Recover Deleted Site Collection in SharePoint

By:   |   Comments (4)   |   Related: > SharePoint


Problem

In our large multi-server SharePoint 2013 farm that has large databases, a user that had site collection administrative privileges deleted a site collection. The team doesn’t know when and how it was deleted, but they first need to restore the site and then figure out which user deleted it.

Solution

This site collection was deleted accidently with the GUI and a delete can only be executed by someone who has SharePoint site collection administrator privileges. Here are a few reasons this could have happened:

  1. A site collection administrator mistakenly deletes the wrong site collection (which was requested by a user or a user group).
  2. It can be mistakenly deleted by a fairly new site collection administrator who doesn’t have much experience with SharePoint.
  3. It can also happen due to bad SharePoint governance where every user has too much access to a SharePoint site collection.

The solution will be in two parts for this issue:

  • First, you need to restore the deleted site collection. There are many methods to restore a site collection for different situations, but here we will use a scenario where a site collection administrator deleted a site collection using the web interface.
  • Second, we will trace the user who deleted this site collection. It can be done by digging into different logs related to SharePoint.

Restore Site Collection

You can find a list of deleted sites using the following PowerShell command on your server.

The result will show the deleted site collection details.

Get-SPDeletedSite

Following is an example. The result shows the URL and date and time of deletion, but we need to use the SiteId with a valid GUID in order to restore.

Deleted Site Collection

Copy the SiteId and use the following PowerShell to restore it. (Enter the SiteId value for "Site ID" below.)

Restore-SPDeletedSite  identity “Site ID”

It will be restore on same web application and content database.

Trace User Who Deleted Site

Open the IIS log file on the server. You might find out that the site collection was deleted few days ago, so you want to open a log file closer to the Deletion time (you can get the deletion time information by running Get-SPDeletedSite as we did above).

Search for /_layouts/15/deleteweb.aspx in the IIS log file. You will find something like below:

IIS Logs

Before, when you ran Get-SPDeletedSite, the site collection Deletion Time was 11/9/2017 10:49:40 PM. We want to look for information around that time only. In the above IIS log file image, you can see the site collection was deleted around that time and instead of USERNAME, you will see the real user ID. Also, it will show you a 401 error.

Another option is to use the information in Unified Logging Service (ULS) logs by using the following PowerShell command. Since we have an idea of the deletion time, I am using a start and end time to the merge the logs for a specific time range. 

Merge-SPLogFile -Path "d:\temp\logs.txt" -StartTime "11/9/2017 22:47" -EndTime "11/9/2017 22:51"

Then we can look for /_layouts/15/deleteweb.aspx in the merged ULS log file and you should find something like the following which is similar to what we see above.  Here we can see date and time of the site collection deletion and also the user name (again I masked the actual user name with USERNAME).

ULS Logs
Next Steps
  • Take a look at TechNet topics Get-SPDeletedSite and Restore-SPDeletedSite
  • Review TechNet article Restore a deleted site in SharePoint 2013
  • If a site collection is not found in the recycling bin and has been deleted from there, restore the site collection from a backup content database.
  • There is no direct out of the box method to prevent site collection deletion (with site collection administrative privilege). This will need to be coded. The best recommendation is to use good SharePoint governance where roles are specified in the correct manner.
  • Sometimes a site collection gets deleted and no one knows until a user finds out. You cannot set up an email notification until you write some kind of code. My recommendation is to create a PowerShell script to list all site collections under a web app and run it every night through Windows task scheduler. You can modify the script as per your needs and the data will be reported every morning or as required.


sql server categories

sql server webinars

subscribe to mssqltips

sql server tutorials

sql server white papers

next tip



About the author
MSSQLTips author Deepak Kumeri Deepak Kumeri is a senior SharePoint Administrator and with experience in MOSS 2007, SharePoint 2010, 2013, 2016 and SharePoint online.

This author pledges the content of this article is based on professional experience and not AI generated.

View all my tips


Comments For This Article




Wednesday, May 16, 2018 - 9:48:57 AM - Deepak Kumeri Back To Top (75954)

Hi, Please try following and also can you please send me litlle more descriptive logs. 

https://social.msdn.microsoft.com/Forums/Lync/en-US/516a9363-b594-4463-b207-1de6b86d5bd3/error-running-sharepoint-2013-workflows-invalidrequestexception?forum=wflmgr 

 

 

 

Friday, April 20, 2018 - 9:37:38 AM - Andre Back To Top (75740)

Hello, I deleted a site collection and restored it using the method describe in this page but after a few days I realized that the workflows are no longer working. IFrist I was not able to publish or run workflow and in the ULS I found error saying that the scope was not activated. I fixed this so I'm now able to publish my workflow but they are still not running and I got an error in ULS saying the "the scope /sharepoint/default/..... has no workflow under it".

Any idea what is wrong? 

Thanks 

Thursday, March 15, 2018 - 11:52:26 AM - Biruk Back To Top (75432)

Thank you. I am sharing this with my team. 

 

Thursday, March 15, 2018 - 10:44:12 AM - Kartikeya Virmani Back To Top (75430)

 I would like to try this. 

 














get free sql tips
agree to terms