Tuesday, 14 February 2017

Translating SharePoint Audit log reports:

Translating Site ID and PrincipleID

I produced a Audit report for Security events and though I can see that some security events occurred on the relevant dates I couldn't find a way to translate the Site ID and the Principle ID in the Site ID and Event Data columns. 

It can be done! Enter PowerShell!!!!


Audit Log exported to Excel and downloaded: It just looks horrible



Translate the siteID:

$site = get-spsite -limit all
$site | select ID, url | ft -AutoSize | out-file C:\Scripts\siteID.txt

Then I did a find in the .txt file to match the site ID with the URL

e.g.



Translate the PrincipleID:
  
$site = new-object Microsoft.SharePoint.SPSite("http://SPWebApplication");  
$ServiceContext = [Microsoft.SharePoint.SPServiceContext]::GetContext($site);  
$ProfileManager = new-object Microsoft.Office.Server.UserProfiles.UserProfileManager($ServiceContext)    
$AllProfiles = $ProfileManager.GetEnumerator() 

$AllProfiles | select displayname,recordID | ft -autosize | out-file c:\scripts\profiles.txt

Then do a Find on the Principle ID and you will get the Display name mapping:




Translating groupid and userid

/_layouts/userdisp.aspx?id=


E.G

I’ve run a custom security report and the results show 5 permissions edits:


The Event Data column shows the user affected in group\user format











To find:

/_layouts/userdisp.aspx?id=218

/_layouts/userdisp.aspx?id=283

/_layouts/userdisp.aspx?id=8

Etc

This shows you either the user's information or the group's members depending on the entered id 

So: 
/_layouts/userdisp.aspx?id=218 - shows a user id
/_layouts/userdisp.aspx?id=8 - shows group membership


Note: The ids are unique within site collections only. So ...?id=42 within site collection A might be a different user or group in site collection B.


That's all folks - Thanks for visiting!

No comments:

Post a Comment