In our large multi-server SharePoint 2013 farm that has large databases, a user that had site collection administrative privileges deleted a site collection. The team doesn’t know when and how it was deleted, but they first need to restore the site and then figure out which user deleted it.
This site collection was deleted accidently with the GUI and a delete can only be executed by someone who has SharePoint site collection administrator privileges. Here are a few reasons this could have happened:
- A site collection administrator mistakenly deletes the wrong site collection (which was requested by a user or a user group).
- It can be mistakenly deleted by a fairly new site collection administrator who doesn’t have much experience with SharePoint.
- It can also happen due to bad SharePoint governance where every user has too much access to a SharePoint site collection.
The solution will be in two parts for this issue:
- First, you need to restore the deleted site collection. There are many methods to restore a site collection for different situations, but here we will use a scenario where a site collection administrator deleted a site collection using the web interface.
- Second, we will trace the user who deleted this site collection. It can be done by digging into different logs related to SharePoint.
Restore Site Collection
You can find a list of deleted sites using the following PowerShell command on your server.
The result will show the deleted site collection details.
Following is an example. The result shows the URL and date and time of deletion, but we need to use the SiteId with a valid GUID in order to restore.
Copy the SiteId and use the following PowerShell to restore it. (Enter the SiteId value for "Site ID" below.)
Restore-SPDeletedSite – identity “Site ID”
It will be restore on same web application and content database.
Trace User Who Deleted Site
Open the IIS log file on the server. You might find out that the site collection was deleted few days ago, so you want to open a log file closer to the Deletion time (you can get the deletion time information by running Get-SPDeletedSite as we did above).
Search for /_layouts/15/deleteweb.aspx in the IIS log file. You will find something like below:
Before, when you ran Get-SPDeletedSite, the site collection Deletion Time was 11/9/2017 10:49:40 PM. We want to look for information around that time only. In the above IIS log file image, you can see the site collection was deleted around that time and instead of USERNAME, you will see the real user ID. Also, it will show you a 401 error.
Another option is to use the information in Unified Logging Service (ULS) logs by using the following PowerShell command. Since we have an idea of the deletion time, I am using a start and end time to the merge the logs for a specific time range.
Merge-SPLogFile -Path "d:\temp\logs.txt" -StartTime "11/9/2017 22:47" -EndTime "11/9/2017 22:51"
Then we can look for /_layouts/15/deleteweb.aspx in the merged ULS log file and you should find something like the following which is similar to what we see above. Here we can see date and time of the site collection deletion and also the user name (again I masked the actual user name with USERNAME).
- Take a look at TechNet topics Get-SPDeletedSite and Restore-SPDeletedSite
- Review TechNet article Restore a deleted site in SharePoint 2013
- If a site collection is not found in the recycling bin and has been deleted from there, restore the site collection from a backup content database.
- There is no direct out of the box method to prevent site collection deletion (with site collection administrative privilege). This will need to be coded. The best recommendation is to use good SharePoint governance where roles are specified in the correct manner.
- Sometimes a site collection gets deleted and no one knows until a user finds out. You cannot set up an email notification until you write some kind of code. My recommendation is to create a PowerShell script to list all site collections under a web app and run it every night through Windows task scheduler. You can modify the script as per your needs and the data will be reported every morning or as required.
Last Update: 2018-02-02
About the author
View all my tips