Sometimes it’s useful to identify how many users are using Outlook Web Access, just because an account has OWA enabled, doesn’t mean it’s being used.

The below PowerShell script will enumerate the IIS logs looking for OWA access, if found it’ll add the user account to a list of accounts accessing OWA.

$path = "C:\WINDOWS\system32\LogFiles\W3SVC1\ex*"

# Create new DataTable to hold log entries
$tblLog = New-Object System.Data.DataTable "Log"
$arrUsers = New-Object System.Collections.ArrayList($null)
$bFirstRun = $TRUE;

foreach ($file in Get-ChildItem $path)
{
	# Get the contents of the file, excluding the first three lines.
	$fileContents = Get-Content $file.FullName | where {$_ -notLike "#[D,S-V]*" }

	# Create DataTable columns. No handling for different columns in
	# each log file.
	if( $bFirstRun )
	{
		$columns = (($fileContents[0].TrimEnd()) -replace "#Fields: ", "" -replace "-","" -replace "\(","" -replace "\)","").Split(" ")
		$colCount = $columns.Length

		# Create a DataColumn from the column string and add to our DataTable.
		foreach ($column in $columns)
		{
			$colNew = New-Object System.Data.DataColumn $column, ([string])
			$tblLog.Columns.Add( $colNew )
		}
		$bFirstRun = $FALSE;
		Write-Host "Columns complete"
	}
	
	# Get the row contents from the file, filtering what I want to retrieve.
	$rows = $fileContents | where {$_ -like "*/owa/Default.aspx*"}

	# Loop through rows in the log file.
	foreach ($row in $rows)
	{
		if(!$row)
		{
			continue
		}

		$rowContents = $row.Split(" ")
		$newRow = $tblLog.newrow()
		for($i=0;$i -lt $colCount; $i++)
		{
			$columnName = $columns[$i]
			$newRow.$columnName = $rowContents[$i]
		}
		$tblLog.Rows.Add( $newRow )
	}
	Write-Host $file.Name "Done"
}
$tblLog | foreach {  if(! $arrUsers.Contains( $_.csusername ) ) { $arrUsers.Add( $_.csusername ) } }
$arrUsers

Save to a file with the “.ps1” extension and run. You’ll then be presented with a list of users, for example:

  • NWTRADERS\Administrator
  • NWTRADERS\Steve
  • NWTRADERS\Dave
  • NWTRADERS\James
  • NWTRADERS\Albert

You’ll need to alter the path to the IIS logs if you’ve stored them in a non-default location. To filter only logs for the current year, you can use a wildcard in the $path variable. For example ex13* for 2013 only.