Exchange PS commands - help
-
I've enabled logs on my exchange server for my providers. We would like to know who is not deleting old appointments, and creating new ones, instead of just updating the old one.
I'm currently using
Search-MailboxAuditLog alias -LogonTypes Admin,Delegate -ShowDetails -StartDate date -EndData date
This does a good job of telling me all the things that have happened from either Admin or Delegate users - everything.
I tack on| Where-Object {$.Operation -eq "Update"}
and now it only shows me records that have been updated vs say HardDeleted or SoftDeleted.What I would like to know is - what exactly did they do? Is it possible for me to tell that they changed the date or time? or change the subject line or body?
Here's the output for just one record:
RunspaceId : b2e0e86a-xxxxxxxxxxxxxxxxxxxxxxxxxbe6 Operation : Update OperationResult : Succeeded LogonType : Delegate ExternalAccess : False DestFolderId : DestFolderPathName : FolderId : LgAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxARLWgGYZEN28PAAAACXVnAAAB FolderPathName : \Calendar ClientInfoString : Client=MSExchangeRPC ClientIPAddress : 199.199.199.199 ClientMachineName : ClientProcessName : OUTLOOK.EXE ClientVersion : 16.0.4291.1000 InternalLogonType : Delegated MailboxOwnerUPN : [email protected] MailboxOwnerSid : S-1-5-21x8783-1538882281-3865 DestMailboxOwnerUPN : DestMailboxOwnerSid : DestMailboxGuid : CrossMailboxOperation : LogonUserDisplayName : User who accessed it PP LogonUserSid : S-1-5-21-4xxxxxxxxxxxxxxxxxxxxx8882281-2739 SourceItems : {} SourceFolders : {} SourceItemIdsList : SourceItemSubjectsList : SourceItemFolderPathNamesList : SourceFolderIdsList : SourceFolderPathNamesList : ItemId : RgAAAAxxxxxxxxxxxxxxxxxxxjar/xKqOBwDOHdqFJZoARLWgGYZssssssssssssddddddddddARLWgGYZEN28PAAA Qzt6dAAAP ItemSubject : patient/Repair of urethrocutaneous fistula/gen/asc/assist jjm DirtyProperties : MapiEndTime, PR_END_DATE, MapiStartTime, PR_START_DATE, ReminderNextTime, ReminderDueBy Internal OriginatingServer : UR-EXCHANGE-10 (14.03.0227.000) MailboxGuid : 8b9586f4-c2ssssssssssss9c5f50d53 MailboxResolvedOwnerName : owner of mailbox LastAccessed : 4/13/2016 9:45:10 AM Identity : RgAAAADmxxxxxxxxxxxxxxxxxxxxxxxx/xKxxxxxxxxxxxxxgGYZEN28PAAAAEBqnAADOHdqFJZoARLWgGYZEN28PAAA Q6aAdAAAJ IsValid : True
-
I don't think that you can view the contents of the change action.
Going through this article , I couldn't find any references to what you are looking for.
You could try adding
| Select * | FL
on the end but I don't think that will provide the contents of the update action. -
Here's a cool PS script I found that creates a nice htm file of the output.
https://gallery.technet.microsoft.com/scriptcenter/Generate-a-Report-of-a33cde56