Find out Who has Deleted a Site Collection in SharePoint
Requirement: Find out who has deleted a site collection in SharePoint 2016.
How to Find Who Deleted a SharePoint Site?
Unfortunately, there are no direct ways to find out who deleted a SharePoint site. The PowerShell cmdlet "Get-SPDeletedSite" gets you all deleted site collections, without any hint about the user who deleted the site. So, How to find who deleted a SharePoint site? The only available way is: scan IIS Logs in SharePoint web front end servers for the specific URL "/_layouts/15/webdeleted.aspx" that gets called when a user deletes the site from the site settings page.
PowerShell to find out who deleted a SharePoint site:
Scan through each log file could be cumbersome. But PowerShell can help! This PowerShell script scans through all IIS log files of the given web application in the past 30 days. Just set the parameter $WebAppURL at the end of the script and execute it.
#Import necessary Modules Import-Module WebAdministration Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue #Function to get Log Folder of the SharePoint Web Application Function Get-IISLogFolder($WebAppURL) { #Get Web Applications' IIS Settings $WebApp = Get-SPWebApplication $WebAppURL $IISSettings = $WebApp.IISSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default] $WebSiteName = $IISSettings.ServerComment #Get Log Folder from Web Site $WebSite = Get-Website -Name $WebSiteName $LogLocation = "$($WebSite.LogFile.Directory)\w3svc$($WebSite.id)".Replace("%SystemDrive%",$Env:SystemDrive) Return $LogLocation } #Function to Parse IIS Log Function Parse-IISLog { [CmdletBinding()] [OutputType([System.Data.DataTable])] param( [Parameter(Mandatory=$True, ValueFromPipeline=$True)][string[]]$LogFilePath ) BEGIN { $LogDataTable = New-Object System.Data.DataTable $FieldsString = Get-Content -Path $LogFilePath | Select -First 5 | Where {$_ -Like "#[F]*"} $Fields = $FieldsString.substring(9).split(' ') $FieldsCount = $Fields.count - 1 } PROCESS { for($i=0;$i -lt $FieldsCount;$i++) { $LogDataTable.Columns.Add($Fields[$i]) | Out-Null } $Content = Get-Content -Path $LogFilePath | Where {$_ -notLike "#[D,S,V,F]*" } | ForEach-Object { $Row = $LogDataTable.NewRow() for($i=0;$i -lt $FieldsCount;$i++) { $Row[$i] = $_.Split(' ')[$i] } $LogDataTable.Rows.Add($row) } } END { $PSCmdlet.WriteObject($LogDataTable) } } #Function to search IIS Logs for a given URL in given web application Function Search-IISLogs($WebAppURL, [String]$SearchURL) { #Get IIS Log Folder $IISLogFolder = Get-IISLogFolder $WebAppURL #Get IIS Log files created in the past 30 days $IISLogFiles = Get-ChildItem -Path $IISLogFolder -Recurse | Where {$_.CreationTime -Gt (Get-Date).AddDays(-30)} ForEach($LogFile in $IISLogFiles) { Write-host "Processing Log File:"$LogFile.FullName -f Yellow $IISLogData = Parse-IISLog $LogFile.FullName #Search Data $SearchResults = New-Object System.Data.DataView($IISLogData) $SearchResults.RowFilter = "[cs-uri-stem] like '%$SearchURL%'" #Result If ($SearchResults.Count -gt 0) { Write-Host "`tFound Site Deletion!" -ForegroundColor Green $SearchResults | Select date, time, cs-uri-stem, cs-username, "cs(Referer)" | Format-Table } Else { Write-Host "`tNo Site Deletions Found!" -ForegroundColor DarkYellow } } } #Parameters $WebAppURL="http://intranet.crescent.com" #Call the function to search site deletions Search-IISLogs $WebAppURL "/_layouts/15/webdeleted.aspx"
This script gets you the details of the deleted site collection, such as who has deleted it, date, time, etc. Make sure you are running this script on all web front-end servers if you have more than one!
What if the site collection is deleted from Central Admin?
How about site collections deleted through SharePoint Central Administration site? Well, to search central admin, change the last two lines in the above PowerShell script.
#Call the function to search deleted sites from Central Admin $CentralAdminURL = Get-SPWebApplication -IncludeCentralAdministration | Where {$_.IsAdministrationWebApplication} | Select -ExpandProperty URL Search-IISLogs $CentralAdminURL "/_admin/delsite.aspx"
Another great script! Thanks for this. Have a question though.. Is there any way I can detect PowerShell or programmatic deletions as well.
ReplyDeleteTIA