The e-mail compliance capabilities introduced in Exchange Server 2007 and built on in Exchange Server 2010 are focused on regulatory compliance and legal discovery. In this context, legal discovery refers to the requirement to produce all relevant e-mail during litigation, usually as the result of a subpoena. Compliance can generally be divided into three categories:
Regulatory
Governmental regulations are normally the driving force behind
regulatory compliance. Regulatory compliance has been a predominant
concern to the financial services and healthcare sectors, but is also a
matter of importance to virtually all public and private sectors.
Public sector organizations are typically also expected to comply with
access-to-information requests from citizens. Some examples of
regulations affecting the private sector in the United States include
Sarbanes-Oxley, SEC Rule 17A-4, Gramm-Leach-Bliley, and the Health
Insurance Portability and Accountability Act (HIPAA); concerns for the
public sector include the Freedom of Information Act and the Federal
Information Security Management Act (FISMA). Finally, protection of
privacy information is a primary concern for all organizations, whether
in the public or private sectors.
Legal (court-ordered)
Litigation is commonly the driving force behind legal compliance.
Internal
Internal compliance in most cases boils down to risk mitigation for the
organization. These risks can encompass concerns such as privacy
breaches, financial loss, human resources concerns such as
harassment/discrimination, corporate liability (criminal or civil),
intellec

The messaging records management (MRM) technology in Exchange Server 2010 provides the message retention capability discussed in the "Messaging Compliance Overview"
section of this chapter. This allows your organization as well as your
individual users to retain or remove messages as required for company
policy compliance, government regulations, or legal needs, as well to
remove e-mail that doesn't need to be retained, such as personal e-mail
or newsletter subscriptions. Removing messages that don't need to be
retained can assist in controlling mailbox growth and the resources
required to support that growth. When the age limit for retention is
reached, an e-mail can be deleted or archived, an event can be logged,
or the message can be flagged for user attention. When combined with
message classification, AD RMS integration, and transport rules, MRM
can provide a comprehensive e-mail compliance solution.
The MRM implementation in Exchange Server 2010 is composed of retention
tags and retention policies; retention policies are collections of
retention tags, which are then applied to mailboxes. We will cover
retention policies in more detail in Section 1.2 of this chapter.
Managed folders and managed folder mailbox policies, the Exchange Server 2007 implementation of messaging records management, are also supported in Exchange Server 2010. Managed folders can be migrated to retention policies; this will be covered in detail in Section 1.3 of this chapter.
Managed folders and
retention policies represent two different approaches to messaging
records management. Managed folders can be used to apply retention
settings to default mailbox folders (for example, Inbox, Sent Items,
and Calendar) and custom managed folders created by the administrator;
similar functionality can be implemented using retention policies and retention
policy tags. However, retention policy tags provide the added
flexibility of users being able to apply retention settings to
individual mail items or folders they have created in their mailboxes;
with managed folders, a user is required to move an item to a managed
folder with the appropriate retention settings applied to it. By
applying personal
folder retention policy tags to messaging items or folders, a user can
retain her folder structure and file her messaging data to her liking,
and still apply the necessary retention policies to the data. The
various types of retention policy tags and their usage will be
discussed in more detail in Section 1.1 of this chapter.
Note: Outlook 2007 and earlier clients don't include all of the client
features required to deliver the retention policy experience (choosing
tags and viewing retention information), and thus are not supported
for mailboxes to which a retention policy containing personal tags is
assigned. Outlook 2007 or earlier clients can be used if the applicable
retention policies do not include personal tags. In addition,
journaling is not presently available with retention tags, so if you
require journaling you will need to deploy new managed folders or
retain your existing ones.
With either technology
(managed folders or retention policies), your users are taking part in
the MRM process by categorizing their messages
according to their content and associated retention requirements.
Conceptually, this categorization thought process is similar to that
for message classification.
Note: MRM requires an Exchange Server 2010 Enterprise Client Access License (CAL) for every mailbox configured for MRM.
1. Retention Tags and Retention Policies
In Exchange Server 2010,
retention tags and retention policies replace or supplement the managed
folder mailbox policies introduced in Exchange Server 2007. Exchange
Server 2010's messaging records management strategy of retention tags
and retention policies is illustrated in Figure 1.
1.1. Retention Tags
Retention
tags are definitions of retention settings that are applied to folders
and/or individual items within folders such as messages or other item
types. These settings specify the retention period for the item type,
and what action is taken when the specified age is reached; the age is
calculated in days from the delivery date, or from the creation date if
the item wasn't delivered but created within the mailbox. Retention
tags differ from managed folders in that users don't have to file items
in managed folders to satisfy retention requirements; they can tag
items and folders within their own folder structure.
The following actions can be specified when a message reaches its retention age:
Mark As Past Retention Limit: Marks the message as past the limit, but takes no further action.
Move To Deleted Items: Moves the item to the Deleted Items folder.
Delete And Allow Recovery: Deletes the item, but it can be retrieved from Deleted Items Recovery within the deleted item retention period set on the mailbox database.
Permanently Delete: The item is not recoverable from Deleted Items Recovery, unless litigation hold (or single item recovery) is enabled for the mailbox, in which case it is kept in the mailbox's Recoverable Items folder.
Move To Archive: Moves the item to the user's archive mailbox, if one is configured.
Localized names and comments can also be specified for your retention tag using the New-RetentionPolicyTag or Set-RetentionPolicyTag cmdlets. Localized names are specified in the form "ISO Language Code":"Tag Name" with the LocalizedRetentionPolicyTagName parameter (for example, -LocalizedRetentionPolicyTagName EN-US:"Business Critical"). You can also specify localized comments with the LocalizedComment parameter (for example, -LocalizedComment EN-US:"This is a localized comment in U.S. English"). Localized text (LocalizedRetentionPolicyTagName and LocalizedComment) is visible within Outlook 2010.
You can create three types of retention tags: retention policy tags, default policy tags, and personal tags.
1.1.1. Retention Policy Tags
Retention policy tags (RPTs) apply retention settings to default folders within the mailbox, such as Deleted Items, Sent Items, and Contacts.
You cannot apply an RPT to individual items, although you can apply a
different tag to items within a folder with an RPT applied to it. In
addition, users can't apply a different tag to a default folder.
You can create RPTs for the following default folders:
Calendar
Deleted Items
Drafts
Inbox
Junk E-Mail
Journal
Notes
Outbox
Sent Items
Tasks
RSS Feeds
Sync Issues
Conversation History
1.1.2. Default Policy Tags
In addition to the preceding list, a default policy tag (DPT) can be created; when a DPT is added to a retention
policy and that retention policy is assigned to a mailbox, the tag
settings apply to all folders and items within the mailbox that do not
have another tag applied, either explicitly or inherited from the folder they are in.
Note: A retention policy can only contain a single DPT.
1.1.3. Personal Tags
Finally, you can create
personal tags. When you create a personal tag and add it to a retention
policy, a user whose mailbox the policy has been assigned to can tag
individual items or non-default folders within his mailbox with that
personal tag. The result is that the settings defined within the
personal tag are applied to the item or folder; if applied to an item,
the personal tag overrides other tags that may be assigned to the
folder, or any default policy tag applied to the mailbox. If applied to
a non-default folder, the tag replaces any tag previously assigned to
that folder.
Note: Personal tags cannot be applied to default folders.
1.1.4. Creating Retention Tags
In Exchange Server 2010 SP1, retention tags and retention policies can be created through the Exchange Management Console (EMC). The New Retention Policy Tag Wizard is shown in Figure 2.
A default policy tag is created by selecting All Other Folders In The
Mailbox as the tag type in the wizard, whereas a personal tag is
created by selecting Personal Folder. Selecting any other tag type
creates a retention policy tag.
Retention
tags can also be created via the Exchange Management Shell (EMS); it is
worth noting that localized tag names and message class settings can
only be configured through the EMS.
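The following EMS script is an added example, not from the chapter, that creates one tag of each type discussed above (an RPT, a DPT and a personal tag), including the localized name and comment that only the shell can set. The tag names, retention ages, actions and the French strings are assumptions chosen for illustration; the cmdlets and parameters are those of the Exchange Server 2010 SP1 Exchange Management Shell, and the script is written to run on the PowerShell 2.0 host that EMS uses.

```powershell
# Added example: creating a retention policy tag (RPT), a default policy
# tag (DPT) and a personal tag in the Exchange Management Shell.
# All names, ages, actions and localized strings below are illustrative
# assumptions, not values from the chapter.

# Helper: create a tag only if no tag of that name exists yet, so the
# script can be re-run without failing on duplicate names.
function New-TagIfMissing {
    param([hashtable]$TagParams)
    $existing = Get-RetentionPolicyTag -Identity $TagParams.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Tag '$($TagParams.Name)' already exists; skipping."
        return $existing
    }
    New-RetentionPolicyTag @TagParams
}

# 1. RPT: applies only to the Deleted Items default folder. Items older than
#    30 days are permanently deleted (they still land in Recoverable Items if
#    the mailbox has single item recovery or litigation hold enabled).
New-TagIfMissing @{
    Name                 = "Contoso Deleted Items - 30 days"
    Type                 = "DeletedItems"
    AgeLimitForRetention = 30                 # integer = days
    RetentionAction      = "PermanentlyDelete"
    Comment              = "Deleted Items are purged 30 days after deletion."
}

# 2. DPT: Type All. Applies to every item that carries no explicit or
#    inherited tag. A retention policy may contain only one of these.
New-TagIfMissing @{
    Name                 = "Contoso Default - 2 years to archive"
    Type                 = "All"
    AgeLimitForRetention = 730
    RetentionAction      = "MoveToArchive"
    Comment              = "Untagged items move to the archive mailbox after 2 years."
}

# 3. Personal tag: users apply it to individual items or to folders they
#    created. Localized name/comment are shown by Outlook 2010 according to
#    the client language; the format is "<ISO language code>:<text>".
New-TagIfMissing @{
    Name                            = "Business Critical"
    Type                            = "Personal"
    AgeLimitForRetention            = 2555    # 7 years
    RetentionAction                 = "MoveToArchive"
    Comment                         = "Retained 7 years, then archived."
    LocalizedRetentionPolicyTagName = @("EN-US:Business Critical",
                                        "FR-FR:Critique pour l'entreprise")
    LocalizedComment                = @("EN-US:Retained 7 years, then archived.",
                                        "FR-FR:Conserve 7 ans, puis archive.")
}

# Verify: show the settings the Managed Folder Assistant will enforce.
Get-RetentionPolicyTag |
    Where-Object { $_.Name -like "Contoso *" -or $_.Name -eq "Business Critical" } |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled -AutoSize
```

The check in New-TagIfMissing matters in practice: tag names are organization-wide, and re-running a provisioning script that blindly calls New-RetentionPolicyTag fails half-way, leaving some tags created and others not.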
Note: A
mantra to keep in mind for retention tags—especially personal tags,
which are visible to the end users as choices they can make—is keep it simple. If an excessive number of retention
tag choices are presented in the Outlook 2010 or OWA interface, the
user will be more likely to give up on her attempts to use them. The
best approach is to design the absolute minimum number of retention tags and retention policies required to meet the needs of your corporate e-mail policy for the organization as a whole, keeping policies
broad enough to be used across as many mailboxes as possible. You can
then use these policies and tags as a baseline to design and deploy
other retention policies for specific sections or departments as
required, while re-using retention tags where possible. This not only
keeps the Outlook or OWA interface uncluttered, but also greatly
reduces your management overhead. Although the technology will support
creating hundreds of retention tags in hundreds of retention policies,
you will seldom have a good reason to do so.
1.2. Retention Policies
Retention policies are
collections of retention tags that you apply to mailboxes to implement
retention settings for items and folders in those mailboxes. Retention
tags cannot be applied to a mailbox directly; they must be included in
a retention policy, and that policy is then assigned to a mailbox or
mailboxes. A mailbox cannot be assigned more than one retention policy,
although retention tags can be added to or removed from a retention
policy at any time.
A retention policy can be composed of:
One or more retention
policy tags for default folders, although you can't link more than one
RPT of a particular type (such as Inbox) to a particular retention
policy.
One default policy tag.
Any number of personal tags, although it is recommended to have no more than 10 to keep it simple for users.
1.2.1. Managed Folder Assistant
Once retention policies
have been applied to mailboxes, those mailboxes are then processed by
the Managed Folder Assistant, which runs on mailbox servers and
provisions retention tags in mailboxes on a scheduled process (by
default, from 01:00 to 09:00 (1 AM to 9 AM)). If you have implemented
database availability groups (DAGs) and you wish to modify the Managed
Folder Assistant schedule, be certain to modify it on all mailbox
servers in the DAG to ensure consistent behavior in the event of a
database being activated on a different server.
Additionally, if you wish to have the Managed Folder Assistant process a mailbox immediately, you can run the Start-ManagedFolderAssistant
cmdlet. With no parameters, this causes the Managed Folder Assistant to
process all mailboxes on the local server. You can target specific
mailbox servers with the Identity parameter, or specify particular
mailboxes with the Mailbox parameter. The following example retrieves
all mailboxes that resolve from the ambiguous name resolution (ANR)
search on the string "Dav" (for example, David Jones, Dave Barnett,
Velimir Davidovski) and processes each of them:
Get-Mailbox -Anr Dav | Start-ManagedFolderAssistant
1.2.2. Removing or Deleting a Retention Tag from a Retention Policy
Removing a retention tag from
a retention policy does not remove the settings defined in that tag
from items in the mailboxes the retention policy has been applied to.
The Managed
Folder Assistant continues to process items stamped with that tag, and
the retention parameters specified in the tag continue to be applied to
those items. However, removing the retention tag does make the tag
unavailable to the user; the removed tag can no longer be applied to
items in the mailbox.
To remove the retention tag's settings from mailbox items that have been stamped with it, the retention tag must be deleted. Retention tags can be deleted from the Exchange Server 2010 SP1 EMC, or with the Remove-RetentionPolicyTag cmdlet in the EMS.
Note: Deleting
a retention tag causes the Managed Folder Assistant to process all
items that have the removed tag applied and restamp them the next time
the Managed Folder Assistant runs. This may consume significant
resources on your mailbox servers depending on the number of mailboxes
and mailbox items affected.
You can also disable retention
tags in lieu of deleting them; this causes the Managed Folder Assistant
to ignore all items stamped with that tag rather than restamping them.
However, these items are still considered tagged, so any default policy
tag applied to the mailbox will not affect them; in effect, you have
suspended retention for any items marked with that retention tag. A
retention tag is disabled by selecting Disable This Tag in the
Properties dialog box for the tag in EMC, or by setting the RetentionEnabled property to $False using the Set-RetentionPolicyTag cmdlet in the EMS.
1.2.3. Creating a Retention Policy
You can create a retention policy using the New-RetentionPolicy
cmdlet or through the Exchange Server 2010 SP1 EMC. Creation consists
of specifying a name for the policy and optionally adding retention
tags to the policy and assigning the policy to mailboxes. The name of
the retention policy must be unique in the organization, and there
should be existing retention tags to link to the policy as it is
created. Although it is possible to create a retention policy with no
retention tags linked to it, it is not recommended because an empty
policy applied to a mailbox may cause items in that mailbox to never
expire.
Retention
policies are created in the Exchange Server 2010 SP1 EMC by navigating
to the Mailbox node under Organization Configuration and then selecting
New Retention Policy from the Actions pane to start the New Retention Policy Wizard. The New Retention Policy Wizard is shown in Figure 3.
The same retention policy example shown in Figure 3 can also be created in the EMS using the New-RetentionPolicy cmdlet:
New-RetentionPolicy "Contoso RP - VPs" -RetentionPolicyTagLinks "Contoso R&D Projects"
1.2.4. Applying a Retention Policy to Mailboxes
After a policy is created and retention
tags have been linked to it, you can apply that policy to mailboxes; no
single mailbox can have more than one policy applied to it at the same
time. Retention policies are applied using the Set-Mailbox cmdlet with the RetentionPolicy
parameter. They can also be applied through the properties of the
retention policy or the Messaging Records Management properties of a
mailbox in the Exchange Server 2010 SP1 EMC. The Messaging Records
Management properties dialog box of a mailbox is shown in Figure 4.
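The script below is an added example (not the chapter's own code) that ties together Sections 1.2.1 through 1.2.4: it builds a retention policy from existing tags, checks the composition rules before creating it, assigns the policy to a set of mailboxes without silently overwriting a policy they already have, runs the Managed Folder Assistant on them, and then walks through the three ways of retiring a tag (unlink, disable, delete). The policy and tag names, and the Department filter used to pick mailboxes, are assumptions; the cmdlets and parameters are those of Exchange Server 2010 SP1, and the code avoids PowerShell 3.0 syntax because EMS runs on PowerShell 2.0.

```powershell
# Added example: retention policy lifecycle in the EMS.
# Names and the Department filter are illustrative assumptions.

$policyName = "Contoso RP - VPs"
$tagNames   = @("Contoso Deleted Items - 30 days",
                "Contoso Default - 2 years to archive",
                "Business Critical",
                "Contoso R&D Projects")

# 1. Resolve the tags and fail early on a name that doesn't exist: a policy
#    linked to nothing (or to the wrong tags) silently leaves items unexpiring.
$tags = foreach ($n in $tagNames) { Get-RetentionPolicyTag -Identity $n -ErrorAction Stop }

# 2. Enforce the composition rules before creating the policy: at most one
#    DPT (Type All) and at most one RPT per default folder type.
$dpts = @($tags | Where-Object { $_.Type -eq "All" })
if ($dpts.Count -gt 1) { throw "A retention policy may contain only one default policy tag." }
$dupRpt = $tags |
    Where-Object { @("All", "Personal") -notcontains $_.Type } |
    Group-Object Type | Where-Object { $_.Count -gt 1 }
if ($dupRpt) {
    throw ("More than one RPT for folder type(s): " + (($dupRpt | ForEach-Object { $_.Name }) -join ", "))
}

# 3. Create the policy, or re-link the tags if it already exists.
$linkNames = $tags | ForEach-Object { $_.Name }
if (-not (Get-RetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $linkNames | Out-Null
} else {
    Set-RetentionPolicy -Identity $policyName -RetentionPolicyTagLinks $linkNames
}

# 4. Assign it. A mailbox holds exactly one retention policy and Set-Mailbox
#    replaces any existing one without warning, so surface conflicts first
#    and only assign to mailboxes that currently have no policy.
$targets = Get-Mailbox -ResultSize Unlimited `
    -Filter "Department -eq 'Executive' -and RecipientTypeDetails -eq 'UserMailbox'"
$conflicts = $targets | Where-Object { $_.RetentionPolicy -and $_.RetentionPolicy.Name -ne $policyName }
if ($conflicts) {
    Write-Warning "Mailboxes already on a different policy (not changed):"
    $conflicts | Format-Table Alias, RetentionPolicy -AutoSize
}
$targets | Where-Object { -not $_.RetentionPolicy } | Set-Mailbox -RetentionPolicy $policyName

# 5. Don't wait for the nightly schedule: stamp the tags now.
$targets | Start-ManagedFolderAssistant

# 6. Retiring a tag, from least to most disruptive (Section 1.2.2):
#    a) unlink it from the policy: users can no longer pick it, but items
#       already stamped keep expiring under its settings;
$remaining = $linkNames | Where-Object { $_ -ne "Contoso R&D Projects" }
Set-RetentionPolicy -Identity $policyName -RetentionPolicyTagLinks $remaining
#    b) disable it: the MFA ignores stamped items; retention is suspended
#       and the DPT does not take over;
Set-RetentionPolicyTag -Identity "Contoso R&D Projects" -RetentionEnabled $false
#    c) delete it: stamped items are restamped (the DPT applies) on the next
#       MFA run, which is expensive across many mailboxes. Left commented out.
# Remove-RetentionPolicyTag -Identity "Contoso R&D Projects" -Confirm:$false
```

Step 4 is the one worth copying: nothing in Exchange stops you from piping every mailbox in the organization into Set-Mailbox -RetentionPolicy, and because only one policy can be assigned, doing so quietly detaches departments from the policy their own retention schedule depends on.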
1.3. Migrating from Managed Folders to Retention Policies
Migrating from managed folders to retention tags and retention policies is essentially a three-step process:
1. Create retention tags based on the existing managed folders and their managed content settings.
2. Create a retention policy and link the retention tags created in Step 1 to this policy.
3. Apply the retention policy to mailboxes.
Rather than creating a retention tag and manually defining retention settings to match the managed
folder and managed content settings to be replaced, you can migrate the
functionality of a particular managed folder to a retention policy tag
as the tag is created. A retention policy tag can be created from an
existing managed folder using the New-RetentionPolicyTag cmdlet with the ManagedFolderToUpgrade parameter, or by using the Port From Managed Folder To Tag Wizard in Exchange Server 2010 SP1. This wizard is shown in Figure 5.
Note: If
you create a retention tag by porting an existing managed folder with
EMC or EMS, the tag created is automatically applied to the
corresponding managed folder.
Creating retention policies was covered in detail in Section 1.2.3 of this chapter; you can create retention policies using the New-RetentionPolicy cmdlet or by using the Exchange Server 2010 SP1 EMC. Applying a retention policy to mailboxes was covered in Section 1.2.4 of this chapter.
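As an added example that is not part of the chapter, the following EMS script carries the three-step migration above through end to end for one managed folder mailbox policy: it ports every managed folder linked to that policy into a retention tag with the ManagedFolderToUpgrade parameter, links the ported tags into a new retention policy, and moves the mailboxes that were on the old managed folder mailbox policy onto it. The policy names and the "Ported - " tag prefix are assumptions; the cmdlets and properties (Get-ManagedFolderMailboxPolicy, its ManagedFolderLinks property, Get-ManagedFolder, and the Set-Mailbox parameters) are those of Exchange Server 2010 SP1.

```powershell
# Added example: migrating one managed folder mailbox policy to a retention
# policy. Policy names and the tag-name prefix are illustrative assumptions.

$oldPolicyName = "Contoso Managed Folder Policy"
$newPolicyName = "Contoso RP - Migrated"

# Step 1. Port each managed folder linked to the old policy into a tag.
# Porting a managed default folder yields an RPT for that folder type and
# porting a custom managed folder yields a personal tag; the managed content
# settings (age limit, action) are copied, and the new tag is automatically
# applied to the corresponding managed folder, so users need not re-file.
$oldPolicy = Get-ManagedFolderMailboxPolicy -Identity $oldPolicyName -ErrorAction Stop
$tagNames = foreach ($link in $oldPolicy.ManagedFolderLinks) {
    $folder  = Get-ManagedFolder -Identity $link -ErrorAction Stop
    $tagName = "Ported - $($folder.Name)"
    if (-not (Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue)) {
        New-RetentionPolicyTag -Name $tagName -ManagedFolderToUpgrade $folder.Identity | Out-Null
    }
    $tagName
}

# Step 2. Create the retention policy and link every ported tag, then review
# the result. Journaling configured on a managed folder has no retention-tag
# equivalent, so a folder that journals must stay a managed folder.
if (-not (Get-RetentionPolicy -Identity $newPolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $newPolicyName -RetentionPolicyTagLinks $tagNames | Out-Null
}
Get-RetentionPolicyTag |
    Where-Object { $tagNames -contains $_.Name } |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction -AutoSize

# Step 3. Move every mailbox on the old managed folder mailbox policy to the
# new retention policy and stamp the tags immediately. The managed folder
# policy is cleared explicitly in the same call (assumed harmless belt and
# braces: a mailbox is processed by one MRM mechanism, not both).
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ManagedFolderMailboxPolicy -and
                   $_.ManagedFolderMailboxPolicy.Name -eq $oldPolicyName }
$mailboxes | Set-Mailbox -RetentionPolicy $newPolicyName -ManagedFolderMailboxPolicy $null
$mailboxes | Start-ManagedFolderAssistant
Write-Host ("Migrated {0} mailbox(es) from '{1}' to '{2}'." -f @($mailboxes).Count, $oldPolicyName, $newPolicyName)
```

Run Step 1 and Step 2 on their own first and inspect the table before touching any mailbox: once Step 3 has run and the Managed Folder Assistant has stamped items, reverting means deleting the ported tags, which triggers the restamping pass described in Section 1.2.2.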