PowerShell and User Access Logging

PowerShell and User Access Logging

  • Comments 1
  • Likes

Summary: Learn about using Windows PowerShell to manage the new User Access Logging feature in Windows Server 2012.

Microsoft Scripting Guy, Ed Wilson, is here. Today we have as our guest blogger, Brent Forman. Here is a little bit about Brent.

Photo of Brent Forman

Brent Forman is senior program manager in the Windows Server division at Microsoft. Brent has extensive experience in large scale IT operations and management through working in Windows Server for more than eight years and providing leadership to internal R&D datacenter operations across the Microsoft Server and Tools business.

User Access Logging (UAL) in Windows Server 2012 presents new opportunities to IT Pros by providing an at-a-glance view of server role client demand within an enterprise environment. This can help IT Pros understand and optimize server resource usage and identify potential bottlenecks and gaps across an IT infrastructure. User Access Logging fundamentally aggregates basic usage tracking of a server’s roles by measuring client requests over time of a local Windows Server 2012 installation. This blog post is intended to show how using a few quick Windows PowerShell cmdlets can give you the data you need to easily quantify client requests over time, for a specific role or application, on a specific server.

UAL architecture

The UAL service logs unique client access requests, in the form of IP addresses and user names, of server roles on the local Windows Server 2012. Client access request events are aggregated and stored locally in near real time (a separate database is not required). This information can then be queried locally or remotely via Windows PowerShell or WMI, by a user with administrative privileges.

Notes  By design, there is a default 24-hour delay before events can be retrieved by Windows PowerShell cmdlets or WMI queries. The UAL service’s default configuration is to start, run, and collect data. No UAL data is sent to Microsoft. This service is intended for administrators only.

Image of design

UAL Windows PowerShell cmdlets

The following are the main cmdlets you will use.

  • Get-UalOverview  Retrieves and displays basic UAL data for all installed server roles (except DNS and Hyper-V, which have separate, dedicated UAL cmdlets)
  • Get-UalUserAccess  Retrieves and displays UAL data by client user names and roles
  • Get-UalDailyUserAccess  Retrieves and displays UAL data by client user name and date
  • Get-UalDeviceAccess  Retrieves and displays UAL data by client device IP and roles
  • Get-UalDailyDeviceAccess  Retrieves and displays UAL data by client device IP and date

See Managing User Access Logging for a complete list of UAL cmdlets.

Note  Be sure to check out Get-UalSystemId to see what is provided there that might meet your needs.

Of particular interest to the IT Pro would be the ActivityCount and AccessCount output for the last four cmdlets in the previous list. For remote administrator retrieval, exposing this data is a potential gold mine to assist with planning server resources efficiently.

Data that is retrieved with these cmdlets can help an administrator answer questions like:

  • Which server is getting the most requests from clients?
  • Which server is getting the most requests from unique clients vs. generic clients?
  • What server roles are getting the most activity and at what point in the cycle (for example: day, week, quarter, or year)?
  • Coupled with performance tool data, at what point do new resources need to be brought to bear, or at what point in the cycle?
  • Which clients are the most active in my environment?
  • How efficiently are my current servers being used? Does the load warrant a separate dedicated server?

UAL Windows PowerShell cmdlet examples and output

Get-UalOverview is meant as a quick inventory of what is installed on a server and what is active. Most of the server roles will appear in the output, but only those with an entry for FirstSeen and LastSeen are installed and actively servicing client requests. The use of this cmdlet and a typical output are shown here (for brevity, only File Server and BranchCache are shown in the output). In this example, File Server is installed and actively servicing client requests, and BranchCache is not.

PS C:\> Get-UalOverview

 

FirstSeen   : 7/14/2012 11:41:21 AM

GUID      : 10a9226f-50ee-49d8-a393-9a501d47ce04

LastSeen    : 8/18/2012 10:41:01 PM

ProductName  : Windows Server 2012 Datacenter

RoleName    : File Server

PSComputerName :

 

FirstSeen   :

GUID      : 910cbaf9-b612-4782-a21f-f7c75105434a

LastSeen    :

ProductName  : Windows Server 2012 Datacenter

RoleName    : BranchCache

PSComputerName :

 

…………

Get-UalDeviceAccess and Get-UalUserAccess output data that is centric to client users and client devices that are specific to server roles and applications. They provide first and last “seen” data per client. The use of these cmdlets and typical output is shown here. This example shows all the data that is unique to testuser1, and separately, all the data that is unique to testuser2.

PS C:\> Get-UalUserAccess –RoleName “File Server”

 

ActivityCount  : 18

FirstSeen    : 7/14/2012 11:41:21 AM

LastSeen     : 8/18/2012 10:41:00 PM

ProductName   : Windows Server 2012 Datacenter

RoleGuid     : 10a9226f-50ee-49d8-a393-9a501d47ce04

RoleName     : File Server

TenantIdentifier : 00000000-0000-0000-0000-000000000000

UserName     : testdomain\testuser1

PSComputerName  :

 

ActivityCount  : 83

FirstSeen    : 7/14/2012 11:51:11 AM

LastSeen     : 8/18/2012 10:41:01 PM

ProductName   : Windows Server 2012 Datacenter

RoleGuid     : 10a9226f-50ee-49d8-a393-9a501d47ce04

RoleName     : File Server

TenantIdentifier : 00000000-0000-0000-0000-000000000000

UserName     : testdomain\testuser2

PSComputerName  :

Although the Device and User “Access” cmdlets are paired with “Daily” versions, their intended use and output can be quite different. The “Daily” cmdlets, Get-UalDailyUserAccess and Get-UalDailyDeviceAccess, are provided to allow administrators to query a specific day or date range. To use these cmdlets to query a range, we must call into WMI from Windows PowerShell (for brevity, only the output for one user, on one day, is shown).

PS C:\> GWMI MsftUal_DailyUserAccess –ns root\AccessLogging –filter "AccessDate >= '7/14/2012' and AccessDate <= '8/15/2012'"

 

__GENUS     : 2

__CLASS     : MsftUal_DailyUserAccess

__SUPERCLASS   :

__DYNASTY    : MsftUal_DailyUserAccess

__RELPATH    : MsftUal_DailyUserAccess.UserName="testdomain\\testuser1"

__PROPERTY_COUNT : 6

__DERIVATION   : {}

__SERVER     : testcomputer

__NAMESPACE   : root\AccessLogging

__PATH      : \\testcomputer\root\AccessLogging:MsftUal_DailyUserAccess.UserName="testdomain\\testuser1"

AccessCount   : 32

AccessDate    : 20120714184121.000000+000

ProductName   : Windows Server 2012 Datacenter

RoleGuid     : 10a9226f-50ee-49d8-a393-9a501d47ce04

RoleName     : File Server

UserName     : testdomain\testuser1

PSComputerName  : testcomputer

 

……………

UAL does not measure or expose the relative impact of any client activity or access on a system; however, for any role, an administrator could correlate this data with performance data for an infrastructure system and develop custom metrics that are specific to their environment.

Additional references

For more documentation about UAL, see the following topics in the Windows Server TechCenter:

User Access Logging Overview

Manage User Access Logging

User Access Logging and Resulting Internet Communication in Windows Server 2012

Also see the following topic in the Windows Dev Center:

User Access Logging

In addition, the Microsoft Assessment and Planning Toolkit enables you to consume, aggregate across a deployment of many servers, and generate reports of the data. To download this toolkit, see Microsoft Assessment and Planning Toolkit in the Microsoft Download Center.

~Brent

Thank you, Brent! This is a way cool feature and a great explanation.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment