Monitor user activity on Windows Server Network

Monitor user activity across a Windows Server-based network is key to knowing what is going on in your Windows environment. User activity monitoring is vital in helping mitigate increasing insider threats, implement CERT best practices and get compliant.

However, it is important to stress that without multi-factor authentication, enhanced user access controls or the ability to filter and alert on specific access events, the monitoring has limited use. This post outlines how UserLock (a unique enterprise solution) can provide organizations with the controls, insight, and response that is needed to effectively monitor a Windows network user activity.

Monitor user activity in real-time

monitor user activity realtime

UserLock extends the way a user’s access is verified with multi-factor authentication and layers of additional security controls and restrictions (location, time, stopping concurrent sessions). With multi-factor authentication in place, and restrictions set, UserLock monitors and records all login and session events, across all session types (workstation, terminal, interactive, Internet Information Services (IIS), Wi-Fi and VPN), in real-time. It provides a log of access information and detailed insights on who is connected, from which system(s), since what time, for how long (etc).

  • Server reports (pictured above) present this real-time information to give an instant overview of user activity. Database reporting uses this real-time data to generate reports based on a particular time range.
  • Predefined reports include session history (detailed connection list: logon, lock, unlock, logoff instances, users, domains, workstations, etc…), and session statistics (total login, total connection time and average time per session for a given user and period).

The ‘Configuration Section’ groups the specific criteria available for a selected report:

user session activity configuration report

Detect & evaluate users’ suspicious logon Activity

user-status to evaluate logon activity

risk indicator inappropriate network access

By correlating each user’s access events with their customized access controls, UserLock’s real-time monitoring includes a ‘User Status‘ to help administrators better detect and evaluate suspicious network access behavior at a glance.

The status assigned to each user evolves according to the user’s activity when accessing or attempting to access the network. Activity deemed as risk or high risk is clearly flagged, alerting administrators in real-time about inappropriate or unusual logon activities. The settings can be adapted to meet the needs of the organization.

Alerts & response when monitoring logon activity


As soon as any suspicious access event is detected (e.g. failed logon attempts, attempts to log on to default accounts, activity during nonworking hours…), UserLock automatically alerts the administrator (pop-ups or email), offering IT the chance to instantly react by remotely locking, logging off or resetting the appropriate settings.

Warn users to activity from compromised credentials

user alert compromised password activity

Warn users in real-time of all connection events involving their credentials. Many breaches initiated through phishing and other social engineering are carried out by acquiring and misusing a users credentials to secured systems. To help users protect the access (and resources) that are entrusted to them this real-time alert allows users to assess for themselves the situation and inform their IT department to action any fraudulent activity.

Monitor user activity remotely

remotely monitor user activity

The remote session administration design allows facilitation from any device, so administrators can still respond rapidly on the move using a smartphone, tablet or computer.

monitor user activity case study

With UserLock we have an effective network access management tool. It has helped simplify IT’s work by reducing between 70 and 90% the time spent monitoring and auditing network access of all users.”

Antonio Fernandes S. Oliveira, Network Manager, Pernambuco State Traffic Department, Brazil

Read the full case study here

A Free Fully Functional 30 Day UserLock Trial

UserLock is a unique enterprise solution that strengthens the defenses against internal security breaches. With restrictions set UserLock empowers IT to monitor, record and prevent inappropriate or suspicious user access activity.

Easy to deploy, UserLock is installed in minutes on a standard Windows Server.

Download now the fully functional FREE trial and see how UserLock can help you control and monitor user activity far beyond native Windows features.

Share this post :


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.

Secured By miniOrange