Tuesday, 14 February 2017

Translating SharePoint Audit log reports:

Translating Site ID and PrincipleID

I produced a Audit report for Security events and though I can see that some security events occurred on the relevant dates I couldn't find a way to translate the Site ID and the Principle ID in the Site ID and Event Data columns. 

It can be done! Enter PowerShell!!!!

Audit Log exported to Excel and downloaded: It just looks horrible

Translate the siteID:

$site = get-spsite -limit all
$site | select ID, url | ft -AutoSize | out-file C:\Scripts\siteID.txt

Then I did a find in the .txt file to match the site ID with the URL


Translate the PrincipleID:
$site = new-object Microsoft.SharePoint.SPSite("http://SPWebApplication");  
$ServiceContext = [Microsoft.SharePoint.SPServiceContext]::GetContext($site);  
$ProfileManager = new-object Microsoft.Office.Server.UserProfiles.UserProfileManager($ServiceContext)    
$AllProfiles = $ProfileManager.GetEnumerator() 

$AllProfiles | select displayname,recordID | ft -autosize | out-file c:\scripts\profiles.txt

Then do a Find on the Principle ID and you will get the Display name mapping:

Translating groupid and userid



I’ve run a custom security report and the results show 5 permissions edits:

The Event Data column shows the user affected in group\user format

To find:





This shows you either the user's information or the group's members depending on the entered id 

/_layouts/userdisp.aspx?id=218 - shows a user id
/_layouts/userdisp.aspx?id=8 - shows group membership

Note: The ids are unique within site collections only. So ...?id=42 within site collection A might be a different user or group in site collection B.

That's all folks - Thanks for visiting!

No comments:

Post a Comment

SharePoint Information Architecture Diagram

Here is the template I use for Information Architecture designs. It's built using Mindjet and I flesh the nodes out with the low level d...