The Magically Disappearing Sub-Site!
Working with a customer recently and a sub-site had magically disappeared in their SharePoint 2010 environment, it wasn't available to recover from the Site Collection recycle bin so they had to use their 3rd party backup tool to recover the sub-site, they really wanted to discover which user had deleted the sub-site as nobody was confessing! Two of the common ways that a user can delete a sub-site are via Site Actions>Site Settings>Delete this site or Site Actions>Manage Content and Structure (If the Publishing Feature is activated).
If the user deleted the site via Site Actions>Site Settings>Delete this site then the easiest way to identify who deleted the sub-site is to use Log Parser - https://www.microsoft.com/en-us/download/details.aspx?id=24659 (the old tools are the best!) to query the IIS logs for requests to /_layouts/webdeleted.aspx.
In this specific case, they couldn't identify the user using the Log Parser which suggested that the sub-site may have been deleted via other means, it turned out that Manage Content and Structure had been used to delete the sub-site, in which case it's simply a matter of checking the logs via Site Settings>Content and Structure Logs in the root web of the Site Collection. As you can see from the screenshot below, the sub-site /sites/site/subsite was deleted by User ID 9.
The one problem with the logs is that it reports the ID of the user within the Site Collection, which isn't much use on it's own. I put together a simple PowerShell function that takes a Site Collection and User ID as a parameter and returns the actual username.
Execute the following in PowerShell and then run the GetUserbyID function passing the Site Collection URL and User ID.
ASNP *SharePoint* -EA SilentlyContinue
Function GetUserbyID
{param($RootWebURL,$ID)
$RootWeb = Get-SPWeb $RootWebURL
$RootWeb.SiteUsers | Where {$_.ID -eq $ID}
}
In the example below, I identified the user as "CONTOSO\theculprit"
Brendan Griffin
Comments
- Anonymous
August 06, 2015
Hi Brendan,
Can you help me with the log parser query to look for the requests to /_layouts/webdeleted.aspx
your help is much appreciated
Thanks,
Vijay - Anonymous
August 07, 2015
@Vijay - here you go: LogParser.exe "SELECT * FROM D:Log.log Where cs-uri-stem like '%webdeleted.aspx%'"