Discovery Mailbox.
What is a Compliance Search?
A search of mailbox items that can REMOVE the content from mailboxes.
When items are deleted by a Compliance Search, where do they go?
They are sent to the Recoverable Deleted Items folder, where end-users can recover them.
What is the cmdlet to perform a Compliance Search?
(a new cmdlet for 2016. Earlier versions used the more limited Search-Mailbox)
What is an In-Place Hold?
• A premium feature that requires an Enterprise CAL.
• Part of eDiscovery: the results of a search query are held so they cannot be permanently deleted.
What is the goal of a Hold?
To preserve mailbox contents, either indefinitely or to a desired date, in a way that is invisible to end users
What is the difference between an In-Place Hold and a Litigation Hold?
• In-Place Hold:
Based on an eDiscovery search query, and applied to all content that matches the query, no matter where it's located.
• Litigation Hold:
Applied to an entire mailbox, on a per-mailbox basis.
PowerShell command to apply a litigation hold for one year, or indefinitely?
• For one year:
Same as above, but add:
What are MailTips?
Messages displayed in Outlook and OWA to users while they are composing an email message, to alert them to potential mistakes or problems before they send a message.
What is this:
• Part of the MailTips feature
• A background process on Exchange
• Calculates the size of a group's membership, including nested group members
• Stamps the group object with a msExchGroupMemberCount attribute.
• Since it's a background process, it may not always be up-to-date.
What are examples of MailTips that may be displayed to a user?
• A Distribution Group contains X number of recipients (when it is over a threshold).
• A recipient's mailbox is full
• A recipient has an Automatic reply set (and displays the reply)
• A custom MailTip configured on a Mailbox to display a message
What are Message Classifications?
• Labels applied (either by Exchange or by users) to messages to describe the intended use or audience of the message.
• Users set them through the "Set Permissions" menu.
• Only internal to the organization; stripped from headers when sent externally.
• Only visual suggestions; they are not enforced (though Transport Rules can be configured to take action based on them).