When planning for the future, customers often want to know how many unique users are actually using their Citrix environment(s).
If a customer is using the User/Device licensing model, then the customer can begin by running "C:\Program Files (x86)\Citrix\Licensing\LS\udadmin" -list from the command line of the Citrix License Server, as described in Citrix Documentation: License administration commands.
For customers who cannot use this option, such as customers who have concurrent or mixed licensing models, customers who have multiple sites/farms, or customers who want to define a specific time period to monitor users, this blog provides the steps for an organization to determine exactly how many users accessed a Citrix environment during a specified period of time.
Security Logs are a great place to find login/authentication information. As users must go through a web server to access a XenApp/XenDesktop session, the Security Logs on a StoreFront/Web Interface server provide details on each user who logs into a Citrix environment. Specifically, Event ID 4624 specifies when a successful logon occurs, according to Microsoft Support: Description of security events in Windows 7 and in Windows Server 2008 R2.
Thus, by viewing the Properties of Event ID 4624 on the Security Logs of the web servers, administrators can view account names that successfully accessed a Citrix environment. Organizing multiple logins from multiple web servers, however, requires exporting the Security Logs into a customizable spreadsheet tool such as Microsoft Excel.
Unfortunately, saving Event Logs as a .csv file, or opening the file directly in Excel, does not produce all of the necessary information from the Event Viewer, including account names. A workaround to getting the account names from the Security Logs into Excel is to save the Logs as a text file, copy the data to Microsoft Word, and then recopy the data to Excel. These steps are described in detail below.
Note: Before attempting the steps below, determine the period of time to evaluate users (e.g. August 1, 2015 to August 5, 2015) and the StoreFront/Web Interface servers that allow users to access Citrix (e.g. WebInterface1, WebInterface2, StoreFront1, StoreFront2). Microsoft Word and Excel are also required to complete the exercise below.
1. Navigate to the Event Viewer for a Citrix web server in the environment and follow the steps below to obtain the logs that show account logins:
- Filter the Security Log for the period of time to scan under Custom Range (e.g. August 1, 2015 to August 5, 2015)
- Input the Event ID as 4624
- Search for Keywords matching Audit Success
Note: For large environments, the Custom Range field may need to be split into smaller logs (e.g. one log for August 1, 2015 to August 2, 2015 and a second log for August 3, 2015 to August 5, 2015).
2. Save the log as a text file (e.g. WebInterface1.txt) and complete the steps below to get the necessary data to Microsoft Excel:
- Open the text file (e.g. WebInterface1.txt) with Notepad
- Copy all of the data from Notepad and paste in a blank Microsoft Word document
- Copy all of the data from Microsoft Word and paste in a blank Microsoft Excel sheet
Note: If all of the data does not fit on one page of Microsoft Excel, copy a subsection of the data from Microsoft Word into a Microsoft Excel sheet. Then, copy another subsection of Microsoft Word into another Microsoft Excel sheet. Continue until all of the data from Microsoft Word is input into Microsoft Excel.
3. From Microsoft Excel complete the following steps to remove unnecessary data:
- Delete Rows 1-3
- Delete Column C
- Delete Column A
4. Highlight all of the data in Columns A and B and then click Filter to filter Column A by Account Name.
5. Copy the account names (Column B) to a new worksheet in Column A.
Note: When repeating Step 5 for other web servers, please paste the copied account names into this worksheet. Do not create separate worksheets for each web server.
6. Repeat Steps 1-5 for each Citrix web server in the environment.
7. Highlight Column A and Remove Duplicates to remove users who logged in multiple times.
8. View users who accessed Citrix (e.g. 5 users).
Note: Review the list of users to ensure that no computer accounts are listed.
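The same count can be produced without the Notepad/Word/Excel round trip by querying Event ID 4624 on each web server with Get-WinEvent. The script below is an added example, not part of the original post; the server names and date range are the post's sample values, and the variable names are illustrative.

```powershell
# Added example, not from the original post. Server names and dates are the
# post's sample values; replace them with the servers and period being measured.
$servers = 'WebInterface1', 'WebInterface2', 'StoreFront1', 'StoreFront2'
$filter = @{
    LogName   = 'Security'
    Id        = 4624                      # successful logon
    StartTime = [datetime]'2015-08-01'
    EndTime   = [datetime]'2015-08-06'    # midnight after August 5, so the whole day is included
}

$logons = foreach ($server in $servers) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Read the named fields from the event XML instead of parsing message text.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $data[$d.Name] = $d.'#text'
                }
                [pscustomobject]@{
                    Server  = $server
                    User    = $data['TargetUserName']
                    Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                }
            }
    }
    catch {
        # Unreachable servers and "no events found" both surface here.
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

# Drop computer accounts (names ending in $), then de-duplicate across all servers.
$users = $logons |
    Where-Object { $_.User -and $_.User -notlike '*$' } |
    Select-Object -ExpandProperty Account |
    Sort-Object -Unique

$users
"Unique accounts: $(@($users).Count)"
```

Reading the Security log requires administrative rights or membership in Event Log Readers on each server. As with the spreadsheet method, review the output for service or system accounts before treating the count as Citrix users.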
Additionally, I would like to thank the following people for their contributions: Nick Rintalan, Andy Winiarski, Dan Ruggiero, and Lee Milam.
Until next time,
Citrix Lead Sales Engineer