Q. How can I see a list of all users who access Exchange via the Outlook Web Access (OWA)?

A. If you inspect the IIS web service logs, you'll see all the access logs, which include the source IP address and username. This file is very cumbersome, however. A friend of mine, Tim McCarty, used the LOGPARSER tool with a little T-SQL script to take the data and reformat it into a more digestible format. To make sure logging is enabled, check the Web Site tab of the default web site, as shown here.


First, save the following as UsersofOWA.sql

SELECT
    date AS [Date],
    time AS [Time],
    s-ip AS [Server IP],
    cs-username AS [UserName],
    c-ip AS [Client-IP],
    cs-method AS [Request Verb],
    cs-uri-stem AS [Request URI]

FROM \\














(The FROM line could also be a local or mapped drive.)

Once you've saved this, you can parse the file using the command

LOGPARSER -i:IISW3C file:D:\Sources\logs\UsersofOWA.sql -o:csv -q:off >D:\sources\logs\OWALogins.csv

Once you have the CSV file, you can see information such as unique users using Microsoft Excel's remove duplicates functionality. You can also tune the above commands and formats to get the format you want.
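The unique-user view can also be built straight from the W3C log, which makes it easy to see each user's distinct client IPs and which clients received 401 responses. The following is an added example, not part of the original FAQ or Tim McCarty's script; the function names and the sample log lines are constructed for illustration, and it assumes the cs-username, c-ip, cs-uri-stem and sc-status fields are being logged.

```python
from collections import defaultdict

# Constructed sample in IIS W3C format (not real data; documentation-range IPs).
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-username s-port c-ip sc-status
2009-05-31 00:00:00 10.10.10.10 POST /exchweb/bin/auth/owaauth.dll - 443 192.0.2.15 302
2009-05-31 00:00:01 10.10.10.10 PROPFIND /exchange/username1/ username1 443 192.0.2.15 207
2009-05-31 00:00:02 10.10.10.10 SEARCH /exchange/username1/Inbox DOMAINNAME\username1 443 198.51.100.7 207
2009-05-31 00:00:03 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username3 443 192.0.2.44 200
2009-05-31 00:00:04 10.10.10.10 POLL /exchange/username2/Inbox - 443 192.0.2.90 401
2009-05-31 00:00:05 10.10.10.10 GET /exchange/username8/ username8@example.com 443 192.0.2.61 200
"""
OWA_PREFIXES = ("/exchange", "/exchweb")  # OWA paths seen in the page's sample log

def normalize_user(raw):
    """Fold DOMAIN\\user, user@domain and bare user into one lowercase key."""
    return raw.lower().split("\\")[-1].split("@", 1)[0]

def parse_w3c(lines):
    """Yield one dict per request, mapping columns via the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # may reappear mid-file with new columns
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def owa_user_summary(lines):
    """Return (users, denied): per-user OWA activity and 401 counts per client IP."""
    users = defaultdict(lambda: {"requests": 0, "client_ips": set()})
    denied = defaultdict(int)
    for row in parse_w3c(lines):
        if not row["cs-uri-stem"].lower().startswith(OWA_PREFIXES):
            continue  # e.g. ActiveSync traffic is not OWA
        if row["sc-status"] == "401":
            denied[row["c-ip"]] += 1
        if row["cs-username"] != "-":  # "-" means no authenticated user
            entry = users[normalize_user(row["cs-username"])]
            entry["requests"] += 1
            entry["client_ips"].add(row["c-ip"])
    return dict(users), dict(denied)

if __name__ == "__main__":
    users, denied = owa_user_summary(SAMPLE_LOG.splitlines())
    for name, info in sorted(users.items()):
        print(name, info["requests"], sorted(info["client_ips"]))
    print("401 responses by client IP:", denied)
```

To run it against a real log, pass the open file object to owa_user_summary instead of the sample lines.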

Below is an example of the source log file format.

date time s-ip cs-method cs-uri-stem cs-username cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
5/31/2009 0:00:00 10.10.10.10 POST /exchweb/bin/auth/owaauth.dll - - 443  Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 302 0 0
5/31/2009 0:00:00 10.10.10.10 PROPFIND /exchange/username1/ username1 - 443  Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 PROPFIND /exchange/username1/ username1 - 443  Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 SEARCH /exchange/username1/Inbox username1 - 443  Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 SEARCH /exchange/username1/Inbox username1 - 443  Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 POLL /exchange/username2/Inbox - - 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 401 2 2148074254
5/31/2009 0:00:03 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username3 User=username3&DeviceId=.&DeviceType=iPhone&Cmd=Ping&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C20I11176S161712R0S0L300H0P 443  Apple-iPhone/508.11 200 0 0
5/31/2009 0:00:04 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username5 User=username5&DeviceId=&DeviceType=SmartPhone&Cmd=Ping&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C17I8718S68530R0S0L1680H0P 443  MSFT-SPhone/5.2.402 200 0 0
5/31/2009 0:00:04 10.10.10.10 POLL /exchange/username6/Inbox - - 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 401 2 2148074254
5/31/2009 0:00:04 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username7 User=username7&DeviceId=&DeviceType=iPhone&Cmd=Sync&Log=V4TCoSSC:0A0C0D0FS:0A0C0D0SP:1C3I5426S49100R0S0L0H0P 443  Apple-iPhone/508.11 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchange/username8/ [email protected] cmd=spellcheck 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchweb/6.5.7651.60/controls/style30.css - - 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchweb/themes/0/owacolors.css - - 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 0:00:06 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username9 User=username9&DeviceId=&DeviceType=SmartPhone&Cmd=Sync&Log=V4TEmSSC:0A0C0D0FS:0A0C0D3SP:1C4I16442S35772R0S0L0H0P 443  MSFT-SPhone/5.2.402 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchange/username8/ [email protected] cmd=script&template=loc_spellcheck&cache=1&ver=6.5.7651.60 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 1:00:06 10.10.10.11 GET /exchange [email protected] - 443  Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 302 0 0

The CSV output is shown here.



Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.