Udostępnij za pośrednictwem


Pulling out users who are connecting using Outlook 2003 in your Exchange 2010 environment

I have had many customers work their way out in pulling the information of what client is being used by various users in their Exchange 2010 environment. Especially Outlook 2003 clients. As if you have Outlook 2003 in your environment, you will not be able to go with Exchange upgrade to a new version.

Outlook 2003 is not supported with Exchange 2013 or even Office365.

One of the most easiest and fastest way of getting that information is by parsing the RPC Client Access logs using Log Parser Studio (LPS) tool written by Kary Wall. You can know more about what are the updates to this by adding yourself into RSS feeds on this https://blogs.technet.com/b/karywa/archive/tags/log+parser+studio/

You can find more information about usage of LPS could be found in the article mentioned https://blogs.technet.com/b/exchange/archive/2012/03/07/introducing-log-parser-studio.aspx and https://blogs.technet.com/b/exchange/archive/2013/06/17/log-parser-studio-2-2-is-now-available.aspx

A pre-requisite for LPS to work is Log parser to be installed on the machine you are using LPS. You can download and install Log parser from https://www.microsoft.com/en-us/download/details.aspx

LPS uses Log parser in the background. LPS is a GUI mode representation of what Log Parser can do in terms of parsing through Exchange related logs. To understand more, I would definitely recommend going through the https://blogs.technet.com/b/exchange/archive/2013/06/17/log-parser-studio-2-2-is-now-available.aspx mentioned earlier and download the LPS tool.

Now, that we have covered the way to download LPS, I will dig into going through RPC Client Access Logs.

The RPC Client Access Logs are saved by default in the directory mentioned inside the file Microsoft.Exchange.RPCClientAccess.Service.exe.config file located inside your Bin folder.

To pull the information about where we have our Exchange install directory on a specific server, you could open your Exchange management shell and Run $exinstall

The logging is by default enabled on Exchange 2010 servers. You could see the setting "ProtocolLoggingEnabled" set to "true" in the above config file image.

Now, if you open up the RPC client access logs that are generated inside the logging directory, you get to see various fields.

A few of the fields which will be of use to us in this specific activity are:

1. client-name - User Distinguished name (UserDN)

2. client-software - the software that is connecting to the server (eg: outlook.exe, communicator.exe etc)

3. client-software-version - the version of software connecting to the server (eg: 11.*.*.*, 12.*.*.*, 14.*.*.*, 15.*.*.* etc., )

4. client-ip - IP address of the machine from which the software mentioned above is connecting to the server.

Now, there are a couple of ways of getting the information about users/machine IPs connecting to your environment.

One is a manual, old fashioned, time consuming and boring way of using Excel to get the fields you need.

Other is a quick (did I say quick? well, it flies), modern way of using LPS (let LPS do the job for you) - which we will be discussing in the post here.

I prefer to generally copy the log files to a location on my local machine before I go through any log files.

But, LPS also has this facility where you specify the share location and it can read through the logs on the share and still give you good results (will be a little slow as network latency will play its role here especially going across the WAN if you are specifying the logs on remote site servers)

Once you decide to either copy the log files locally or use file share to use a remote location share, we get into LPS tool.

When you open LPS, it shows up the main page.

 

We will use a custom query to pull this information out from RPC Client Access Server.

Click on Create New Query option on Top of the page.

It opens up another tab as shown in the image below

In the new query tab, select the Log Type: from "NOTSET" to " EELLOG"

and copy paste the Query mentioned below.

SELECT DISTINCT TO_LOWERCASE(Client-Software) as Software, TO_LOWERCASE (Client-Software-Version) as Version, TO_LOWERCASE(Client-Name) as UserDN, Client-Ip

FROM '[LOGFILEPATH]'

WHERE Software IS NOT NULL

AND Client-IP IS NOT NULL

AND Version LIKE '11.0%'

AND Software LIKE 'outlook.exe%'

ORDER BY Version Asc

Explaining the query written above.

We are selecting 4 different columns. Client-Software as Software, Client-Software-Version as Version, Client-Name as UserDN and Client-IP

Now, click on Log shown on top as shown in the image below.

As soon as you click on the Log, it opens up a popup window as shown below.

Click on Add folder and browse a the server share to the location where RPC Client Access Logs are saved or select a local directory where you have the log files saved.

Selecting a server share:

Or selecting from a local directory:

Click Open

You could add multiple folders as well.

Once all the folders are selected, as shown below, you can click on OK

After this, you click on Execute on the top of the LPS page

Now, sit back while LPS is doing its parsing. It should get you the information that you asked for in the Query mentioned above.

You could use this data to identify the Machine IP address and the users using those machines which has Outlook 2003 to access the mailbox on Exchange 2010.

The Versions are explained below

Client Version number

Friendly Name

11.0.5604.0

Outlook 2003

11.0.6352.0

Outlook 2003 SP1

11.0.6555.0

Outlook 2003 SP2

11.0.8000.0

Outlook 2003 SP2

11.0.8161.0

Outlook 2003 SP3

11.0.8200.0

Outlook 2003 SP3

11.0.8303.0

Outlook 2003 SP3

If you notice any of the above versions in the output, it means that there are outlook 2003 clients connecting to the server and it needs to be upgraded ASAP.

- Akshay Katti

Comments

  • Anonymous
    January 01, 2003
    Thank you Peter.

    Given below are the reasons why not to use Get-LogonStatistics

    1. It is the present clients connected to the server and might not give you information of who all connected historically (which only get saved in the logs)
    2. Get-LogonStatistics does not give you client version information correctly and it gives something like below.

    UserName ClientVersion LastAccessTime ServerName
    Akshay Katti 3587.0.32963.1 5/5/2015 20:56 Server1
    Kary Wall 3587.0.32963.1 5/5/2015 22:20 Server1
    James Bond 3587.0.32992.2 5/5/2015 20:52 Server1
    User-121 3587.0.32963.1 5/2/2015 20:17 Server2
    User223 3587.0.32963.1 5/5/2015 20:55 Server2
    User444 3587.0.32992.2 5/2/2015 12:37 Server2

    This was pulled out in my lab and hence not a lot of users you see. But still, the ClientVersion that you see here is something very difficult to digest. It would also be not possible to pull the information of client machines from Get-LogonStatistics. Which is a big plus point for going with LPS approach. Admins will use this information to identify which machines are having 2003 clients.

    Let me know if you have any questions!
  • Anonymous
    January 01, 2003
    Hi,
    wow - very cool information. But why not just running this command on your Exchange 2007/2010 Servers:
    Get-MailboxServer | Get-LogonStatistics | Select UserName,ClientVersion,LastAccessTime,ServerName
    Regards, Peter
  • Anonymous
    May 26, 2015
    Thanks - this is very useful.