A. If you inspect the IIS web service logs you'll see all the access entries, which include the source IP address and username. The raw log file is very cumbersome to read, however. A friend of mine, Tim McCarty, used the LOGPARSER tool with a little T-SQL script to take the data and reformat it into a more digestible form. To make sure logging is enabled, check the Web Site tab of the default web site, as shown here.
First, save the following as UsersofOWA.sql
Select
    date as [Date],
    time as [Time],
    s-ip as [Server IP],
    cs-username as [UserName],
    c-ip as [Client-IP],
    cs-method as [Request Verb],
    cs-uri-stem as [Request URI]
FROM \\<UNC-PATH-TO-THE-LOGS>\*.log
WHERE cs-method LIKE 'GET' AND cs-uri-stem LIKE '/exchange'
    AND cs-username LIKE '%'
(The FROM line could also be a local or mapped drive.)
Once you've saved this, you can parse the logs using the command (all on one line):
LOGPARSER -i:IISW3C file:D:\Sources\logs\UsersofOWA.sql -o:csv -q:off >D:\sources\logs\OWALogins.csv
Once you have the CSV file, you can see information such as unique users using Microsoft Excel's remove duplicates functionality. You can also tune the above commands and formats to get the format you want.
Below is an example of the source log file format.
date time s-ip cs-method cs-uri-stem cs-username cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
5/31/2009 0:00:00 10.10.10.10 POST /exchweb/bin/auth/owaauth.dll - - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 302 0 0
5/31/2009 0:00:00 10.10.10.10 PROPFIND /exchange/username1/ username1 - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 PROPFIND /exchange/username1/ username1 - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 SEARCH /exchange/username1/Inbox username1 - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 SEARCH /exchange/username1/Inbox username1 - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0) 207 0 0
5/31/2009 0:00:00 10.10.10.10 POLL /exchange/username2/Inbox - - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 401 2 2148074254
5/31/2009 0:00:03 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username3 User=username3&DeviceId=<device-id>&DeviceType=iPhone&Cmd=Ping&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C20I11176S161712R0S0L300H0P 443 <public-ip> Apple-iPhone/508.11 200 0 0
5/31/2009 0:00:04 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username5 User=username5&DeviceId=<device-id>&DeviceType=SmartPhone&Cmd=Ping&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C17I8718S68530R0S0L1680H0P 443 <public-ip> MSFT-SPhone/5.2.402 200 0 0
5/31/2009 0:00:04 10.10.10.10 POLL /exchange/username6/Inbox - - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 401 2 2148074254
5/31/2009 0:00:04 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username7 User=username7&DeviceId=<device-id>&DeviceType=iPhone&Cmd=Sync&Log=V4TCoSSC:0A0C0D0FS:0A0C0D0SP:1C3I5426S49100R0S0L0H0P 443 <public-ip> Apple-iPhone/508.11 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchange/username8/ username8@domainname.com cmd=spellcheck 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchweb/6.5.7651.60/controls/style30.css - - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchweb/themes/0/owacolors.css - - 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 0:00:06 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\username9 User=username9&DeviceId=<device-id>&DeviceType=SmartPhone&Cmd=Sync&Log=V4TEmSSC:0A0C0D0FS:0A0C0D3SP:1C4I16442S35772R0S0L0H0P 443 <public-ip> MSFT-SPhone/5.2.402 200 0 0
5/31/2009 0:00:06 10.10.10.10 GET /exchange/username8/ username8@domainname.com cmd=script&template=loc_spellcheck&cache=1&ver=6.5.7651.60 443 <public-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0
5/31/2009 1:00:06 10.10.10.11 GET /exchange username10@domainname.com - 443 <client-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 302 0 0
The CSV output is shown here.
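The same extraction as the UsersofOWA.sql query, applied to the log layout shown above, as an added Python example that is not part of the FAQ and not LogParser code. It takes column positions from the log's #Fields: directive rather than assuming the IIS 6 default order (the layout on this page puts cs-username before cs-uri-query, which is not the default), skips requests with no username the way cs-username LIKE '%' does in LogParser (which reads the '-' placeholder as NULL), and de-duplicates on (user, client IP) so the Excel remove-duplicates step is done in code. It goes beyond the query in one respect: the URI test is a prefix match, because LIKE '/exchange' with no wildcard matches only the bare OWA root and would miss mailbox paths such as /exchange/username1/. The sample log lines, IP addresses and device id are constructed placeholders.

```python
"""Pull distinct OWA users and their client IPs out of IIS W3C logs.

Added example, not part of the original FAQ and not LogParser code.
It mirrors the UsersofOWA.sql query: column positions are taken from
the '#Fields:' directive rather than hard-coded, the URI test is a
prefix match, and rows are de-duplicated on (user, client IP).
"""
import csv
import io
from typing import Dict, Iterable, Iterator, List

# Constructed sample in the layout the page shows. Field order matches the
# page (cs-username before cs-uri-query); IPs and the device id are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-31 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-username cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-31 00:00:00 10.10.10.10 POST /exchweb/bin/auth/owaauth.dll - - 443 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
2009-05-31 00:00:00 10.10.10.10 PROPFIND /exchange/username1/ username1 - 443 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0) 207 0 0
2009-05-31 00:00:03 10.10.10.10 POST /Microsoft-Server-ActiveSync domainname\\username3 User=username3&DeviceId=DEVICE-ID-PLACEHOLDER&DeviceType=iPhone&Cmd=Ping 443 198.51.100.7 Apple-iPhone/508.11 200 0 0
2009-05-31 00:00:06 10.10.10.10 GET /exchange/username8/ username8@domainname.com cmd=spellcheck 443 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-05-31 00:00:06 10.10.10.10 GET /exchweb/themes/0/owacolors.css - - 443 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-05-31 00:00:06 10.10.10.10 GET /exchange/username8/ username8@domainname.com cmd=script&template=loc_spellcheck 443 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-05-31 01:00:06 10.10.10.11 GET /exchange username10@domainname.com - 443 203.0.113.20 Mozilla/4.0+(compatible;+MSIE+7.0) 302 0 0
"""

OUTPUT_COLUMNS = ["Date", "Time", "Server IP", "UserName", "Client-IP",
                  "Request Verb", "Request URI"]


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the latest '#Fields:'
    directive. IIS writes a fresh directive whenever the logged columns
    change, so the header is re-read instead of assumed. Values never
    contain spaces (IIS substitutes '+'), so a plain split is safe."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if not fields:
            raise ValueError("data line appears before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def owa_logins(lines: Iterable[str], uri_prefix: str = "/exchange") -> List[Dict[str, str]]:
    """Rows the SQL would select: GET requests under the OWA virtual
    directory that carry a username. Timestamps are UTC, because IIS writes
    W3C logs in UTC rather than the server's local time. The result is
    already unique on (UserName, Client-IP), so no Excel de-duplication is needed."""
    seen = set()
    rows: List[Dict[str, str]] = []
    for e in parse_w3c(lines):
        if e.get("cs-method") != "GET":
            continue
        if not e.get("cs-uri-stem", "").startswith(uri_prefix):
            continue
        user = e.get("cs-username", "-")
        if user == "-":  # anonymous hit (static css, the logon form); LogParser reads '-' as NULL
            continue
        key = (user, e.get("c-ip", "-"))
        if key in seen:
            continue
        seen.add(key)
        rows.append({
            "Date": e.get("date", "-"), "Time": e.get("time", "-"),
            "Server IP": e.get("s-ip", "-"), "UserName": user,
            "Client-IP": key[1], "Request Verb": e["cs-method"],
            "Request URI": e["cs-uri-stem"],
        })
    return rows


def unique_users(rows: List[Dict[str, str]]) -> List[str]:
    """Sorted list of distinct usernames (the page's 'remove duplicates' step)."""
    return sorted({r["UserName"] for r in rows})


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render rows in the same column order as the LogParser -o:csv output."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=OUTPUT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    hits = owa_logins(SAMPLE_LOG.splitlines())
    print(to_csv(hits))
    print("unique users:", ", ".join(unique_users(hits)))
```

To run it against real logs, replace SAMPLE_LOG.splitlines() with the lines of each ex*.log file; because the field names come from the directive, the script keeps working if the logged columns are changed in the IIS console later. On the constructed sample it returns two rows (username8 and username10); the PROPFIND, ActiveSync and anonymous requests are dropped just as the SQL filter drops them.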
Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.