Restoring items from Enterprise Vault for 365 users is the single most painful thing I have ever had to do in my life… EV is literally the devil. So hopefully by documenting the method I used to restore these Items I can save someone from many a sleepless night. The basis of this problem is that once a user has been migrated to the 365 exchange the Enterprise Vault server can no longer see the users mailbox and thus is unable to restore vaulted items.

In order to restore the items to the user’s mailbox the vaulted items need to be recovered to an on-prem account, restored and then returned to the mailbox. The method I used to achieve this is as follows.

1. Extract the vaulted items from the users mailbox
Extracting the vaulted items is probably the most difficult task as you want to extract only the items that are vaulted while maintaining the folder structure that the user has in their outlook. The first think to do is get full access to the user’s mailbox. This can be don’t from > admin > exchange > mailboxes. There are guides all over google for how to do this if you get stuck ;)

Once you have granted yourself full access to the user’s mailbox you will need to start outlook on your machine and create a new profile. Fill out the name and email address fields with the users details, make sure to leave the password field blank.


Upon hitting next you will be asked for credentials, put your credentials in here as you should have access to the user’s mailbox. Make sure to tick the ‘remember my credentials’ box. Outlook should then open to the user’s mailbox. You will need to go into mailbox settings and set outlook to cache the whole mailbox offline.


You will need to restart outlook and wait for it to cache the mailbox, this could take a while depending on the size of the mailbox. We cache the whole mailbox because only cached items are picked up when we scan the mailbox for vaulted items.

I wrote a PowerShell script that scans the current mailbox for vaulted items and makes a copy of them to ‘c:/vaultedmail’ while retaining folder structure. Running this script could take a while if the mailbox is large. The script will also generate some logs to help diagnose errors, these logs are stored at ‘c:/scans/’.

#script written by Nathan Kewley 2015

#file path saving output
$emailPathLog = "c:\Scans\emailFiles.csv";

#initial script setup
$ol = new-object -com Outlook.Application
$ns = $ol.GetNamespace("MAPI")

#variables to keep track of current folder to keep folder structure in tact
$masterDir = "c:\vaultedmail\" + $ol.Application.DefaultProfileName  + "\";
$currentDir = "c:\vaultedmail\" + $ol.Application.DefaultProfileName  + "\";

#counter so emails are not overwritten
$counter = 0;

#get the vault folder
$vault = $namespace.Folders | ?{$ -match "Inbox"}

#check if the email is vaulted, if so move it to the local drive keeping folder structure in tact
function checkMail($mail){
    if($mail.body -like "*has been archived*"){
        write-host("Vaulted Item Detected" + $counter);
        $filename = $currentDir + "mail" + $counter + ".msg";
        $filename >> $emailPathLog;

#recursivly scan all items and subfolders in users mailbox
function Get-MailboxFolder($folder){
    write-host $, $folder.items.count

    #create directory for the folder
    $path = $currentDir + $ + "\";
    New-Item -ItemType directory -Path $path;
    $currentDir = $path;

    foreach($mail in $folder.items){

    foreach ($f in $folder.folders){
        Get-MailboxFolder $f

#start a transcript
Start-Transcript -Path "c:\Scans\log.txt";

#initial script setup
$ol = new-object -com Outlook.Application
$ns = $ol.GetNamespace("MAPI")
$mailbox = $ns.stores | where {$_.ExchangeStoreType -eq 0}
$mailbox.GetRootFolder().folders | foreach { Get-MailboxFolder $_}

When the script has finished you will have extracted all the vaulted items from the users mailbox (Note: there is a small error margin for some mailboxes).

2. Get the vaulted Items back on prem
You will need to use your ‘vault service account’ or alternatively any other account that has permissions to restore any items from the vault. Log into a pc using your ‘vault service account’ and start outlook. You will need to copy the folder structure containing the vaulted items to this pc. To import this folder structure into outlook I used a third party tool called ‘msg to pst’, it seems to work ok. Use ‘msg to pst’ on the folder structure and it will import it into the ‘vault service account’ mailbox. It might be an idea to change the name of the imported folder to the name of the end user. Note that this tool will append the title text of the emails with something like ‘msg to pst trial version’. Don’t worry about this, this text will disappear when the vaulted item is restored.

3. Restore the vaulted items.
You should be able to restore the vaulted items from the ‘vault service account’ mailbox using the EV add in just like normal. Easy! :) Once you have un-vaulted all the items export the folder from outlook as a .pst

4. Return the items to the end user
You will need to open up outlook to the users mailbox using the profile you created for them earlier. Once back in their mailbox you will need to do an import from the pst using outlooks inbuilt import/export wizard. When importing you will need to match up the ‘inbox’ folder in the pst to the ‘inbox’ folder in the mailbox. You may need to do multiple imports from the pst if there were vaulted items in other folders like ‘sent items’.


Once you have imported all the items the user will have 2 versions of every vaulted email in their mailbox, one that is vaulted and one that you have restored. The last step to completing the restoration is to remove all the vaulted stubs. You can search the whole mailbox with the search term ‘messageclass:ipm.note.enterprisevault’ which will show you all the vaulted items. Then select all, delete. Done!

Also, don’t forget to remove your permissions from the users mailbox once you are done.