Find out Who has Deleted a Site Collection in SharePoint

Requirement: Find out who has deleted a site collection in SharePoint 2016.

How to Find Who Deleted a SharePoint Site?
Unfortunately, there is no direct way to find out who deleted a SharePoint site. The PowerShell cmdlet "Get-SPDeletedSite" lists all deleted site collections, but gives no hint about the user who deleted them. So how do you find who deleted a SharePoint site? The only available way is to scan the IIS logs on the SharePoint web front-end servers for the specific URL "/_layouts/15/webdeleted.aspx", which gets called when a user deletes the site from the site settings page.

PowerShell to find out who deleted a SharePoint site:
Scanning through each log file could be cumbersome. But PowerShell can help! This PowerShell script scans through all IIS log files of the given web application from the past 30 days. Just set the parameter $WebAppURL at the end of the script and execute it.
#Import necessary Modules
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to get Log Folder of the SharePoint Web Application
Function Get-IISLogFolder($WebAppURL)
{
    #Get Web Applications' IIS Settings
    $WebApp = Get-SPWebApplication $WebAppURL
    $IISSettings = $WebApp.IISSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $WebSiteName = $IISSettings.ServerComment

    #Get Log Folder from Web Site
    $WebSite = Get-Website -Name $WebSiteName
    $LogLocation = "$($WebSite.LogFile.Directory)\w3svc$($WebSite.id)".Replace("%SystemDrive%",$Env:SystemDrive)
    Return $LogLocation
}

#Function to Parse IIS Log
Function Parse-IISLog {

    [CmdletBinding()]
    [OutputType([System.Data.DataTable])]
    param(
        [Parameter(Mandatory=$True, ValueFromPipeline=$True)][string[]]$LogFilePath
    )
    BEGIN {
        $LogDataTable = New-Object System.Data.DataTable
        #Read the "#Fields:" header line to get the names of the fields logged in this file
        $FieldsString = Get-Content -Path $LogFilePath | Select -First 5 | Where {$_ -Like "#[F]*"}
        $Fields = $FieldsString.substring(9).Trim().split(' ')
        #Use every field in the header, including the last one
        $FieldsCount = $Fields.count
    }
    PROCESS {
        #Add one column per logged field
        for($i=0;$i -lt $FieldsCount;$i++) {
            $LogDataTable.Columns.Add($Fields[$i]) | Out-Null
        }
        #Skip the directive lines (#Date, #Software, #Version, #Fields) and load each entry as a row
        Get-Content -Path $LogFilePath | Where {$_ -notLike "#[D,S,V,F]*" } | ForEach-Object {
            $Values = $_.Split(' ')
            $Row = $LogDataTable.NewRow()
            for($i=0;$i -lt $FieldsCount;$i++) {
                $Row[$i] = $Values[$i]
            }
            $LogDataTable.Rows.Add($Row) | Out-Null
        }
    }
    END {
        $PSCmdlet.WriteObject($LogDataTable)
    }
}

#Function to search IIS Logs for a given URL in given web application
Function Search-IISLogs($WebAppURL, [String]$SearchURL)
{
    #Get IIS Log Folder
    $IISLogFolder = Get-IISLogFolder $WebAppURL

    #Get IIS Log files created in the past 30 days
    $IISLogFiles = Get-ChildItem -Path $IISLogFolder -Filter "*.log" -File -Recurse | Where {$_.CreationTime  -Gt (Get-Date).AddDays(-30)}

    ForEach($LogFile in $IISLogFiles)
    {
        Write-host "Processing Log File:"$LogFile.FullName -f Yellow
        $IISLogData = Parse-IISLog $LogFile.FullName

        #Search Data
        $SearchResults = New-Object System.Data.DataView($IISLogData)
        $SearchResults.RowFilter = "[cs-uri-stem] like '%$SearchURL%'"

        #Result
        If ($SearchResults.Count -gt 0) 
        {
            Write-Host "`tFound Site Deletion!" -ForegroundColor Green
            $SearchResults | Select date, time, cs-uri-stem, cs-username, "cs(Referer)" | Format-Table
        } 
        Else 
        {
            Write-Host "`tNo Site Deletions Found!" -ForegroundColor DarkYellow
        }
    }
}

#Parameters
$WebAppURL="http://intranet.crescent.com"

#Call the function to search site deletions
Search-IISLogs $WebAppURL "/_layouts/15/webdeleted.aspx"
This script gets you the details of the deleted site collection, such as who deleted it, the date, the time, etc. Make sure you run this script on all web front-end servers if you have more than one!

What if the site collection is deleted from Central Admin?
How about site collections deleted through the SharePoint Central Administration site? To search the Central Admin logs, change the last two lines in the above PowerShell script.
#Call the function to search deleted sites from Central Admin
$CentralAdminURL =  Get-SPWebApplication -IncludeCentralAdministration | Where {$_.IsAdministrationWebApplication} | Select -ExpandProperty URL
Search-IISLogs $CentralAdminURL "/_admin/delsite.aspx"
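
The script above and its Central Admin variant both come down to matching one URL in W3C-format log lines. As an added example (not part of the original post), the function below does that match on streamed lines and goes a little further: it re-reads the #Fields header whenever it reappears, skips 401 authentication challenges (logged with user "-"), and converts the UTC log timestamp to local time. The function name, sample lines, host names and accounts are constructed, and it assumes the date, time, cs-uri-stem, cs-username and sc-status fields are being logged.

```powershell
# Added example (not from the original post); the sample log lines below are constructed
$DeletionStems = '/_layouts/15/webdeleted.aspx', '/_admin/delsite.aspx'   # the two URLs this page searches for

Function Find-SiteDeletionRequest {
    [CmdletBinding()]
    param([Parameter(Mandatory=$True, ValueFromPipeline=$True)][AllowEmptyString()][string]$Line)
    BEGIN { $Fields = @() }
    PROCESS {
        If ($Line.StartsWith('#Fields: ')) {
            # IIS writes a new header whenever logging restarts, so the column set can change mid-file
            $Fields = $Line.Substring(9).Trim().Split(' ')
            Return
        }
        If ($Line.StartsWith('#') -or $Fields.Count -eq 0) { Return }
        $Values = $Line.Split(' ')
        If ($Values.Count -ne $Fields.Count) { Return }    # blank, truncated or malformed line
        $Entry = @{}
        For ($i = 0; $i -lt $Fields.Count; $i++) { $Entry[$Fields[$i]] = $Values[$i] }

        $Stem = $Entry['cs-uri-stem']
        If (-not ($DeletionStems | Where-Object { $Stem -like "*$_" })) { Return }
        # A 401 with user "-" is the authentication challenge, not an identified request
        If ($Entry['sc-status'] -eq '401') { Return }
        # W3C log timestamps are UTC; convert before comparing with local-time records
        $Utc = [datetime]::ParseExact("$($Entry['date']) $($Entry['time'])", 'yyyy-MM-dd HH:mm:ss',
                   [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
        [PSCustomObject]@{
            TimeUtc   = $Utc
            TimeLocal = $Utc.ToLocalTime()
            User      = $Entry['cs-username']
            ClientIP  = $Entry['c-ip']
            Status    = $Entry['sc-status']
            Url       = $Stem
            Referer   = $Entry['cs(Referer)']
        }
    }
}

# Constructed sample: one 401 challenge, one identified deletion, one unrelated hit, then a changed header
$SampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2020-05-30 09:14:02 GET /sites/hr/_layouts/15/webdeleted.aspx - 10.0.0.77 - 401
2020-05-30 09:14:02 GET /sites/hr/_layouts/15/webdeleted.aspx CONTOSO\jdoe 10.0.0.77 http://intranet.example.test/sites/hr/_layouts/15/settings.aspx 200
2020-05-30 09:20:11 GET /sites/hr/_layouts/15/start.aspx CONTOSO\asmith 10.0.0.78 - 200
#Fields: date time cs-uri-stem cs-username sc-status
2020-05-30 11:02:45 /_admin/delsite.aspx CONTOSO\farmadmin 200
'@ -split "`r?`n"

$SampleLog | Find-SiteDeletionRequest | Format-Table TimeUtc, User, ClientIP, Status, Url -AutoSize
```

To run it against real logs, pipe `Get-Content` of each file in the IIS log folder into the function; a row whose User is still "-" with a non-401 status means the request was logged without an authenticated user name.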

1 comment:

  1. Ravi Bhadravathi, May 30, 2020 at 12:00 PM

    Another great script! Thanks for this. Have a question though. Is there any way I can detect PowerShell or programmatic deletions as well?

    TIA

