Q. How can I see a list of all users who access Exchange via the Outlook Web Access (OWA)?
John Savill
June 22, 2009
2 Min Read
A. If you inspect the IIS web service logs you'll will see all the access logs, which include source IP address and username. This file is very cumbersome, however. A friend of mine, Tim McCarty, used the LOGPARSER tool with a little T-SQL script to take the data and reformat into a more digestible format. To make sure logs are enabled check, the Web Site tab of the default web site, as shown here.
Click to expand. |
First, save the following as UsersofOWA.sql
Selectdate as [Date],time as [Time],s-ip as [Server IP],cs-username as [UserName],c-ip as [Client-IP],cs-method as [Request Verb],cs-uri-stem as [Request URI]FROM \(The FROM line could also be a local or mapped drive.)Once you've saved this, you can parse the file using the commandLOGPARSER -i:IISW3C file:D:SourceslogsUsersofOWA.sql -o:csv -q:off >D:sourceslogsOWALogins.csvOnce you have the CSV file, you can see information such as unique users using Microsoft Excel's remove duplicates functionality. You can also tune the above commands and formats to get the format you want.Below is an example of the source log file format.date time s-ip cs-method cs-uri-stem cs-username cs-uri-querys-port c-ip cs(User-Agent) sc-status sc-substatussc-win32-status5/31/2009 0:00:00 10.10.10.10 POST /exchweb/bin/auth/owaauth.dll- - 443 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 302 0 05/31/2009 0:00:00 10.10.10.10 PROPFIND /exchange/username1/username1 - 443 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 207 0 05/31/2009 0:00:00 10.10.10.10 PROPFIND /exchange/username1/username1 - 443 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 05/31/2009 0:00:00 10.10.10.10 SEARCH /exchange/username1/Inboxusername1 - 443 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 05/31/2009 0:00:00 10.10.10.10 SEARCH /exchange/username1/Inboxusername1 - 443 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 05/31/2009 0:00:00 10.10.10.10 POLL /exchange/username2/Inbox- - 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 401 2 21480742545/31/2009 0:00:03 10.10.10.10 POST /Microsoft-Server-ActiveSyncdomainnameusername3 User=username3&DeviceId=.&DeviceType=iPhone&Cmd=Ping&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C20I11176S161712R0S0L300H0P 443 Apple-iPhone/508.11 200 0 05/31/2009 0:00:04 10.10.10.10 POST /Microsoft-Server-ActiveSyncdomainnameusername5 User=username5&DeviceId=&DeviceType=SmartPhone&Cmd=Ping&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C17I8718S68530R0S0L1680H0P 443 MSFT-SPhone/5.2.402 200 0 05/31/2009 0:00:04 10.10.10.10 POLL /exchange/username6/Inbox - - 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 401 2 21480742545/31/2009 0:00:04 10.10.10.10 POST /Microsoft-Server-ActiveSync domainnameusername7 User=username7&DeviceId=&DeviceType=iPhone&Cmd=Sync&Log=V4TCoSSC:0A0C0D0FS:0A0C0D0SP:1C3I5426S49100R0S0L0H0P 443 Apple-iPhone/508.11 200 0 05/31/2009 0:00:06 10.10.10.10 GET /exchange/username8/[email protected] cmd=spellcheck 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 05/31/2009 0:00:06 10.10.10.10 GET /exchweb/6.5.7651.60/controls/style30.css - - 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 05/31/2009 0:00:06 10.10.10.10 GET /exchweb/themes/0/owacolors.css - - 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 05/31/2009 0:00:06 10.10.10.10 POST /Microsoft-Server-ActiveSyncdomainnameusername9 User=username9&DeviceId=&DeviceType=SmartPhone&Cmd=Sync&Log=V4TEmSSC:0A0C0D0FS:0A0C0D3SP:1C4I16442S35772R0S0L0H0P 443 MSFT-SPhone/5.2.402 200 0 05/31/2009 0:00:06 10.10.10.10 GET /exchange/username8/[email protected] cmd=script&template=loc_spellcheck&cache=1&ver=6.5.7651.60 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 05/31/2009 1:00:06 10.10.10.11 GET /[email protected] - 443 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 302 0 0The CSV output is shown here.Click to expand.Related Reading: How can I easily install the Windows Server 2008 roles and features that Exchange Server 2007 requires?When I try to perform a mailbox move, why do I get errors with accounts that have whitespace in the Name or DisplayName?What Mail Server Are You Using?Who Says You Need Microsoft Exchange Server? Videos: Exchange 2007 High AvailabilityCreating Policies with Microsoft Exchange MRMUsing Windows SideShow on a Mobile Device Audio: Exchange 2007 and High Availability w/Paul Robichaux Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.
About the Author
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
You May Also Like