Find out Who has Deleted a Site Collection in SharePoint

Requirement: Find out who has deleted a site collection in SharePoint 2016 server.

find who deleted a sharepoint site

SharePoint Site Collection deletion is a serious matter as it can lead to data loss and business disruption. In some cases, it can happen accidentally by a user with permission or maliciously by a user with access to SharePoint. In this guide, we will show you how to find out who has deleted a Site Collection in SharePoint. We will cover the steps to check the SharePoint IIS logs, and also how to use PowerShell to retrieve the information.

How to Find Who Deleted a SharePoint Site?

Unfortunately, there are no direct ways to find out who deleted a SharePoint site. The PowerShell cmdlet “Get-SPDeletedSite” gets you all deleted site collections without any hint about the user who deleted the site. So, How do you find who deleted a SharePoint site? The only available way is to scan IIS Logs in SharePoint web front end servers for the specific URL “/_layouts/15/webdeleted.aspx” that gets called when a user deletes the site from the site settings page.

PowerShell to find out who deleted a SharePoint site:

Scanning through each log file could be cumbersome. But PowerShell can help! This PowerShell script scans through all IIS log files of the given web application in the past 30 days. Set the parameter $WebAppURL at the end of the script and execute it.

#Import necessary Modules
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to get Log Folder of the SharePoint Web Application
Function Get-IISLogFolder($WebAppURL)
{
    #Get Web Applications' IIS Settings
    $WebApp = Get-SPWebApplication $WebAppURL
    $IISSettings = $WebApp.IISSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $WebSiteName = $IISSettings.ServerComment

    #Get Log Folder from Web Site
    $WebSite = Get-Website -Name $WebSiteName
    $LogLocation = "$($WebSite.LogFile.Directory)\w3svc$($WebSite.id)".Replace("%SystemDrive%",$Env:SystemDrive)
    Return $LogLocation
}

#Function to Parse IIS Log
Function Parse-IISLog {

 [CmdletBinding()]
    [OutputType([System.Data.DataTable])]
 param(
  [Parameter(Mandatory=$True, ValueFromPipeline=$True)][string[]]$LogFilePath
        )
 BEGIN {
        $LogDataTable = New-Object System.Data.DataTable
        $FieldsString = Get-Content -Path $LogFilePath | Select -First 5 | Where {$_ -Like "#[F]*"}
        $Fields = $FieldsString.substring(9).split(' ');
        $FieldsCount = $Fields.count - 1
    }
 PROCESS {
        for($i=0;$i -lt $FieldsCount;$i++) {
            $LogDataTable.Columns.Add($Fields[$i]) | Out-Null   
        }
        $Content = Get-Content -Path $LogFilePath | Where {$_ -notLike "#[D,S,V,F]*" } | ForEach-Object {
            $Row = $LogDataTable.NewRow()
            for($i=0;$i -lt $FieldsCount;$i++) {
                $Row[$i] = $_.Split(' ')[$i]
            }
            $LogDataTable.Rows.Add($row)
        }
    }
    END {
        $PSCmdlet.WriteObject($LogDataTable)
    }
}

#Function to search IIS Logs for a given URL in given web application
Function Search-IISLogs($WebAppURL, [String]$SearchURL)
{
    #Get IIS Log Folder
    $IISLogFolder = Get-IISLogFolder $WebAppURL

    #Get IIS Log files created in the past 30 days
    $IISLogFiles = Get-ChildItem -Path $IISLogFolder -Recurse | Where {$_.CreationTime  -Gt (Get-Date).AddDays(-30)}

    ForEach($LogFile in $IISLogFiles)
    {
        Write-host "Processing Log File:"$LogFile.FullName -f Yellow
        $IISLogData = Parse-IISLog $LogFile.FullName

        #Search Data
        $SearchResults = New-Object System.Data.DataView($IISLogData)
        $SearchResults.RowFilter = "[cs-uri-stem] like '%$SearchURL%'"

        #Result
        If ($SearchResults.Count -gt 0) 
        {
            Write-Host "`tFound Site Deletion!" -ForegroundColor Green
            $SearchResults | Select date, time, cs-uri-stem, cs-username, "cs(Referer)" | Format-Table
        } 
        Else 
        {
            Write-Host "`tNo Site Deletions Found!" -ForegroundColor DarkYellow
        }
    }
}

#Parameters
$WebAppURL="https://intranet.crescent.com"

#Call the function to search site deletions
Search-IISLogs $WebAppURL "/_layouts/15/webdeleted.aspx"

This script gets you the details of the deleted site collection, such as who has deleted it, date, time, etc. Make sure you are running this script on all web front-end servers if you have more than one!

What if the site collection is deleted from Central Admin?

How about site collections deleted through the SharePoint Central Administration site? Well, to search central admin, change the last two lines in the above PowerShell script.

#Call the function to search deleted sites from Central Admin
$CentralAdminURL =  Get-SPWebApplication -IncludeCentralAdministration | Where {$_.IsAdministrationWebApplication} | Select -ExpandProperty URL
Search-IISLogs $CentralAdminURL "/_admin/delsite.aspx"

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

One thought on “Find out Who has Deleted a Site Collection in SharePoint

  • Another great script! Thanks for this. Have a question though.. Is there any way I can detect PowerShell or programmatic deletions as well.

    TIA

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *