Exchange PS commands - help

Dashrender

I've enabled logs on my exchange server for my providers. We would like to know who is not deleting old appointments, and creating new ones, instead of just updating the old one.

I'm currently using Search-MailboxAuditLog alias -LogonTypes Admin,Delegate -ShowDetails -StartDate date -EndData date

This does a good job of telling me all the things that have happened from either Admin or Delegate users - everything.
I tack on | Where-Object {$.Operation -eq "Update"} and now it only shows me records that have been updated vs say HardDeleted or SoftDeleted.

What I would like to know is - what exactly did they do? Is it possible for me to tell that they changed the date or time? or change the subject line or body?

Here's the output for just one record:

RunspaceId                    : b2e0e86a-xxxxxxxxxxxxxxxxxxxxxxxxxbe6
Operation                     : Update
OperationResult               : Succeeded
LogonType                     : Delegate
ExternalAccess                : False
DestFolderId                  : 
DestFolderPathName            : 
FolderId                      : LgAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxARLWgGYZEN28PAAAACXVnAAAB
FolderPathName                : \Calendar
ClientInfoString              : Client=MSExchangeRPC
ClientIPAddress               : 199.199.199.199
ClientMachineName             : 
ClientProcessName             : OUTLOOK.EXE
ClientVersion                 : 16.0.4291.1000
InternalLogonType             : Delegated
MailboxOwnerUPN               : [email protected]
MailboxOwnerSid               : S-1-5-21x8783-1538882281-3865
DestMailboxOwnerUPN           : 
DestMailboxOwnerSid           : 
DestMailboxGuid               : 
CrossMailboxOperation         : 
LogonUserDisplayName          : User who accessed it PP
LogonUserSid                  : S-1-5-21-4xxxxxxxxxxxxxxxxxxxxx8882281-2739
SourceItems                   : {} 
SourceFolders                 : {}
SourceItemIdsList             : 
SourceItemSubjectsList        : 
SourceItemFolderPathNamesList : 
SourceFolderIdsList           : 
SourceFolderPathNamesList     : 
ItemId                        : RgAAAAxxxxxxxxxxxxxxxxxxxjar/xKqOBwDOHdqFJZoARLWgGYZssssssssssssddddddddddARLWgGYZEN28PAAA
                            Qzt6dAAAP
ItemSubject                   : patient/Repair of urethrocutaneous fistula/gen/asc/assist jjm
DirtyProperties               : MapiEndTime, PR_END_DATE, MapiStartTime, PR_START_DATE, ReminderNextTime, ReminderDueBy
                            Internal
OriginatingServer             : UR-EXCHANGE-10 (14.03.0227.000)
MailboxGuid                   : 8b9586f4-c2ssssssssssss9c5f50d53
MailboxResolvedOwnerName      : owner of mailbox
LastAccessed                  : 4/13/2016 9:45:10 AM
Identity                      : RgAAAADmxxxxxxxxxxxxxxxxxxxxxxxx/xKxxxxxxxxxxxxxgGYZEN28PAAAAEBqnAADOHdqFJZoARLWgGYZEN28PAAA
                            Q6aAdAAAJ
IsValid                       : True

nadnerB

I don't think that you can view the contents of the change action.

Going through this article , I couldn't find any references to what you are looking for.

You could try adding | Select * | FL on the end but I don't think that will provide the contents of the update action.

Dashrender

Here's a cool PS script I found that creates a nice htm file of the output.

https://gallery.technet.microsoft.com/scriptcenter/Generate-a-Report-of-a33cde56