Use Powershell To Find Out Who’s Used Your Outlook Web App Recently

[ 1 ] Comment
Share

There was a post in the Technet Exchange Forum today from someone that wanted to find out which of their domain users had recently been using Outlook Web Access. This can be done quite easily in Powershell using the Select-String and Select-Object cmdlets. If you want to try it, type this into your powershell console:

Select-String “C:\Inetpub\logs\LogFiles\W3SVC1\u_ex1304*.log” -Pattern “/owa/forms/premium/startpage.aspx” | Select-Object {$_.ToString().Split(” “)[6]}

There are, of course, a few things to note about this:

Firstly, it assumes you want to look at the log files for April 2013. To check a different month, you’ll need to change that u_ex1304*.log to something else.

Secondly, it only checks users of the Premium GUI. I used the search pattern “/owa/forms/premium/startpage.aspx” to stop it returning ALL requests for owa resource files (there would otherwise be hundreds of them), and that file is only used by the Premium GUI.

Thirldy, it may be more helpful to direct the output to a text file, like this:

Select-String “C:\Inetpub\logs\LogFiles\W3SVC1\u_ex1304*.log” -Pattern “/owa/forms/premium/startpage.aspx” | Select-Object {$_.ToString().Split(” “)[6]} > c:\test.txt

Fourthly, the array member [6] assumes that you log file entries have the user name at position 6, like this (you may need to read the next line carefully, or just ignore it, and find out by trial and error):

2013-04-25 10:46:01 GET /owa/forms/premium/StartPage.aspx &Initial+Budget>>Conn:1,HangingConn:0,AD:18000/18000/0%,CAS:90000/90000/0%,AB:18000/18000/0%,RPC:90000/90000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_e68d5638-ddb2-4d2f-8843-c2aba845c117,Norm&v=14.2.342.3&mbx=servername.yourdomain.com&sessionId=2c92cd739b3c4b38abf09fcce3d0b7cd&prfltncy=365&prfrpccnt=44&prfrpcltncy=239&prfldpcnt=9&prfldpltncy=46&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17993/1%,CAS:90000/89755/1%,AB:18000/18000/0%,RPC:90000/89819/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_e68d5638-ddb2-4d2f-8843-c2aba845c117,Norm[Resources:(Mdb)MBX(Health:-1%,HistLoad:0),(DC)servername.yourdomain.com(Health:-1%,HistLoad:0),];GC:1/0/0; 443 yourusername 192.168.1.8 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+BTRS100021;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+.NET4.0C;+.NET4.0E) http://servername/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fservername%2fowa%2f 200 0 0


One Response to Use Powershell To Find Out Who’s Used Your Outlook Web App Recently

  1. Gino K├╝hne says:

    Hi
    Thank you very very much for your articel here on this site.
    I send you greetings from switzerland,
    Gino




Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>