A user did not receive and email from another that she knew was sent. I eventually found it in the directory she thought it should have gone to, but it was hidden. The way I found this out was by downloading and running the MFCMAPI tool. MFCMAPI reveals many more attributes than are normally visible – one PRATTRHIDDEN among them. But I very much doubt I would never have found had I not known the exact folder, time, sender & subject of the email. I also found how many emails are hidden in the inbox by running:
(Get-EXOMailboxFolderStatistics -Identity myUser@myDomain.com -FolderScope Inbox)[0].HiddenItemsInFolder
I found something like 60 out of over 2700 emails were hidden (she apportions most emails to subfolders; most users have 10’s of thousands.) But I could find no way to find out more information on those missing items like date, sender, subject. I suppose I theoretically could have opened every email using MFCMAPI and searched for that PRATTRHIDDEN. But that’s not feasible.
To complicate matters, some hidden items aren’t really hidden items. You can find them by running:
(Get-EXOMailboxFolderStatistics myUser@myDomain.com -FolderScope RecoverableItems)[6] | select FolderPath, VisibleItemsInFolder, HiddenItemsInFolder, ItemsInFolder
And she didn’t have any such anyway.
I can find the folder ID for her Inbox and run an eDiscovery search. And that will return all the emails in the Inbox. But again, I’d have to wade through all those and compare what I see in her Inbox to try to ferret out the 60 that are missing.
It’d be nice if eDiscover could filter on PRATTRHIDDEN.