Find out Who has Deleted a Site Collection in SharePoint

Requirement: Find out who has deleted a site collection in SharePoint 2016.

How to Find Who Deleted a SharePoint Site?

Unfortunately, there are no direct ways to find out who deleted a SharePoint site. The PowerShell cmdlet "Get-SPDeletedSite" gets you all deleted site collections, without any hint about the user who deleted the site. So, How to find who deleted a SharePoint site? The only available way is: scan IIS Logs in SharePoint web front end servers for the specific URL "/_layouts/15/webdeleted.aspx" that gets called when a user deletes the site from the site settings page.

PowerShell to find out who deleted a SharePoint site:

Scan through each log file could be cumbersome. But PowerShell can help! This PowerShell script scans through all IIS log files of the given web application in the past 30 days. Just set the parameter $WebAppURL at the end of the script and execute it.

#Import necessary Modules
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to get Log Folder of the SharePoint Web Application
Function Get-IISLogFolder($WebAppURL)
{
    #Get Web Applications' IIS Settings
    $WebApp = Get-SPWebApplication $WebAppURL
    $IISSettings = $WebApp.IISSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $WebSiteName = $IISSettings.ServerComment

    #Get Log Folder from Web Site
    $WebSite = Get-Website -Name $WebSiteName
    $LogLocation = "$($WebSite.LogFile.Directory)\w3svc$($WebSite.id)".Replace("%SystemDrive%",$Env:SystemDrive)
    Return $LogLocation
}

#Function to Parse IIS Log
Function Parse-IISLog {

 [CmdletBinding()]
    [OutputType([System.Data.DataTable])]
 param(
  [Parameter(Mandatory=$True, ValueFromPipeline=$True)][string[]]$LogFilePath
        )
 BEGIN {
        $LogDataTable = New-Object System.Data.DataTable
        $FieldsString = Get-Content -Path $LogFilePath | Select -First 5 | Where {$_ -Like "#[F]*"}
        $Fields = $FieldsString.substring(9).split(' ')
        $FieldsCount = $Fields.count - 1
    }
 PROCESS {
        for($i=0;$i -lt $FieldsCount;$i++) {
            $LogDataTable.Columns.Add($Fields[$i]) | Out-Null   
        }
        $Content = Get-Content -Path $LogFilePath | Where {$_ -notLike "#[D,S,V,F]*" } | ForEach-Object {
            $Row = $LogDataTable.NewRow()
            for($i=0;$i -lt $FieldsCount;$i++) {
                $Row[$i] = $_.Split(' ')[$i]
            }
            $LogDataTable.Rows.Add($row)
        }
    }
    END {
        $PSCmdlet.WriteObject($LogDataTable)
    }
}

#Function to search IIS Logs for a given URL in given web application
Function Search-IISLogs($WebAppURL, [String]$SearchURL)
{
    #Get IIS Log Folder
    $IISLogFolder = Get-IISLogFolder $WebAppURL

    #Get IIS Log files created in the past 30 days
    $IISLogFiles = Get-ChildItem -Path $IISLogFolder -Recurse | Where {$_.CreationTime  -Gt (Get-Date).AddDays(-30)}

    ForEach($LogFile in $IISLogFiles)
    {
        Write-host "Processing Log File:"$LogFile.FullName -f Yellow
        $IISLogData = Parse-IISLog $LogFile.FullName

        #Search Data
        $SearchResults = New-Object System.Data.DataView($IISLogData)
        $SearchResults.RowFilter = "[cs-uri-stem] like '%$SearchURL%'"

        #Result
        If ($SearchResults.Count -gt 0) 
        {
            Write-Host "`tFound Site Deletion!" -ForegroundColor Green
            $SearchResults | Select date, time, cs-uri-stem, cs-username, "cs(Referer)" | Format-Table
        } 
        Else 
        {
            Write-Host "`tNo Site Deletions Found!" -ForegroundColor DarkYellow
        }
    }
}

#Parameters
$WebAppURL="http://intranet.crescent.com"

#Call the function to search site deletions
Search-IISLogs $WebAppURL "/_layouts/15/webdeleted.aspx"

This script gets you the details of the deleted site collection, such as who has deleted it, date, time, etc. Make sure you are running this script on all web front-end servers if you have more than one!

What if the site collection is deleted from Central Admin?

How about site collections deleted through SharePoint Central Administration site? Well, to search central admin, change the last two lines in the above PowerShell script.

#Call the function to search deleted sites from Central Admin
$CentralAdminURL =  Get-SPWebApplication -IncludeCentralAdministration | Where {$_.IsAdministrationWebApplication} | Select -ExpandProperty URL
Search-IISLogs $CentralAdminURL "/_admin/delsite.aspx"

Disclaimer

This is my personal blog. Articles written on this blog are from my experience for my own reference and to help others.

Do not reproduce my content anywhere, in any form without my permission. If any article written on this blog violates copyright, please contact me! If you have a more elegant solution on any of the topics discussed - please post a comment, I'll be happy to hear!

This site uses cookies to personalize content, advertisements, and to analyze traffic. More here: Privacy Policy

SharePoint Diary

Find out Who has Deleted a Site Collection in SharePoint

1 comment:

Social Profiles

About Me

Archive

Popular

Labels

Total Views

Disclaimer

SharePoint Video Tutors

Follow by Email

Blog Awards