Using powershell to list users accessing OWA

Sometimes it’s useful to identify how many users are using Outlook Web Access, particularly for capacity management. Just because an account has OWA enabled, doesn’t mean it’s being used.

The below PowerShell script will enumerate the IIS logs looking for OWA access, if found it’ll add the user account to a list of accounts accessing OWA.

$path = "C:\WINDOWS\system32\LogFiles\W3SVC1\ex*"

# Create new DataTable to hold log entries
$tblLog = New-Object System.Data.DataTable "Log"
$arrUsers = New-Object System.Collections.ArrayList($null)
$bFirstRun = $TRUE;

foreach ($file in Get-ChildItem $path)
	# Get the contents of the file, excluding the first three lines.
	$fileContents = Get-Content $file.FullName | where {$_ -notLike "#[D,S-V]*" }

	# Create DataTable columns. No handling for different columns in
	# each log file.
	if( $bFirstRun )
		$columns = (($fileContents[0].TrimEnd()) -replace "#Fields: ", "" -replace "-","" -replace "\(","" -replace "\)","").Split(" ")
		$colCount = $columns.Length

		# Create a DataColumn from the column string and add to our DataTable.
		foreach ($column in $columns)
			$colNew = New-Object System.Data.DataColumn $column, ([string])
			$tblLog.Columns.Add( $colNew )
		$bFirstRun = $FALSE;
		Write-Host "Columns complete"
	# Get the row contents from the file, filtering what I want to retrieve.
	$rows = $fileContents | where {$_ -like "*/owa/Default.aspx*"}

	# Loop through rows in the log file.
	foreach ($row in $rows)

		$rowContents = $row.Split(" ")
		$newRow = $tblLog.newrow()
		for($i=0;$i -lt $colCount; $i++)
			$columnName = $columns[$i]
			$newRow.$columnName = $rowContents[$i]
		$tblLog.Rows.Add( $newRow )
	Write-Host $file.Name "Done"
$tblLog | foreach {  if(! $arrUsers.Contains( $_.csusername ) ) { $arrUsers.Add( $_.csusername ) } }

Save to a file with the “.ps1” extension and run. You’ll then be presented with a list of users, for example:


You’ll need to alter the path to the IIS logs if you’ve stored them in a non-default location. To filter only logs for the current year, you can use a wildcard in the $path variable. For example “ex13*” for 2013 only.

Published by

Dave Hope

Dave works in IT for a leading UK based retirement developer, in his spare time he enjoys tinkering with technology and rock climbing.

19 thoughts on “Using powershell to list users accessing OWA”

  1. Should this work for Exchange 2007?
    I modified the path to match my 2007 CAS
    $path = “C:inetpublogsLogFilesW3SVC1u_ex*”
    It looks like it goes through the log files but it returns zero.
    [PS] C:>.owatest.ps1
    Columns complete
    u_ex130522.log Done
    u_ex130523.log Done
    u_ex130524.log Done
    u_ex130525.log Done
    u_ex130526.log Done
    u_ex130527.log Done
    u_ex130528.log Done
    [PS] C:>

    Thanks in advance

    1. It was written for use against 2007. Are your IIS logs really in that location? I presume they are if its seeing the files, but make sure it’s for the right website if there are more than one.

      Is OWA accessed under /OWA/….?

      Also, which windows version are you using?

      1. I only ran this against one log file and it doesn’t do anything once it finishes.

        Columns complete
        u_ex130709.log Done

  2. Hi Dave-

    I was wondering if you had any thoughts of a way to determine which users have only used OWA, but no other method such as Outlook or Mobile Device? Is there anyway in this existing script to note when the user last accessed via OWA?

    1. Hi Ken, That’s exactly what this script does. It filters for /owa/default.aspx – So you only see users who have actually logged into OWA.

      1. He wants to know who has used OWA only and no other client. A user can use both Outlook and OWA and this user would should up in the IIS logs as well.

    1. Hi David,

      You’d need to maintain a separate kvp in the script to maintain a mapping of usernames to datetime’s. Probably not too difficult to add it.

  3. hey ,

    in my case (win2k8 , exchange 2k10)

    it returns
    olumns complete
    u_ex140410.log Done
    u_ex140411.log Done
    u_ex140412.log Done
    u_ex140413.log Done
    u_ex140414.log Done
    u_ex140415.log Done
    u_ex140416.log Done
    u_ex140417.log Done


    no list of users? 🙁

    1. The script was written for Win2k3/EX2k7 so it’s possible the IIS log file is different on Win2k8/E2k10. I’ll take a look when I get chance to setup a lab.

  4. Hi,

    I run this on Windows Powershell 1.0, as administrator, having tweaked the path for c:\inetpub\logs\Logfiles\W3SVC1 … but when I run the script, it returns absolutely nothing – I’m just returned to the prompt. What am I doing wrong? I’m running Win Server 2008 I believe, 64 bit version. Exchange 2007. Any ideas?


  5. Same issue as Ash;

    [PS] C:\Users\dal\Desktop>.\owausers.ps1
    [PS] C:\Users\dal\Desktop>

    2k8r2 server and exchange 2007

  6. For above script to work on exchane 2013 you have to
    make small modification.

    Run ps script on CAS server. Change lines to this

    $path = “C:\inetpub\logs\LogFiles\W3SVC1\*ex*”

    $rows = $fileContents | where {$_ -like “*/owa/*”}

    Then you will have list of users.

    P.S Thank you for great script 🙂

    1. Since Exchange 2013 uses Https and not Mapi anymore, If I run this script in Exchange 2013 environment, will show records for Outlook clients too or just for users who are accessing through Ooutlok Web Access?

  7. I had the same issue as many others have commented on. The script is pointed at the log files, and it runs, but there are no users identified. If I open a log file, the Find does not find any examples of “owa/auth.owa”.

    Solution I found was due to my 2010 environment having a number of front end CAS (MS originally recommended separation of roles for 2010) that performed authentication for the OWA requests. Although the MBX server logs all showed extensive OWA activity, there were no users identified in any of them. All user identification data was found in the logs of the CAS servers that were doing the initial authentication.

    Seems obvious in hindsight, but at the time I did not understand why the mbx server logs clearly showed OWA requests but did not have any results for the script to identify the users accessing it.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.