IIS PowerShell SharePoint 2010 SharePoint 2013 SharePoint 2016 Site Collection 

Find out Who has Deleted a Site Collection in SharePoint

Salaudeen Rajack 1 Comment

Requirement: Find out who has deleted a site collection in SharePoint 2016 server.

find who deleted a sharepoint site

How to Find Who Deleted a SharePoint Site?

Unfortunately, there are no direct ways to find out who deleted a SharePoint site. The PowerShell cmdlet “Get-SPDeletedSite” gets you all deleted site collections without any hint about the user who deleted the site. So, How do you find who deleted a SharePoint site? The only available way is to scan IIS Logs in SharePoint web front end servers for the specific URL “/_layouts/15/webdeleted.aspx” that gets called when a user deletes the site from the site settings page.

PowerShell to find out who deleted a SharePoint site:

Scanning through each log file could be cumbersome. But PowerShell can help! This PowerShell script scans through all IIS log files of the given web application in the past 30 days. Set the parameter $WebAppURL at the end of the script and execute it.

#Import necessary Modules
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to get Log Folder of the SharePoint Web Application
Function Get-IISLogFolder($WebAppURL)
{
    #Get Web Applications' IIS Settings
    $WebApp = Get-SPWebApplication $WebAppURL
    $IISSettings = $WebApp.IISSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $WebSiteName = $IISSettings.ServerComment

    #Get Log Folder from Web Site
    $WebSite = Get-Website -Name $WebSiteName
    $LogLocation = "$($WebSite.LogFile.Directory)\w3svc$($WebSite.id)".Replace("%SystemDrive%",$Env:SystemDrive)
    Return $LogLocation
}

#Function to Parse IIS Log
Function Parse-IISLog {

 [CmdletBinding()]
    [OutputType([System.Data.DataTable])]
 param(
  [Parameter(Mandatory=$True, ValueFromPipeline=$True)][string[]]$LogFilePath
        )
 BEGIN {
        $LogDataTable = New-Object System.Data.DataTable
        $FieldsString = Get-Content -Path $LogFilePath | Select -First 5 | Where {$_ -Like "#[F]*"}
        $Fields = $FieldsString.substring(9).split(' ');
        $FieldsCount = $Fields.count - 1
    }
 PROCESS {
        for($i=0;$i -lt $FieldsCount;$i++) {
            $LogDataTable.Columns.Add($Fields[$i]) | Out-Null   
        }
        $Content = Get-Content -Path $LogFilePath | Where {$_ -notLike "#[D,S,V,F]*" } | ForEach-Object {
            $Row = $LogDataTable.NewRow()
            for($i=0;$i -lt $FieldsCount;$i++) {
                $Row[$i] = $_.Split(' ')[$i]
            }
            $LogDataTable.Rows.Add($row)
        }
    }
    END {
        $PSCmdlet.WriteObject($LogDataTable)
    }
}

#Function to search IIS Logs for a given URL in given web application
Function Search-IISLogs($WebAppURL, [String]$SearchURL)
{
    #Get IIS Log Folder
    $IISLogFolder = Get-IISLogFolder $WebAppURL

    #Get IIS Log files created in the past 30 days
    $IISLogFiles = Get-ChildItem -Path $IISLogFolder -Recurse | Where {$_.CreationTime  -Gt (Get-Date).AddDays(-30)}

    ForEach($LogFile in $IISLogFiles)
    {
        Write-host "Processing Log File:"$LogFile.FullName -f Yellow
        $IISLogData = Parse-IISLog $LogFile.FullName

        #Search Data
        $SearchResults = New-Object System.Data.DataView($IISLogData)
        $SearchResults.RowFilter = "[cs-uri-stem] like '%$SearchURL%'"

        #Result
        If ($SearchResults.Count -gt 0) 
        {
            Write-Host "`tFound Site Deletion!" -ForegroundColor Green
            $SearchResults | Select date, time, cs-uri-stem, cs-username, "cs(Referer)" | Format-Table
        } 
        Else 
        {
            Write-Host "`tNo Site Deletions Found!" -ForegroundColor DarkYellow
        }
    }
}

#Parameters
$WebAppURL="https://intranet.crescent.com"

#Call the function to search site deletions
Search-IISLogs $WebAppURL "/_layouts/15/webdeleted.aspx"

This script gets you the details of the deleted site collection, such as who has deleted it, date, time, etc. Make sure you are running this script on all web front-end servers if you have more than one!

What if the site collection is deleted from Central Admin?

How about site collections deleted through the SharePoint Central Administration site? Well, to search central admin, change the last two lines in the above PowerShell script.

#Call the function to search deleted sites from Central Admin
$CentralAdminURL =  Get-SPWebApplication -IncludeCentralAdministration | Where {$_.IsAdministrationWebApplication} | Select -ExpandProperty URL
Search-IISLogs $CentralAdminURL "/_admin/delsite.aspx"

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

One thought on “Find out Who has Deleted a Site Collection in SharePoint

  • Another great script! Thanks for this. Have a question though.. Is there any way I can detect PowerShell or programmatic deletions as well.

    TIA

    Reply

Leave a Reply