Skip to main content

Displaying the Logon Status using Data shaping via ADSI and the Exchange_Logon WMI Class in Exchange 2003

Being able to display logon information via the various Exchange administrator tools has been around for a while but until Exchange 2003 there was never any scriptable interface you could use to display this data . Although for various reasons this data is never 100% accurate it can be used to get an indication of who’s logged onto the server and what client they are using. If you shape the data you can retrieve using Exchange_logon with a full list of mailboxes on that server retrieved via ADSI then you can get a bit more of a clear picture as to who is logged on, who is not logged on, how many people are logged on to one particular mailbox, how they are logged on (OWA or Outlook) and what version of outlook they are using.

The script itself uses the same ADO data shaping techniques I described in this post. Some different bits and pieces that have been added to this script are

Front End
The Front end of the code accepts two command line variables the first is the severname of the Exchange server you want to run it against and the second is the type of logon you want to report on. With the second parameter there are 5 options which should be self explanatory

OWA -Show user logged on via Outlook Web Access"
Outlook -Show users logged on via Outlook"
Loggedon -Show All logged on Users"
Loggedout -Show Users not Logged On"
ALL -Show all users Logged in and Out"

Displaying the Outlook version

The Exchange_Logon class displays the version of Outlook that is being used by the client to connect to exchange. There is a complete list of which versions relates to which Outlook build on http://www.cdolive.com/build.htm . I’ve taken this list and dropped it into a Case statement in the script so I can display the friendly Outlook build name instead of the the build version number. If you are using a build number not on the list then the script should just output the version number

Displaying IP address and Cache/Online Mode if the client is using Outlook 2003

Outlook 2003 now allows you to track weather a user is in cache mode or online mode as well as the IP address of the client PC. The WMI class returns an integer indicating weather the client is using cache mode or online so I’ve added a simple function to convert this to a friendly name. The IP address is displayed if possible if not it just shows blank.

With the ADSI query it only shows the visible users in the GAL for that server and ignores any hidden mailboxes. If you wanted to include hidden mailboxes you’ll need to tweak the ADSI.

The WMI query will differ based on the command line parameters you enter in. The rest of the script is pretty straight forward. One thing to note is i haven't tested this with OMA user logging on.(I think it will show them as OWA users)

To run the script use something like cscript displogon.vbs servername ALL

I’ve put a downloadable copy of the script here the code itself looks like

if WScript.Arguments.Count <> 2 then
call DisplayUsage
else
call Main()
end if


sub main()
servername = wscript.arguments(0)
showarg = lcase(wscript.arguments(1))
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
set conn1 = createobject("ADODB.Connection")
strConnString = "Data Provider=NONE; Provider=MSDataShape"
conn1.Open strConnString
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
set objParentRS = createobject("adodb.recordset")
set objChildRS = createobject("adodb.recordset")
strSQL = "SHAPE APPEND" & _
" NEW adVarChar(255) AS ADDisplayName, " & _
" NEW adVarChar(255) AS ADLegacyDN, " & _
" ((SHAPE APPEND " & _
" NEW adVarChar(255) AS WMIDisplayName, " & _
" NEW adVarChar(255) AS WMILegacyDN, " & _
" NEW adVarChar(255) AS WMILoggedOnUserAccount, " & _
" NEW adVarChar(255) AS WMIClientVersion, " & _
" NEW adVarChar(255) AS WMIClientIP, " & _
" NEW adVarChar(255) AS WMIClientMode " & _
")" & _
" RELATE ADLegacyDN TO WMILegacyDN) AS rsADWMI "
objParentRS.LockType = 3
objParentRS.Open strSQL, conn1
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = ""<LDAP://" & strNameingContext & "">;(&(objectCategory=msExchExchangeServer)(cn=" & Servername & "));cn,name,distinguishedName,legacyExchangeDN;subtree"
Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)(| (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = ";" & GALQueryFilter & ";distinguishedName,displayname,legacyExchangeDN,homemdb;subtree"
com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs2 = Com.Execute
while not rs2.eof
objParentRS.addnew
objParentRS("ADDisplayName") = rs2.fields("displayname")
objParentRS("ADLegacyDN") = rs2.fields("legacyExchangeDN")
objParentRS.update
rs2.movenext
wend
wscript.echo "finished 1st AD of Mailbox's"
rs.movenext
wend

strWinMgmts ="winmgmts:{impersonationLevel=impersonate}!//"& servername &"/root/MicrosoftExchangeV2"
Select case showarg
case "owa" sqlstate = "Select * FROM Exchange_Logon where StoreType = 1 and ClientVersion = 'HTTP'"
case "outlook" sqlstate = "Select * FROM Exchange_Logon where StoreType = 1 and ClientVersion <> 'SMTP' AND ClientVersion <> 'OLEDB' AND ClientVersion <> 'HTTP'"
case else sqlstate = "Select * FROM Exchange_Logon where StoreType = 1 and ClientVersion <> 'SMTP' AND ClientVersion <> 'OLEDB'"
end select
Set objWMIExchange = GetObject(strWinMgmts)
Set listExchange_ExchangeLogons = objWMIExchange.ExecQuery(sqlstate,,48)
objChildRS.LockType = 3
Set objChildRS = objParentRS("rsADWMI").Value
For each objExchange_ExchangeLogon in listExchange_ExchangeLogons
if objExchange_ExchangeLogon.LoggedOnUserAccount <> "NT AUTHORITY\SYSTEM" then
objChildRS.addnew
objChildRS("WMIDisplayName") = objExchange_ExchangeLogon.MailboxDisplayName
objChildRS("WMILegacyDN") = objExchange_ExchangeLogon.MailboxLegacyDN
objChildRS("WMILoggedOnUserAccount") = objExchange_ExchangeLogon.LoggedOnUserAccount
objChildRS("WMIClientVersion") = objExchange_ExchangeLogon.ClientVersion
objChildRS("WMIClientIP") = objExchange_ExchangeLogon.ClientIP
objChildRS("WMIClientMode") = objExchange_ExchangeLogon.ClientMode
objChildRS.update
end if
Next
wscript.echo "finished Exchange WMI query"
Wscript.echo "Dislay Results " & showarg
wscript.echo
objParentRS.MoveFirst
Do While Not objParentRS.EOF
Set objChildRS = objParentRS("rsADWMI").Value
objChildRS.sort = "WMILoggedOnUserAccount"
select case showarg
case "all" Wscript.echo objParentRS.fields("ADDisplayName")
if objChildRS.recordcount = 0 then Wscript.echo " " & "Not Logged On"
case "loggedon" if objChildRS.recordcount <> 0 then Wscript.echo objParentRS.fields("ADDisplayName")
case "owa" if objChildRS.recordcount <> 0 then Wscript.echo objParentRS.fields("ADDisplayName")
case "outlook" if objChildRS.recordcount <> 0 then Wscript.echo objParentRS.fields("ADDisplayName")
case "loggedout"if objChildRS.recordcount = 0 then Wscript.echo objParentRS.fields("ADDisplayName")
case else Wscript.echo objParentRS.fields("ADDisplayName")
end select
if showarg <> "loggedout" then
Do While Not objChildRS.EOF
currec = objChildRS.fields("WMILoggedOnUserAccount") & objChildRS.fields("WMIClientVersion") & objChildRS.fields("WMIClientIP") & objChildRS.fields("WMIClientMode")
if currec <> prevrec then
Wscript.echo " " & objChildRS.fields("WMILoggedOnUserAccount") & " " & getversion(objChildRS.fields("WMIClientVersion")) & " " & _
getmode(objChildRS.fields("WMIClientMode")) & " " & objChildRS("WMIClientIP")
end if
prevrec = currec
objChildRS.MoveNext
Loop
end if
objParentRS.MoveNext
Loop

end sub


function getversion(version)

Select case version
case "4.0.994.0" getversion = "Outlook 97 Initial release in Q1/1997."
case "5.0.1457.0" getversion = "Outlook 97 Ships only with Microsoft Exchange 5.0 Service Pack 1"
case "5.0.1458.0" getversion = "Outlook 97 Ships only with Microsoft Office 97 SR-1"
case "5.0.1960.0" getversion = "Outlook 97 Ships only with Microsoft Exchange Server 5.5 and Microsoft Exchange 5.0 Service Pack 2"
case "5.0.2178.0" getversion = "Outlook 98 Initial release in Q1/1998."
case "5.0.2819.0" getversion = "Outlook 2000 Initial release in Q2/1999"
case "5.0.3121.0" getversion = "Outlook 2000 update included with Office 2000 SR1 (and SR1a)"
case "5.0.3136.0" getversion = "Outlook 2000 security update patch"
case "5.0.3144.0" getversion = "Outlook 2000 with Service Pack 2 installed"
case "10.0.0.3311" getversion = "Outlook 2002 with hotifx"
case "8.00.3511" getversion = "Outlook 97 Initial release in Q1/1997."
case "8.01.3817" getversion = "Outlook 97 Ships only with Microsoft Exchange 5.0 Service Pack 1"
case "8.02.4212" getversion = "Outlook 97 Ships only with Microsoft Office 97 SR-1"
case "8.03.4629" getversion = "Outlook 97 Ships only with Microsoft Exchange Server 5.5 and Microsoft Exchange 5.0 Service Pack 2"
case "8.04.5619" getversion = "Outlook 97 Ships only with Microsoft Office 97 SR-2"
case "8.5.5104.6" getversion = "Outlook 98 Initial release in Q1/1998. Is included with the Microsoft Exchange 5.5 Service Pack 1 CD-ROM (not available for download at the Microsoft site)"
case "8.5.5603.0" getversion = "Outlook 98 Microsoft Outlook 98 Security Patch 2 "
case "8.5.7806" getversion = "Outlook 98 Outlook 98 security update"
case "9.0.0.2711" getversion = "Outlook 2000 Initial Release in Q2/1999"
case "9.0.0.3011" getversion = "Outlook 2000 Microsoft Office 2000 Developer Edition released in Q3/1999"
case "9.0.0.3821" getversion = "Outlook 2000 update included with Office 2000 SR1 (and SR1a)"
case "9.0.0.4201" getversion = "Outlook 2000 security update patch installed."
case "9.0.0.4527" getversion = "Outlook 2000 with Service Pack 2 installed"
case "9.0.0.6673" getversion = "Outlook 2000 - SP3"
case "10.0.0.2625" getversion = "Outlook 2002 Initial release in Q1/2001."
case "10.0.0.2627" getversion = "Outlook 2002 Initial release in Q1/2001."
case "10.0.0.3513" getversion = "Outlook 2002 with Service Pack 1"
case "10.0.0.3501" getversion = "Outlook 2002 with Service Pack 1"
case "10.0.0.4115" getversion = "Outlook 2002 with Service Pack 2"
case "10.0.0.3416" getversion = "Outlook 2002 with Service Pack 1"
case "10.0.0.4219" getversion = "Outlook 2002 with Service Pack 2"
case "10.0.0.6515" getversion = "Outlook 2002 with Service Pack 3"
case "10.0.0.6626" getversion = "Outlook 2002 with Service Pack 3"
case "11.0.5604.0" getversion = "Outlook 2003 Initial release Oct. 2003 RTM Build"
case "11.0.5606.0" getversion = "Outlook 2003 Initial release Oct. 2003 RTM Build"
case "11.0.5608.0" getversion = "Outlook 2003 Initial release Oct. 2003 RTM Build"
case "11.0.5703.0" getversion = "Outlook 2003 with critical update releases on 11.4.2003"
case "11.0.6353.0" getversion = "Outlook 2003 SP1, released August 2003. "
case "11.0.6352.0" getversion = "Outlook 2003 SP1, released August 2003. "
case "HTTP" getversion = "Outlook Web Access"
case else getversion = version
end select

end function

function getmode(clientmode)
select case clientmode
case 1 getmode = "Classic Online"
case 2 getmode = "Cached Mode"
case else getmode = " "
end select
end function

public sub DisplayUsage
WScript.echo "usage: cscript displogon.vbs "
WScript.echo "Vaid Modes"
WScript.echo " OWA - Show user logged on via Outlook Web Access"
WScript.echo " Outlook -Show users logged on via Outlook"
WScript.echo " Loggedon -Show All logged on Users"
WScript.echo " Loggedout -Show Users not Logged On"
WScript.echo " ALL -Show all users Logged in and Out"
end sub

Popular posts from this blog

Testing and Sending email via SMTP using Opportunistic TLS and oAuth in Office365 with PowerShell

As well as EWS and Remote PowerShell (RPS) other mail protocols POP3, IMAP and SMTP have had OAuth authentication enabled in Exchange Online (Official announcement here ). A while ago I created  this script that used Opportunistic TLS to perform a Telnet style test against a SMTP server using SMTP AUTH. Now that oAuth authentication has been enabled in office365 I've updated this script to be able to use oAuth instead of SMTP Auth to test against Office365. I've also included a function to actually send a Message. Token Acquisition  To Send a Mail using oAuth you first need to get an Access token from Azure AD there are plenty of ways of doing this in PowerShell. You could use a library like MSAL or ADAL (just google your favoured method) or use a library less approach which I've included with this script . Whatever way you do this you need to make sure that your application registration  https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-

How to test SMTP using Opportunistic TLS with Powershell and grab the public certificate a SMTP server is using

Most email services these day employ Opportunistic TLS when trying to send Messages which means that wherever possible the Messages will be encrypted rather then the plain text legacy of SMTP.  This method was defined in RFC 3207 "SMTP Service Extension for Secure SMTP over Transport Layer Security" and  there's a quite a good explanation of Opportunistic TLS on Wikipedia  https://en.wikipedia.org/wiki/Opportunistic_TLS .  This is used for both Server to Server (eg MTA to MTA) and Client to server (Eg a Message client like Outlook which acts as a MSA) the later being generally Authenticated. Basically it allows you to have a normal plain text SMTP conversation that is then upgraded to TLS using the STARTTLS verb. Not all servers will support this verb so if its not supported then a message is just sent as Plain text. TLS relies on PKI certificates and the administrative issue s that come around certificate management like expired certificates which is why I wrote th

The MailboxConcurrency limit and using Batching in the Microsoft Graph API

If your getting an error such as Application is over its MailboxConcurrency limit while using the Microsoft Graph API this post may help you understand why. Background   The Mailbox  concurrency limit when your using the Graph API is 4 as per https://docs.microsoft.com/en-us/graph/throttling#outlook-service-limits . This is evaluated for each app ID and mailbox combination so this means you can have different apps running under the same credentials and the poor behavior of one won't cause the other to be throttled. If you compared that to EWS you could have up to 27 concurrent connections but they are shared across all apps on a first come first served basis. Batching Batching in the Graph API is a way of combining multiple requests into a single HTTP request. Batching in the Exchange Mail API's EWS and MAPI has been around for a long time and its common, for email Apps to process large numbers of smaller items for a variety of reasons.  Batching in the Graph is limited to a m
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.