Tip: How do you find out who are the users in your HMC environment doing MAPI access?

  • [アーティクル]

Typically in a corporate environment, to find out who are the users using Outlook MAPI access and the version, you can Microsoft Exchange Server User Monitor, or ExMon (https://www.microsoft.com/downloads/details.aspx?familyid=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en).

ExMon is really good to gather real time data but may not be good tool if you want to find out who has been doing MAPI access for the past say 3 months. Unfortunately, there is really no good tool to do that right now in a corporate environment. In HMC, the story may be a bit different because one of the good things about Hosted Exchange in HMC is that all client traffics will go through CAS, whether it is MAPI, POP3, OWA and etc.

In HMC, MAPI access comes in the form of Outlook Anywhere or RPC over HTTPs. Because of that, we can harvest the data by looking at the IIS log. When it comes to reviewing the IIS Log, you can't run away from tapping into the power of the LogParser. All you have to do is to identify the specific pattern for example, the following should give you a list of users that have logged on through RPC over HTTPs or Outlook Anywhere.

Logparser.exe" -i:IISW3C -o:CSV "SELECT DISTINCT cs-username from ex090402.log where cs(User-Agent) LIKE '%MSRPC%'"

Of course, you can also run it against a list of files by doing *.log instead of specifying a specific log file.

If you can identify other patterns such as Outlook 2007 will always try to connect to the web services (whereas older versions of Outlook do not do that), then you can do the same as well such as the following,

 Logparser.exe" -i:IISW3C -o:CSV "SELECT DISTINCT cs-username from ex090402.log where cs-uri-stem LIKE '%Exchange.asmx%'"

There are other examples but I will leave it to you all to explore. You can find more examples here too, https://msexchangeteam.com/archive/2007/09/12/446982.aspx.

Comments