Translating Site ID and PrincipleID
I produced a Audit report for Security events and though I can see that some security events occurred on the relevant dates I couldn't find a way to translate the Site ID and the Principle ID in the Site ID and Event Data columns.
It can be done! Enter PowerShell!!!!
Audit Log exported to Excel and downloaded: It just looks horrible
Translate the siteID:
$site = get-spsite -limit all
$site | select ID, url | ft -AutoSize | out-file C:\Scripts\siteID.txt
Then I did a find in the .txt file to match the site ID with the URL
Translate the PrincipleID:
$site = new-object Microsoft.SharePoint.SPSite("http://SPWebApplication");
$ServiceContext = [Microsoft.SharePoint.SPServiceContext]::GetContext($site);
$ProfileManager = new-object Microsoft.Office.Server.UserProfiles.UserProfileManager($ServiceContext)
$AllProfiles = $ProfileManager.GetEnumerator()
$AllProfiles | select displayname,recordID | ft -autosize | out-file c:\scripts\profiles.txt
Then do a Find on the Principle ID and you will get the Display name mapping:
Translating groupid and userid
Pasted from <http://sharepoint.stackexchange.com/questions/156443/who-is-behind-which-id-in-audit-logs>
I’ve run a custom security report and the results show 5 permissions edits:
The Event Data column shows the user affected in group\user format
This shows you either the user's information or the group's members depending on the entered id
Note: The ids are unique within site collections only. So ...?id=42 within site collection A might be a different user or group in site collection B.
That's all folks - Thanks for visiting!