Hello All, Newbie to PS and I am having a had time understanding a script task. Allow me to explain.
I have a client whos calendar is missing items, the issue is he doesn’t know when it went missing and I ran a calendar audit and i found who as auditor rights, but now i need to see who deleted anything from his outlook this includes calendars and email.
the details i need to present - who accessed it name (userID) / date and time / what they deleted, the subject of the event.
here is the code: (if you have something shorter and easier, please post ) 
#Modify the values for the following variables to configure the audit log search.
$logFile = “c:\AuditLogSearch\AuditLogSearchLog.txt”
$outputFile = “c:\AuditLogSearch\AuditLogRecords.csv”
[DateTime]$start = [DateTime]::UtcNow.AddDays(-12)
[DateTime]$end = [DateTime]::UtcNow
$record = “ExchangeItemGroup”
$resultSize = 5000
$intervalMinutes = 60
#Start script
[DateTime]$currentStart = $start
[DateTime]$currentEnd = $end
Function Write-LogFile ([String]$Message)
{
$final = [DateTime]::Now.ToUniversalTime().ToString(“s”) + “:” + $Message
$final | Out-File $logFile -Append
}
Write-LogFile “BEGIN: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize.”
Write-Host “Retrieving audit records for the date range between $($start) and $($end), RecordType=$record, ResultsSize=$resultSize”
$totalCount = 0
while ($true)
{
$currentEnd = $currentStart.AddMinutes($intervalMinutes)
if ($currentEnd -gt $end)
{
$currentEnd = $end
}
if ($currentStart -eq $currentEnd)
{
break
}
$sessionID = [Guid]::NewGuid().ToString() + "_" + "ExtractLogs" + (Get-Date).ToString("yyyyMMddHHmmssfff")
Write-LogFile "INFO: Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
Write-Host "Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
$currentCount = 0
$sw = [Diagnostics.StopWatch]::StartNew()
do
{
$results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $record -SessionId $sessionID -SessionCommand ReturnLargeSet -ResultSize $resultSize
if (($results | Measure-Object).Count -ne 0)
{
$results | export-csv -Path $outputFile -Append -NoTypeInformation
$currentTotal = $results[0].ResultCount
$totalCount += $results.Count
$currentCount += $results.Count
Write-LogFile "INFO: Retrieved $($currentCount) audit records out of the total $($currentTotal)"
if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
{
$message = "INFO: Successfully retrieved $($currentTotal) audit records for the current time range. Moving on!"
Write-LogFile $message
Write-Host "Successfully retrieved $($currentTotal) audit records for the current time range. Moving on to the next interval." -foregroundColor Yellow
""
break
}
}
}
while (($results | Measure-Object).Count -ne 0)
$currentStart = $currentEnd
}
Write-LogFile “END: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize, total count: $totalCount.”
Write-Host “Script complete! Finished retrieving audit records for the date range between $($start) and $($end). Total count: $totalCount” -foregroundColor Green
