Get Started with User Access Logging

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

User Access Logging (UAL) is feature in Windows Server that aggregates client usage data by role and products on a local server. It helps Windows server administrators quantify requests from client computers for roles and services on a local server.

UAL is installed and enabled by default, and collects data in nearly real-time. No administrator configuration is required, although UAL can be disabled or enabled. For more information, see Manage User Access Logging. The User Access Logging service aggregates client usage data by roles and products into local database files. IT administrators can later use Windows Management Instrumentation (WMI) or Windows PowerShell cmdlets to retrieve quantities and instances by server role (or software product), by user, by device, by the local server, and by date.

Practical applications

UAL aggregates unique client device and user request events that are logged into a local database. These records are then made available (through a query by a server administrator) to retrieve quantities and instances by server role, by user, by device, by the local server, and by date. In addition, UAL has been extended to enable non-Microsoft software developers to instrument their UAL events to be aggregated by Windows Server.

UAL can perform the following tasks:

  • Quantify client user requests for local physical or virtual servers.

  • Quantify client user requests for installed software products on a local physical or virtual server.

  • Retrieve data on a local server running Hyper-V to identify periods of high and low demand on a Hyper-V virtual computer.

  • Retrieve UAL data from multiple remote servers.

In addition, software developers can instrument UAL events that can then be aggregated and retrieved by using WMI and Windows PowerShell interfaces.

The following server roles and services can be supported by UAL:

  • Active Directory Certificate Services (AD CS)

  • Active Directory Rights Management Services (AD RMS)

  • BranchCache

  • Domain Name System (DNS)

    Note

    UAL collects DNS data every 24 hours, and there is a separate UAL cmdlet for this scenario.

  • Dynamic Host Configuration Protocol (DHCP)

  • Fax Server

  • File Services

  • File Transfer Protocol (FTP) Server

  • Hyper-V

    Note

    UAL collects Hyper-V data every 24 hours, and there is a separate UAL cmdlet for this scenario.

  • Web Server (IIS)

    Warning

    To use UAL with IIS, you must use iisual.exe. For more information, see Analyzing Client Usage Data with IIS User Access Logging.

  • Microsoft Message Queue (MSMQ) Services

  • Network Policy and Access Services

  • Print and Document Services

  • Routing and Remote Access Service (RRAS)

  • Windows Deployment Services (WDS)

  • Windows Server Update Services (WSUS)

Important

UAL is not recommended for use on servers that are connected directly to the Internet, such as web servers on an Internet-accessible address space, or in scenarios where extremely high performance is the primary function of the server (such as in HPC workload environments). UAL is primarily intended for small, medium, and enterprise intranet scenarios where high volume is expected, but not as high as deployments that serve Internet-facing traffic volume on a regular basis.

Important functionality

The following table describes key functions of UAL and their potential value.

Functionality Value
Collect and aggregate client request event data in near real-time. Up to three years of data can be saved. Important: Administrators need to enforce compliance of the data collected and data retention periods with the organization's privacy policy and local regulations.
Query UAL by using WMI or Windows PowerShell interfaces to retrieve client request data on a local or remote server. UAL enables a single view of ongoing usage data. Server and enterprise administrators can retrieve this data and coordinate with business administrators to optimize use of their volume software licenses.
Enabled by default. Server administrators do not need to configure or otherwise set up this feature for all core functionality to be available and working.

Data logged with UAL

The following user-related data is logged with UAL.

Data Description
UserName The user name on the client that accompanies the UAL entries from installed roles and products, if applicable.
ActivityCount The number of times a particular user accessed a role or service.
FirstSeen The date and time when a user first accesses a role or service.
LastSeen The date and time when a user last accessed a role or service.
ProductName The name of the software parent product, such as Windows, that is providing UAL data.
RoleGUID The UAL assigned or registered GUID that represents the server role or installed product.
RoleName The name of the role, component, or subproduct that is providing UAL data. This is also associated with a ProductName and a RoleGUID.
TenantIdentifier A unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable.

The following device-related data is logged with UAL.

Data Description
IPAddress The IP address of a client device that is used to access a role or service.
ActivityCount The number of times a particular device accessed the role or service.
FirstSeen The date and time when an IP address was first used to access a role or service.
LastSeen The date and time when an IP address was last used to access a role or service.
ProductName The name of the software parent product, such as Windows, that is providing UAL data.
RoleGUID The UAL-assigned or registered GUID that represents the server role or installed product.
RoleName The name of the role, component, or subproduct that is providing UAL data. This is also associated with a ProductName and a RoleGUID.
TenantIdentifier A unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable.

Software requirements

UAL can be used on any computer running versions of Windows Server after Windows Server 2012.

Additional References

User Access Logging on MSDN. Manage User Access Logging