![\"Photo](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6712.Brent.jpg\" "\\"Photo")
<\/a><\/p>\nBrent Forman is senior program manager in the Windows Server division at Microsoft. Brent has extensive experience in large scale IT operations and management through working in Windows Server for more than eight years and providing leadership to internal R&D datacenter operations across the Microsoft Server and Tools business.<\/p>\n
User Access Logging<\/b> (UAL) in Windows Server 2012 presents new opportunities to IT Pros by providing an at-a-glance view of server role client demand within an enterprise environment. This can help IT Pros understand and optimize server resource usage and identify potential bottlenecks and gaps across an IT infrastructure. User Access Logging<\/b> fundamentally aggregates basic usage tracking of a server’s roles by measuring client requests over time of a local Windows Server 2012 installation. This blog post is intended to show how using a few quick Windows PowerShell cmdlets can give you the data you need to easily quantify client requests over time, for a specific role or application, on a specific server.<\/p>\nUAL architecture<\/h2>\n
The UAL service logs unique client access requests, in the form of IP addresses and user names, of server roles on the local Windows Server 2012. Client access request events are aggregated and stored locally in near real time (a separate database is not required). This information can then be queried locally or remotely via Windows PowerShell or WMI, by a user with administrative privileges.<\/p>\n
Notes<\/b> By design, there is a default 24-hour delay before events can be retrieved by Windows PowerShell cmdlets or WMI queries. The UAL service’s default configuration is to start, run, and collect data. No UAL data is sent to Microsoft. This service is intended for administrators only.<\/p>\n
The following are the main cmdlets you will use.<\/p>\n See Managing User Access Logging<\/a> for a complete list of UAL cmdlets.<\/p>\n Note<\/b> Be sure to check out Get-UalSystemId<\/b> to see what is provided there that might meet your needs.<\/p>\n Of particular interest to the IT Pro would be the ActivityCount<\/b> and AccessCount<\/b> output for the last four cmdlets in the previous list. For remote administrator retrieval, exposing this data is a potential gold mine to assist with planning server resources efficiently.<\/p>\n Data that is retrieved with these cmdlets can help an administrator answer questions like:<\/p>\n Get-UalOverview<\/b> is meant as a quick inventory of what is installed on a server and what is active. Most of the server roles will appear in the output, but only those with an entry for FirstSeen<\/b> and LastSeen<\/b> are installed and actively servicing client requests. The use of this cmdlet and a typical output are shown here (for brevity, only File Server and BranchCache are shown in the output). In this example, File Server is installed and actively servicing client requests, and BranchCache is not.<\/p>\n PS C:\\> Get-UalOverview<\/p>\n <\/p>\n FirstSeen : 7\/14\/2012 11:41:21 AM<\/p>\n GUID : 10a9226f-50ee-49d8-a393-9a501d47ce04<\/p>\n LastSeen : 8\/18\/2012 10:41:01 PM<\/p>\n ProductName : Windows Server 2012 Datacenter<\/p>\n RoleName : File Server<\/p>\n PSComputerName :<\/p>\n <\/p>\n FirstSeen :<\/p>\n GUID : 910cbaf9-b612-4782-a21f-f7c75105434a<\/p>\n LastSeen :<\/p>\n ProductName : Windows Server 2012 Datacenter<\/p>\n RoleName : BranchCache<\/p>\n PSComputerName :<\/p>\n <\/p>\n …………<\/p>\n Get-UalDeviceAccess<\/b> and Get-UalUserAccess<\/b> output data that is centric to client users and client devices that are specific to server roles and applications. They provide first and last “seen” data per client. The use of these cmdlets and typical output is shown here. This example shows all the data that is unique to testuser1<\/b>, and separately, all the data that is unique to testuser2<\/b>.<\/p>\n PS C:\\> Get-UalUserAccess –RoleName “File Server”<\/p>\n <\/p>\n ActivityCount : 18<\/p>\n FirstSeen : 7\/14\/2012 11:41:21 AM<\/p>\n LastSeen : 8\/18\/2012 10:41:00 PM<\/p>\n ProductName : Windows Server 2012 Datacenter<\/p>\n RoleGuid : 10a9226f-50ee-49d8-a393-9a501d47ce04<\/p>\n RoleName : File Server<\/p>\n TenantIdentifier : 00000000-0000-0000-0000-000000000000<\/p>\n UserName : testdomain\\testuser1<\/p>\n PSComputerName :<\/p>\n <\/p>\n ActivityCount : 83<\/p>\n FirstSeen : 7\/14\/2012 11:51:11 AM<\/p>\n LastSeen : 8\/18\/2012 10:41:01 PM<\/p>\n ProductName : Windows Server 2012 Datacenter<\/p>\n RoleGuid : 10a9226f-50ee-49d8-a393-9a501d47ce04<\/p>\n RoleName : File Server<\/p>\n TenantIdentifier : 00000000-0000-0000-0000-000000000000<\/p>\n UserName : testdomain\\testuser2<\/p>\n PSComputerName :<\/p>\n Although the Device and User “Access” cmdlets are paired with “Daily” versions, their intended use and output can be quite different. The “Daily” cmdlets, Get-UalDailyUserAccess<\/b> and Get-UalDailyDeviceAccess<\/b>, are provided to allow administrators to query a specific day or date range. To use these cmdlets to query a range, we must call into WMI from Windows PowerShell (for brevity, only the output for one user, on one day, is shown).<\/p>\n PS C:\\> GWMI MsftUal_DailyUserAccess –ns root\\AccessLogging –filter “AccessDate >= ‘7\/14\/2012’ and AccessDate <= ‘8\/15\/2012′”<\/p>\n <\/p>\n __GENUS : 2<\/p>\n __CLASS : MsftUal_DailyUserAccess<\/p>\n __SUPERCLASS :<\/p>\n __DYNASTY : MsftUal_DailyUserAccess<\/p>\n __RELPATH : MsftUal_DailyUserAccess.UserName=”testdomain\\\\testuser1″<\/p>\n __PROPERTY_COUNT : 6<\/p>\n __DERIVATION : {}<\/p>\n __SERVER : testcomputer<\/p>\n __NAMESPACE : root\\AccessLogging<\/p>\n __PATH : \\\\testcomputer\\root\\AccessLogging:MsftUal_DailyUserAccess.UserName=”testdomain\\\\testuser1<\/a>“<\/p>\n AccessCount : 32<\/p>\n AccessDate : 20120714184121.000000+000<\/p>\n ProductName : Windows Server 2012 Datacenter<\/p>\n RoleGuid : 10a9226f-50ee-49d8-a393-9a501d47ce04<\/p>\n RoleName : File Server<\/p>\n UserName : testdomain\\testuser1<\/p>\n PSComputerName : testcomputer<\/p>\n <\/p>\n ……………<\/p>\n UAL does not measure or expose the relative impact of any client activity or access on a system; however, for any role, an administrator could correlate this data with performance data for an infrastructure system and develop custom metrics that are specific to their environment.<\/p>\n For more documentation about UAL, see the following topics in the Windows Server TechCenter:<\/p>\n User Access Logging Overview<\/a><\/p>\n Manage User Access Logging<\/a><\/p>\n User Access Logging and Resulting Internet Communication in Windows Server 2012<\/a><\/p>\n Also see the following topic in the Windows Dev Center:<\/p>\n User Access Logging<\/a><\/p>\n In addition, the Microsoft Assessment and Planning Toolkit enables you to consume, aggregate across a deployment of many servers, and generate reports of the data. To download this toolkit, see Microsoft Assessment and Planning Toolkit<\/a> in the Microsoft Download Center.<\/p>\n ~Brent<\/p>\n Thank you, Brent! This is a way cool feature and a great explanation.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Learn about using Windows PowerShell to manage the new User Access Logging feature in Windows Server 2012. Microsoft Scripting Guy, Ed Wilson, is here. Today we have as our guest blogger, Brent Forman. Here is a little bit about Brent. Brent Forman is senior program manager in the Windows Server division at Microsoft. Brent […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[371,56,3,198,61,45,368],"class_list":["post-4963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-brent-forman","tag-guest-blogger","tag-scripting-guy","tag-users","tag-weekend-scripter","tag-windows-powershell","tag-windows-server-2012"],"acf":[],"blog_post_summary":" Summary: Learn about using Windows PowerShell to manage the new User Access Logging feature in Windows Server 2012. Microsoft Scripting Guy, Ed Wilson, is here. Today we have as our guest blogger, Brent Forman. Here is a little bit about Brent. Brent Forman is senior program manager in the Windows Server division at Microsoft. Brent […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=4963"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4963\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=4963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=4963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=4963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/p>\nUAL Windows PowerShell cmdlets<\/h2>\n
\n
\n
UAL Windows PowerShell cmdlet examples and output<\/h2>\n
Additional references<\/h3>\n