IS Decisions logo

IS Decisions Blog

Monitor user activity on Windows server networks

To effectively monitor user activity across a Windows Server Network, you need the access controls, real-time insight & alerts to respond to inappropriate activity

Published October 10, 2014
Monitor user activity on Windows server networks

Monitoring user activity across a Windows Server-based network is key to knowing what is going on in your Windows environment. User activity monitoring is vital in helping mitigate increasing insider threats, implement CERT best practices and get compliant.

However, it is important to stress that without multi-factor authentication, enhanced user access controls or the ability to filter and alert on specific access events, the monitoring has limited use. This post outlines how UserLock (a unique enterprise solution) can provide organizations with the controls, insight, and response that is needed to effectively monitor a Windows network user activity.

Monitor user activity in real-time

Monitor user activity in real-time

UserLock extends the way a user’s access is verified with multi-factor authentication and layers of additional security controls and restrictions (location, time, stopping concurrent sessions). With multi-factor authentication in place, and restrictions set, UserLock monitors and records all login and session events, across all session types (workstation, terminal, interactive, Internet Information Services (IIS), Wi-Fi and VPN), in real-time. It provides a log of access information and detailed insights on who is connected, from which system(s), since what time, for how long (etc).

  • Server reports (pictured above) present this real-time information to give an instant overview of user activity. Database reporting uses this real-time data to generate reports based on a particular time range.

  • Predefined reports include session history (detailed connection list: logon, lock, unlock, logoff instances, users, domains, workstations, etc.), and session statistics (total login, total connection time and average time per session for a given user and period).

The Configuration Section groups the specific criteria available for a selected report:

User session activity configuration report

Detect and evaluate users’ suspicious logon activity

User status to evaluate logon activity

By correlating each user’s access events with their customized access controls, UserLock’s real-time monitoring includes the User Status to help administrators better detect and evaluate suspicious network access behavior at a glance.

The status assigned to each user evolves according to the user’s activity when accessing or attempting to access the network. Activity deemed as risk or high risk is clearly flagged, alerting administrators in real-time about inappropriate or unusual logon activities. The settings can be adapted to meet the needs of the organization.

Get alert and respond when monitoring logon activity

Alerts when monitoring user activity

As soon as any suspicious access event is detected (e.g. failed logon attempts, attempts to log on to default accounts, activity during nonworking hours…), UserLock automatically alerts the administrator (pop-ups or email), offering IT the chance to instantly react by remotely locking, logging off or resetting the appropriate settings.

Warn users to activity from compromised credentials

User alert compromised password activity

Warn users in real-time of all connection events involving their credentials. Many breaches initiated through phishing and other social engineering are carried out by acquiring and misusing a users credentials to secured systems. To help users protect the access (and resources) that are entrusted to them this real-time alert allows users to assess for themselves the situation and inform their IT department to action any fraudulent activity.

Monitor user activity from anywhere with UserLock

UserLock makes it easy for the entire IT team to manage user activity. Using the UserLock desktop console and the UserLock web app, IT can access and manage user sessions from any computer.


With UserLock we have an effective network access management tool. It has helped simplify IT’s work by reducing between 70 and 90% the time spent monitoring and auditing network access of all users.”

Antonio Fernandes S. Oliveira, Network Manager, Pernambuco State Traffic Department, Brazil

Read the full case study

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial