Active Directory User Login History – Audit all Successful and Failed Logon Attempts

report session history

The ability to collect, manage, and analyze logs of login events has always been a good source of troubleshooting and diagnostic information. Logons are the one common activity across nearly all attack patterns. They provide one of the clearest indicators of compromise to help protect company data and thwart attacks. The need to provide a centralized and searchable audit on all active directory user login history is also a mandatory component of many security standards and governance policies.

UserLock means you can be sure to quickly obtain the audit events needed and avoid an event log tsunami:

  1. All access events (from both Windows and Mac Users) on all machines and devices, across all different session types (Interactive, Wi-Fi, VPN and IIS) are saved in real-time within a database to provide a central audit across the network.
  2. Powerful filtering and search allow you to focus only on insightful information.
  3. UserLock is sufficiently scalable, meaning it works the same whether you have 100 or 100,000 users.
  4. UserLock is tamper-proof – unlike the ease of wiping logs in native Active Directory. With UserLock, all administrator activity is stringently audited and securely archived.
  5. Installation of UserLock takes minutes and can be done on any server member of the domain. There is no requirement to use a Domain Controller Server.
  6. UserLock is a non disruptive technology that won’t frustrate you. As a client server application it works alongside Active Directory to extend, not replace security. No modifications are made to Active Directory or its schema.

What’s more, UserLock can set-up multi-factor authentication for all Active Directory user logins. Compatible with both authenticator applications and hardware keys such as YubiKey or Token2, UserLock further protects every login to the network across the entire organization.

Download a free fully functional 30-Day trial of UserLock.   


Comprehensive reports on every session access event

When it comes to a full history of all domain user login behavior, UserLock collects a wide range of event parameters per each domain account. Each of these parameters can be added to reports and filtered on to generate your own historical report. All successful and failed logon attempts can be included. The reason for rejected logons by both Active Directory and UserLock’s own restrictions are also detailed.

Privileged users can also be closely monitored. A full history of all system and admin user logins helps protects both the organisation and the admin. For example, if ever there were an incident, the admin could easily demonstrate that it was not him or her that used the admin account or service account to access data or system.


All Active Directory User Session History:

userlock active directory user login history


Reports are configured easily in the UserLock console.

Common report filters include time parameters – especially important in terms of readability of the report. You can also audit the logs per specific entities – other than users – for example by group or OU. You can also choose to report on an archived database by changing the database target source.

active directory user login history configuration report


Schedule reports

A full report history of all login connections for a user and/or for a machine can also be easily scheduled to be sent directly to your mailbox. This is especially useful if you need to regularly review a report, for example the session history of the past week.


New predefined reports on specific types of logins and login attempts.

Report on all domain users with simultaneous sessions opened within a given day:

report concurrent logins history


Report on all session history to Microsoft IIS Servers (E.g. web apps such as Outlook Web Access):

report iis login activity


Report on all access attempts rejected by Active Directory. This includes multiple logon failure attempts:

report login attempts active directory user


UserLock’s centralized audit on all network login events allows you to easily generate detailed reports to track down security threats, support forensics and prove regulatory compliance.

But UserLock does not stop at auditing. The login is the most compelling point at which to both monitor as well as stop potentially inappropriate access from ever happening.

Through real-time monitoring and access alerts, you can add another layer to your security strategy – detection, and through UserLock’s multi-factor authentication and contextual logon restrictions (time of day, which machines, how many concurrent logins, etc.) you can prevent inappropriate use of credentials and shift the model to one of prevention.

Find out for yourself with a free fully functional 30-Day trial of UserLock.   


“Logging is refreshingly clear and easy to understand.” Read the review on UserLock

“The attention to detail can be seen in the built-in reporting mechanism” Read the review on UserLock

Share this post :


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.

Secured By miniOrange