SharePoint: Get Audits for a Document using PowerShell

Here's a very useful script that lets you specify the URL of a web, the name of a document library, and the full URL of a document, and then generates a list of all users who accessed the document, when they accessed it, and what they did with it (read it, edited it, etc.).

```powershell
# Check to see if the SharePoint Snapin is already loaded, if not, load it in the current PowerShell session;
if((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
      Add-PsSnapin Microsoft.SharePoint.PowerShell
}

# Prompt the user to enter the URL of the web;
$webURL = Read-Host "URL of the web containing the document"

# Prompt the user for the name of the document library containing the document;
$docLibraryName = Read-Host "Name of the document library"

# Prompt the user to enter the URL to the document;
$docURL = Read-Host "URL of the document"

# Get a reference to the document in question;
$web = Get-SPWeb $webURL
$docLibrary = $web.Lists[$docLibraryName]
$document = $web.GetFile($docURL)

# Get the audit entries for the library;
$audit = $docLibrary.Audit
$auditEntries = $audit.GetEntries()

# Resolve each entry's user ID to a login name and print who did what, and when;
foreach($entry in ($auditEntries | Select -unique))
{
      $userId = $entry.UserId
      $userEntry = $web.AllUsers | Where{$_.ID -eq $userId}
      $userName = $userEntry.UserLogin
      Write-Host $userName "--" $entry.Occurred "--" $entry.Event
}

# Release the web only now, because the loop above still reads $web.AllUsers;
$web.Dispose()
```

For example, assume you have a top secret document and want to make sure that nobody with admin access can read its content (remember that even if you properly set permissions on documents, there are always people with higher permissions who may not be allowed to access certain content).

In the following example, the above script was run against such a top secret document. Only the system administrator should be able to access it. However, by looking at the audit log generated by PowerShell, we can clearly see that a user, Bob Houle, accessed the document at 6:40 PM on April 5th 2014, and that he opened the document in read mode.

<screenshot missing> 

This assumes you have turned on auditing at the site collection level by going to the site collection audit settings page and enabling all auditable actions.
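
For the top secret scenario above, reading the raw listing by eye does not scale, so the following added example (not part of the original script) narrows a set of audit entries to one document and reports only accesses by accounts outside an allow-list. The function name, its parameters, the account names and the sample entries are all hypothetical; it assumes each entry exposes `UserId`, `Occurred`, `Event` and `DocLocation`, and that `DocLocation` holds the document path in the same form you pass in.

```powershell
# Added example: function, parameter and account names are hypothetical.
function Get-UnexpectedDocumentAccess {
    param(
        [Parameter(Mandatory=$true)] [object[]]  $AuditEntries,  # need UserId, Occurred, Event, DocLocation
        [Parameter(Mandatory=$true)] [hashtable] $UserLogins,    # user ID -> login name
        [Parameter(Mandatory=$true)] [string]    $DocLocation,   # document path as it appears in the entries
        [string[]] $AllowedLogins = @()
    )
    $target = $DocLocation.TrimStart('/')
    $seen = @{}
    foreach ($entry in ($AuditEntries | Sort-Object Occurred)) {
        # Keep only entries recorded for the document itself, not the rest of the library
        if ("$($entry.DocLocation)".TrimStart('/') -ne $target) { continue }

        # Resolve the user; IDs with no match (e.g. deleted accounts) stay visible
        $login = $UserLogins[[int]$entry.UserId]
        if (-not $login) { $login = "<unknown user id $($entry.UserId)>" }
        if ($AllowedLogins -contains $login) { continue }

        # Report each user/time/event combination once
        $key = "$login|$($entry.Occurred.ToString('o'))|$($entry.Event)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        New-Object PSObject -Property @{ User = $login; Occurred = $entry.Occurred; Event = "$($entry.Event)" } |
            Select-Object User, Occurred, Event
    }
}

# Constructed sample data (not real audit output)
function New-SampleEntry($id, $when, $action, $path) {
    New-Object PSObject -Property @{ UserId = $id; Occurred = [datetime]$when; Event = $action; DocLocation = $path }
}
$users  = @{ 1 = 'CONTOSO\spadmin'; 7 = 'CONTOSO\user7' }
$sample = @(
    (New-SampleEntry 1 '2014-04-05 09:15' 'View'   'Secret Docs/plan.docx'),
    (New-SampleEntry 7 '2014-04-05 18:40' 'View'   'Secret Docs/plan.docx'),
    (New-SampleEntry 7 '2014-04-05 18:40' 'View'   'Secret Docs/plan.docx'),   # duplicate
    (New-SampleEntry 7 '2014-04-05 18:45' 'Update' 'Secret Docs/other.docx'),  # different document
    (New-SampleEntry 9 '2014-04-06 08:00' 'View'   'Secret Docs/plan.docx')    # unresolved ID
)
Get-UnexpectedDocumentAccess -AuditEntries $sample -UserLogins $users `
    -DocLocation '/Secret Docs/plan.docx' -AllowedLogins 'CONTOSO\spadmin'
```

On the sample data this returns two rows: the single view by `CONTOSO\user7` and the view by the unresolved user ID 9.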