Summary: Learn about using Windows PowerShell to manage the new User Access Logging feature in Windows Server 2012.
Microsoft Scripting Guy, Ed Wilson, is here. Today we have as our guest blogger, Brent Forman. Here is a little bit about Brent.
Brent Forman is senior program manager in the Windows Server division at Microsoft. Brent has extensive experience in large scale IT operations and management through working in Windows Server for more than eight years and providing leadership to internal R&D datacenter operations across the Microsoft Server and Tools business.
User Access Logging (UAL) in Windows Server 2012 presents new opportunities to IT Pros by providing an at-a-glance view of client demand for server roles within an enterprise environment. This can help IT Pros understand and optimize server resource usage and identify potential bottlenecks and gaps across an IT infrastructure. Fundamentally, User Access Logging aggregates basic usage data for a server's roles by measuring client requests over time on a local Windows Server 2012 installation. This blog post shows how a few quick Windows PowerShell cmdlets can give you the data you need to easily quantify client requests over time, for a specific role or application, on a specific server.
UAL architecture
The UAL service logs unique client access requests, in the form of IP addresses and user names, to server roles on the local Windows Server 2012 installation. Client access request events are aggregated and stored locally in near real time (a separate database is not required). This information can then be queried locally or remotely via Windows PowerShell or WMI, by a user with administrative privileges.
Notes: By design, there is a default 24-hour delay before events can be retrieved by Windows PowerShell cmdlets or WMI queries. The UAL service's default configuration is to start, run, and collect data. No UAL data is sent to Microsoft. This service is intended for administrators only.
UAL Windows PowerShell cmdlets
The following are the main cmdlets you will use.
- Get-UalOverview: Retrieves and displays basic UAL data for all installed server roles (except DNS and Hyper-V, which have separate, dedicated UAL cmdlets)
- Get-UalUserAccess: Retrieves and displays UAL data by client user names and roles
- Get-UalDailyUserAccess: Retrieves and displays UAL data by client user name and date
- Get-UalDeviceAccess: Retrieves and displays UAL data by client device IP and roles
- Get-UalDailyDeviceAccess: Retrieves and displays UAL data by client device IP and date
See Managing User Access Logging for a complete list of UAL cmdlets.
Note: Be sure to check out Get-UalSystemId to see what is provided there that might meet your needs.
Of particular interest to the IT Pro would be the ActivityCount and AccessCount output for the last four cmdlets in the previous list. For remote administrator retrieval, exposing this data is a potential gold mine to assist with planning server resources efficiently.
Data that is retrieved with these cmdlets can help an administrator answer questions like:
- Which server is getting the most requests from clients?
- Which server is getting the most requests from unique clients vs. generic clients?
- What server roles are getting the most activity and at what point in the cycle (for example: day, week, quarter, or year)?
- Coupled with performance tool data, at what point do new resources need to be brought to bear, or at what point in the cycle?
- Which clients are the most active in my environment?
- How efficiently are my current servers being used? Does the load warrant a separate dedicated server?
UAL Windows PowerShell cmdlet examples and output
Get-UalOverview is meant as a quick inventory of what is installed on a server and what is active. Most of the server roles will appear in the output, but only those with an entry for FirstSeen and LastSeen are installed and actively servicing client requests. The use of this cmdlet and a typical output are shown here (for brevity, only File Server and BranchCache are shown in the output). In this example, File Server is installed and actively servicing client requests, and BranchCache is not.
PS C:\> Get-UalOverview
FirstSeen : 7/14/2012 11:41:21 AM
GUID : 10a9226f-50ee-49d8-a393-9a501d47ce04
LastSeen : 8/18/2012 10:41:01 PM
ProductName : Windows Server 2012 Datacenter
RoleName : File Server
PSComputerName :
FirstSeen :
GUID : 910cbaf9-b612-4782-a21f-f7c75105434a
LastSeen :
ProductName : Windows Server 2012 Datacenter
RoleName : BranchCache
PSComputerName :
…………
Get-UalDeviceAccess and Get-UalUserAccess return data centered on client users and client devices, specific to server roles and applications. They provide first and last "seen" data per client. The use of these cmdlets and typical output is shown here. This example shows all the data that is unique to testuser1, and separately, all the data that is unique to testuser2.
PS C:\> Get-UalUserAccess -RoleName "File Server"
ActivityCount : 18
FirstSeen : 7/14/2012 11:41:21 AM
LastSeen : 8/18/2012 10:41:00 PM
ProductName : Windows Server 2012 Datacenter
RoleGuid : 10a9226f-50ee-49d8-a393-9a501d47ce04
RoleName : File Server
TenantIdentifier : 00000000-0000-0000-0000-000000000000
UserName : testdomain\testuser1
PSComputerName :
ActivityCount : 83
FirstSeen : 7/14/2012 11:51:11 AM
LastSeen : 8/18/2012 10:41:01 PM
ProductName : Windows Server 2012 Datacenter
RoleGuid : 10a9226f-50ee-49d8-a393-9a501d47ce04
RoleName : File Server
TenantIdentifier : 00000000-0000-0000-0000-000000000000
UserName : testdomain\testuser2
PSComputerName :
Although the Device and User “Access” cmdlets are paired with “Daily” versions, their intended use and output can be quite different. The “Daily” cmdlets, Get-UalDailyUserAccess and Get-UalDailyDeviceAccess, are provided to allow administrators to query a specific day or date range. To use these cmdlets to query a range, we must call into WMI from Windows PowerShell (for brevity, only the output for one user, on one day, is shown).
PS C:\> GWMI MsftUal_DailyUserAccess -Namespace root\AccessLogging -Filter "AccessDate >= '7/14/2012' and AccessDate <= '8/15/2012'"
__GENUS : 2
__CLASS : MsftUal_DailyUserAccess
__SUPERCLASS :
__DYNASTY : MsftUal_DailyUserAccess
__RELPATH : MsftUal_DailyUserAccess.UserName="testdomain\\testuser1"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : testcomputer
__NAMESPACE : root\AccessLogging
__PATH : \\testcomputer\root\AccessLogging:MsftUal_DailyUserAccess.UserName="testdomain\\testuser1"
AccessCount : 32
AccessDate : 20120714184121.000000+000
ProductName : Windows Server 2012 Datacenter
RoleGuid : 10a9226f-50ee-49d8-a393-9a501d47ce04
RoleName : File Server
UserName : testdomain\testuser1
PSComputerName : testcomputer
……………
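The daily records can also be filtered to a date range and rolled up per user in Windows PowerShell, which answers "Which clients are the most active?" for a given window. This is an added example, not code from the original post; the function name Get-UalUserRollup and the sample records are constructed for illustration and rely only on the UserName, RoleName, AccessDate, and AccessCount properties shown in the output above.

```powershell
# Added example (not from the original post): per-user, per-role rollup of daily UAL records.
# Get-UalUserRollup is a hypothetical helper name; it only needs the UserName, RoleName,
# AccessDate and AccessCount properties shown in the output above.
function Get-UalUserRollup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Record,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End
    )
    begin { $rows = New-Object 'System.Collections.Generic.List[object]' }
    process {
        foreach ($r in $Record) {
            # Keep records whose calendar date falls inside the window (inclusive).
            $day = ([datetime]$r.AccessDate).Date
            if ($day -ge $Start.Date -and $day -le $End.Date) { $rows.Add($r) }
        }
    }
    end {
        $rows | Group-Object UserName, RoleName | ForEach-Object {
            $group = $_.Group
            # The single busiest day for this user and role inside the window.
            $peak  = $group | Sort-Object AccessCount -Descending | Select-Object -First 1
            $days  = @($group | ForEach-Object { ([datetime]$_.AccessDate).Date } | Sort-Object -Unique)
            [pscustomobject]@{
                UserName    = $peak.UserName
                RoleName    = $peak.RoleName
                TotalAccess = ($group | Measure-Object AccessCount -Sum).Sum
                ActiveDays  = $days.Count
                PeakDay     = ([datetime]$peak.AccessDate).ToString('yyyy-MM-dd')
                PeakCount   = $peak.AccessCount
            }
        } | Sort-Object TotalAccess -Descending
    }
}

# Constructed sample records (not real data), so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ UserName = 'testdomain\testuser1'; RoleName = 'File Server'; AccessDate = [datetime]'2012-07-14'; AccessCount = 32 }
    [pscustomobject]@{ UserName = 'testdomain\testuser1'; RoleName = 'File Server'; AccessDate = [datetime]'2012-07-20'; AccessCount = 5 }
    [pscustomobject]@{ UserName = 'testdomain\testuser1'; RoleName = 'File Server'; AccessDate = [datetime]'2012-08-20'; AccessCount = 50 }  # outside window
    [pscustomobject]@{ UserName = 'testdomain\testuser2'; RoleName = 'File Server'; AccessDate = [datetime]'2012-07-14'; AccessCount = 12 }
    [pscustomobject]@{ UserName = 'testdomain\testuser2'; RoleName = 'File Server'; AccessDate = [datetime]'2012-08-01'; AccessCount = 70 }
)
$sample | Get-UalUserRollup -Start '2012-07-14' -End '2012-08-15' | Format-Table -AutoSize

# On a server with UAL data, feed the real records instead:
# Get-UalDailyUserAccess | Get-UalUserRollup -Start '2012-07-14' -End '2012-08-15'
```

Because of the default 24-hour delay noted earlier, the most recent day's activity will not appear in the rollup.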
UAL does not measure or expose the relative impact of any client activity or access on a system; however, for any role, an administrator could correlate this data with performance data for an infrastructure system and develop custom metrics that are specific to their environment.
Additional references
For more documentation about UAL, see the following topics in the Windows Server TechCenter:
User Access Logging and Resulting Internet Communication in Windows Server 2012
Also see the following topic in the Windows Dev Center:
In addition, the Microsoft Assessment and Planning Toolkit enables you to consume, aggregate across a deployment of many servers, and generate reports of the data. To download this toolkit, see Microsoft Assessment and Planning Toolkit in the Microsoft Download Center.
~Brent
Thank you, Brent! This is a way cool feature and a great explanation.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy