Create a custom management scope for In-Place eDiscovery searches

You can use a custom management scope to let specific people or groups use In-Place eDiscovery to search a subset of mailboxes in your Exchange Online organization. For example, you might want to let a discovery manager search only the mailboxes of users in a specific location or department. You can do this by creating a custom management scope. This custom management scope uses a recipient filter to control which mailboxes can be searched. Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient properties.

For In-Place eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a custom scope is distribution group membership (the actual property name is MemberOfGroup). If you use other properties, such as CustomAttributeN, Department, or PostalCode, the search fails when it's run by a member of the role group that's assigned the custom scope.

To learn more about management scopes, see:

What do you need to know before you begin?

  • Estimated time to complete: 15 minutes

  • As previously stated, you can only use group membership as the recipient filter to create a custom recipient filter scope that is intended to be used for eDiscovery. Any other recipient properties can't be used to create a custom scope for eDiscovery searches. Note that membership in a dynamic distribution group can't be used either.

  • Perform steps 1 through 3 to let a discovery manager export the search results for an eDiscovery search that uses a custom management scope.

  • If your discovery manager doesn't need to preview the search results, you can skip step 4.

  • If your discovery manager doesn't need to copy the search results, you can skip step 5.

Step 1: Organize users into distribution groups for eDiscovery

To search a subset of mailboxes in your organization or to narrow the scope of source mailboxes that a discovery manager can search, you'll need to group the subset of mailboxes into one or more distribution groups. When you create a custom management scope in step 2, you'll use these distribution groups as the recipient filter to create a custom management scope. This allows a discovery manager to search only the mailboxes of the users who are members of a specified group.

You might be able to use existing distribution groups for eDiscovery purposes, or you can create new ones. See More information at the end of this topic for tips on how to create distribution groups that can be used to scope eDiscovery searches.

Step 2: Create a custom management scope

Now you'll create a custom management scope that's defined by the membership of a distribution group (using the MemberOfGroup recipient filter). When this scope is applied to a role group used for eDiscovery, members of the role group can search the mailboxes of users who are members of the distribution group that was used to create the custom management scope.

This procedure uses Exchange Management Shell commands to create a custom scope named Ottawa Users eDiscovery Scope. It specifies the distribution group named Ottawa Users for the recipient filter of the custom scope.

  1. Run this command to get and save the properties of the Ottawa Users group to a variable, which is used in the next command.

    $DG = Get-DistributionGroup -Identity "Ottawa Users"
    
  2. Run this command to create a custom management scope based on the membership of the Ottawa Users distribution group.

    New-ManagementScope "Ottawa Users eDiscovery Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
    

    The distinguished name of the distribution group, which is contained in the variable $DG, is used to create the recipient filter for the new management scope.

Step 3: Create a management role group

In this step, you create a new management role group and assign the custom scope that you created in step 2. Add the Legal Hold and Mailbox Search roles so that role group members can perform In-Place eDiscovery searches and place mailboxes on In-Place Hold or Litigation Hold. You can also add members to this role group so they can search the mailboxes of the members of the distribution group used to create the custom scope in step 2.

In the following examples, the Ottawa Users eDiscovery Managers security group will be added as a member of this role group. You can use either the Shell or the EAC for this step.

Use the Shell to create a management role group

Run this command to create a new role group that uses the custom scope created in step 2. The command also adds the Legal Hold and Mailbox Search roles, and adds the Ottawa Users eDiscovery Managers security group as a member of the new role group.

    New-RoleGroup "Ottawa Discovery Management" -Roles "Mailbox Search","Legal Hold" -CustomRecipientWriteScope "Ottawa Users eDiscovery Scope" -Members "Ottawa Users eDiscovery Managers"

Use the EAC to create a management role group

  1. In the EAC, go to Permissions > Admin roles, and then click New.

  2. In New role group, provide the following information:

    • Name: Provide a descriptive name for the new role group. For this example, you'd use Ottawa Discovery Management.

    • Write scope: Select the custom management scope that you created in step 2. This scope will be applied to the new role group.

    • Roles: Click Add, and add the Legal Hold and Mailbox Search roles to the new role group.

    • Members: Click Add, and select the users, security group, or role groups that you want to add as members of the new role group. For this example, the members of the Ottawa Users eDiscovery Managers security group will be able to search only the mailboxes of users who are members of the Ottawa Users distribution group.

  3. Click Save to create the role group.

    Here's an example of what the New role group window will look like when you're done.

(Optional) Step 4: Add discovery managers as members of the distribution group used to create the custom management scope

You only need to perform this step if you want to let a discovery manager preview eDiscovery search results.

Run this command to add the Ottawa Users eDiscovery Managers security group as a member of the Ottawa Users distribution group.

    Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Users eDiscovery Managers"

You can also use the EAC to add members to a distribution group. For more information, see Create and manage distribution groups.

(Optional) Step 5: Add a discovery mailbox as a member of the distribution group used to create the custom management scope

You only need to perform this step if you want to let a discovery manager copy eDiscovery search results.

Run this command to add a discovery mailbox named Ottawa Discovery Mailbox as a member of the Ottawa Users distribution group.

    Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Discovery Mailbox"

Note

To open a discovery mailbox and view the search results, discovery managers must be assigned Full Access permissions for the discovery mailbox. For more information, see Create a discovery mailbox.

How do you know this worked?

Here are some ways to verify if you've successfully implemented custom management scopes for eDiscovery. When you verify, be sure that the user running the eDiscovery searches is a member of the role group that uses the custom management scope.

  • Create an eDiscovery search, and select the distribution group that was used to create the custom management scope as the source of mailboxes to be searched. All mailboxes should be successfully searched.

  • Create an eDiscovery search, and search the mailboxes of any users who aren't members of the distribution group that was used to create the custom management scope. The search should fail because the discovery manager can only search mailboxes for users who are members of the distribution group that was used to create the custom management scope. In this case, an error such as "Unable to search mailbox <name of mailbox> because the current user does not have permissions to access the mailbox" will be returned.

  • Create an eDiscovery search, and search the mailboxes of users who are members of the distribution group that was used to create the custom management scope. In the same search, include the mailboxes of users who aren't members. The search should partially succeed. The mailboxes of members of the distribution group used to create the custom management scope should be successfully searched. The search of mailboxes for users who aren't members of the group should fail.
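A configuration check that complements the search tests above, as an added example that is not part of the original article: it reads back the scope, distribution group and role group from steps 1 through 3 and reports anything that would widen or break the search boundary. Test-EDiscoveryScope is a hypothetical helper name, the default names are the ones this article uses, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example: read-only audit of the objects created in steps 1 through 3.
# Test-EDiscoveryScope is a hypothetical helper; default names come from this article.
function Test-EDiscoveryScope {
    param(
        [string]$GroupName     = "Ottawa Users",
        [string]$ScopeName     = "Ottawa Users eDiscovery Scope",
        [string]$RoleGroupName = "Ottawa Discovery Management"
    )
    $findings = @()
    $dg     = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
    $scope  = Get-ManagementScope -Identity $ScopeName -ErrorAction Stop
    $filter = [string]$scope.RecipientFilter

    # Only MemberOfGroup works for eDiscovery scopes, and it must name this group's DN.
    if ($filter -notmatch 'MemberOfGroup') {
        $findings += "Scope filter does not use MemberOfGroup: $filter"
    }
    if ($filter.IndexOf($dg.DistinguishedName, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        $findings += "Scope filter does not reference the DN of '$GroupName'"
    }

    # Group membership is the search boundary, so it should be owner-controlled.
    if ("$($dg.MemberJoinRestriction)" -ne 'Closed') {
        $findings += "MemberJoinRestriction is $($dg.MemberJoinRestriction), expected Closed"
    }
    if ("$($dg.MemberDepartRestriction)" -ne 'Closed') {
        $findings += "MemberDepartRestriction is $($dg.MemberDepartRestriction), expected Closed"
    }

    # Both roles must be present on the role group.
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName)
    foreach ($role in "Mailbox Search", "Legal Hold") {
        if (-not ($assignments | Where-Object { "$($_.Role)" -eq $role })) {
            $findings += "Role '$role' is not assigned to '$RoleGroupName'"
        }
    }

    # An assignment without the custom write scope is not limited to the group.
    foreach ($a in $assignments) {
        if ("$($a.CustomRecipientWriteScope)" -ne $ScopeName) {
            $findings += "Assignment '$($a.Name)' is not limited to '$ScopeName'"
        }
    }

    # An empty result means the configuration matches what the article describes.
    return $findings
}

Test-EDiscoveryScope
```

The check only reads configuration; the three search tests listed above are still what confirm the behaviour end to end.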

More information

  • Because distribution groups are used in this scenario to scope eDiscovery searches and not for message delivery, consider the following when you create and configure distribution groups for eDiscovery:

    • Create distribution groups with a closed membership so that members can be added to or removed from the group only by the group owners. If you're creating the group in the Shell, use the syntax MemberJoinRestriction closed and MemberDepartRestriction closed.

    • Enable group moderation so that any message sent to the group is first sent to the group moderators who can approve or reject the message accordingly. If you're creating the group in the Shell, use the syntax ModerationEnabled $true. If you're using the EAC, you can enable moderation after the group is created.

    • Hide the distribution group from the organization's shared address book. Use the EAC or the Set-DistributionGroup cmdlet after the group is created. If you're using the Shell, use the syntax HiddenFromAddressListsEnabled $true.

      In the following example, the first command creates a distribution group with closed membership and moderation enabled. The second command hides the group from the shared address book.

    New-DistributionGroup -Name "Vancouver Users eDiscovery Scope" -Alias VancouverUserseDiscovery -MemberJoinRestriction closed -MemberDepartRestriction closed -ModerationEnabled $true
    
    Set-DistributionGroup "Vancouver Users eDiscovery Scope" -HiddenFromAddressListsEnabled $true
    

    For more information about creating and managing distribution groups, see Create and manage distribution groups.

  • Though you can use only distribution group membership as the recipient filter for a custom management scope used for eDiscovery, you can use other recipient properties to add users to that distribution group. Here are some examples of using the Get-Mailbox and Get-Recipient cmdlets to return a specific group of users based on common user or mailbox attributes.

    Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "HR"'
    
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'CustomAttribute15 -eq "VancouverSubsidiary"'
    
    Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'PostalCode -eq "98052"'
    
    Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'StateOrProvince -eq "WA"'
    
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -OrganizationalUnit "namsr01a002.sdf.exchangelabs.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com"
    
  • You can then use the examples from the previous bullet to create a variable that can be used with the Add-DistributionGroupMember cmdlet to add a group of users to a distribution group. In the following example, the first command creates a variable that contains all user mailboxes that have the value Vancouver for the Department property in their user account. The second command adds these users to the Vancouver Users distribution group.

    $members = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "Vancouver"'
    
    # Add each returned mailbox to the group named in the text above.
    # DistinguishedName is passed because Name is not guaranteed to be unique.
    $members | ForEach {Add-DistributionGroupMember "Vancouver Users" -Member $_.DistinguishedName}
    
  • You can use the Add-RoleGroupMember cmdlet to add a member to an existing role group that's used to scope eDiscovery searches. For example, the following command adds the user admin@ottawa.contoso.com to the Ottawa Discovery Management role group.

    Add-RoleGroupMember "Ottawa Discovery Management" -Member admin@ottawa.contoso.com
    

    You can also use the EAC to add members to a role group. For more information, see the "Add members to a role group" section in Manage Role Group Members.

  • In Exchange Online, a custom management scope used for eDiscovery can't be used to search inactive mailboxes. This is because an inactive mailbox can't be a member of a distribution group. For example, let's say that a user is a member of a distribution group that was used to create a custom management scope for eDiscovery. Then that user leaves the organization and their mailbox is made inactive (by placing a Litigation Hold or In-Place Hold on the mailbox and then deleting the corresponding Office 365 user account). The result is that the user is removed as a member from any distribution group, including the group that was used to create the custom management scope used for eDiscovery. If a discovery manager (who is a member of the role group that's assigned the custom management scope) tries to search the inactive mailbox, the search will fail. To search inactive mailboxes, a discovery manager must be a member of the Discovery Management role group or any role group that has permissions to search the entire organization.

    For more information about inactive mailboxes, see Inactive mailboxes in Exchange Online.