Audit and report on active directory user logon events

UserLock records and reports on all user connection events to provide a central audit across the whole network — far beyond what Microsoft includes in Windows Server and Active Directory auditing.

Download Read more

Windows AD User Login History A comprehensive audit for accurate insights

UserLock records and reports on every user connection event and logon attempt to a Windows domain network.

Report

Connection event type

........................................

...............

Logon, Logoff, Lock/Disconnection, Unlock/Reconnection, Logon Denied.

Session Type

...............................................

.........

Workstation, Terminal, Total Interactive, Wi-Fi, VPN, IIS.

The user

..............................................

....

Domain Name, User Name.

The source

.........................

............

Workstation Name, Machine or Device Name, IP Address, Port Name, Server Name.

The time

..............................

..............

Logon time, Logoff time, Lock time, Unlock time, Time Logon Denied, Total Session Time.

Read more on how UserLock collects audited data

Try UserLock — Free trial now

"UserLock provides detailed reports at a level that can be used to track down security threats, support forensic and legal investigations and prove regulatory compliance."

OVUM Analyst Review OVUM Analyst Review

Logon activity Audit all session history

  • Logon/Logoff activity on Interactive Sessions All workstation and terminal session activity.
  • Logon/Logoff activity on Wi-Fi Sessions All wireless network activity.
  • Logon/Logoff activity on VPN Sessions All remote access VPN connection activity.
  • Logon/Logoff activity on IIS Sessions All session activity on Microsoft IIS Servers (E.g. Web apps such as Outlook Web Access).
  • Logon/Logoff activity by User, Group or OU All activity (Logon time, Logoff time, Logon Duration, Session Type…) for one or many users.
  • Last Logon Logoff Report Review date and times across all session types.
  • Machine Activity Report All activity (Logon time, Logoff time, Logon Duration, Number of sessions, Last session…) from a shared machine.

08:27 AM

Logon Workstation Session Claire CARTER WKS061  -  10.1.2.65

08:31 AM

Logon IIS Session Jimmy CROSS WKS067  -  10.1.2.74

08:35 AM

Logon WI-FI Session Liang KO WKS041  -  10.1.74.103

09:00 AM

Total session count is now 917

09:28 AM

Terminal Session Logon Claire CARTER VES1/WKS061  -  10.1.2.65

09:52 AM

Logon VPN Session Robyn WELDO WKS093  -  95.172.82.05

09:52 AM

Last Logon Report - Finance Group 15 users from The Finance Group are now logged on

10:03 AM

Lock Workstation Session Ubwa FREY WKS070  -  10.1.2.75

10:21 AM

Logoff IIS Session Total duration time of 2hrs 08mins
Jimmy CROSS WKS067  -  10.1.2.74

 

Audit all denied and suspicious access

  • Concurrent Session Report All domain users with simultaneous sessions opened.
  • Logon Denied by Windows All access rejected by Windows – includes multiple logon failure attempts.
  • Logon Denied by UserLock Contextual restrictions to help verify authenticated users identity. Access rejected due to an unauthorized: Machine or IP address Session type Timeframe or Quota Number of concurrent sessions Number of initial access points

05:03 PM

Permitted to a single point of entry Workstation Logon denied by UserLock restriction Liang KO WKS055  -  10.1.2.09

05:08 PM

Multiple logon failure attempts Workstation Logon denied by Windows Namie MAEKAWA WKS012  -  10.1.45.101

05:41 PM

Unauthorized Session Type Wi-Fi Session Logon denied by UserLock restriction Thomas LEACH WKS001  -  10.1.2.42

05:59 PM

Deny Concurrent Sessions Workstation Logon denied by UserLock restriction Ajeya SINGH WKS056  -  10.1.2.50

06:12 PM

Unauthorized machine VPN Logon denied by UserLock restriction Carrie RHODES WKS047  -  95.1.32.55

07:55 PM

Unauthorized working hours Workstation Logon denied by UserLock restriction Todd DAVIS WKS099  -  10.1.2.33

Use case example

Active Directory User Login History

Get and schedule a report on all access connection for an AD user. Trace all activity on any account to an individual user – the complete history of logon of any user in the domain.

Read more Watch video

Help Net Security « The attention to detail that IS Decisions has shown when planning the account logon rules can also be seen in the built-in reporting mechanism. The software collects a wide range of usage patterns per each user account and you can generate a report based on every one of these parameters. »

Read the HelpNet Security Review

Auditingfor regulatory compliance

Accurate information about who was connected, from which system(s), at what time and for how long they were active is necessary for compliance with major regulations. Learn more about logon auditing needs for PCI DSS, ISO 27001, NIST 800-53, SOX and HIPAA.

Custom reportsMakes analysis easy

UserLock records all access events into an ODBC database for reporting. Filter and sort the audit to show only the most pertinent results for your organization. Choose to schedule and view reports directly from the console, send reports to specified mailboxes or print and export in several file formats.

"UserLock has helped simplify IT’s work by reducing between 70 to 90% the time spent monitoring and auditing network access for all users."

Antônio Fernandes S. Oliveira Network Manager - Pernambuco State Traffic Department Read the full Case Study

User logon auditing Far beyond native Windows Active Directory

Native audit logs are difficult to understand and too cumbersome to manually audit. They show hundreds of logon and logoff events for the same user throughout the day.

Only critical informationUserLock is optimized to keep only relevant access events.

Accurate reportingNo real logon/logoff reporting in native server logs. Read more here

Powerful filtering and searchUserLock excludes irrelevant data and focuses only on insightful information.

Centralizes auditingUserLock makes it easy for network-wide auditing.

ScalableUserLock works the same whether you have 100 or 100,000 users.

Tamper-ProofWith UserLock, all administrators activity is stringently audited and securely archived. Read more here

Auditing alone isn’t enough for organizations serious about protecting access to their network. As a micro client server application, UserLock can also go far beyond auditing:

  • Monitor in real-time all access events to alert on and react to suspicious access. Read more here.
  • Enforce logon controls to better protect against unauthorized access. Read more here.
  • Eliminate unmanaged concurrent logins to accurately identify a user and make them accountable for any malicious activity. Read more here.

"The reality is simple: If you suspect that your network has been compromised, the built-in tools provided by Microsoft aren’t going to be much help. Trying to find the culprit using Event Viewer is like looking for a needle in a haystack."

Windows IT Pro Magazine Windows IT Pro Magazine

Download UserLock

VersionSupported systems
Windows XP | Windows Server 2003 | Windows Vista | Windows Server 2008 | Windows 7 | Windows Server 2008 R2 | Windows 8 | Windows server 2012 | Windows 8.1 | Windows Server 2012 R2 | Windows 10 (64 bits computers included) | Windows Server 2016

Demo restriction : 30-day full version with no user limits

Scroll to top