IS Decisions logo

IS Decisions Blog

Active Directory user login history: How to audit all successful and failed logon attempts

How to get a centralized and searchable audit on all active directory user login history. Obtain the events needed to avoid an event log tsunami.

Published December 7, 2017
Session history

The ability to collect, manage, and analyze logs of login events has always been a good source of troubleshooting and diagnostic information. Logons are the one common activity across nearly all attack patterns. They provide one of the clearest indicators of compromise to help protect company data and thwart attacks. The need to provide a centralized and searchable audit on all active directory user login history is also a mandatory component of many security standards and governance policies.

UserLock means you can be sure to quickly obtain the audit events needed and avoid an event log tsunami:

  1. All access events on all machines and devices, across all different session types (Interactive, Wi-Fi, VPN, IIS, and SaaS) are saved in real-time within a database to provide a central audit across the network.

  2. Powerful filtering and search allow you to focus only on insightful information.

  3. UserLock is sufficiently scalable, meaning it works the same whether you have 100 or 100,000 users.

  4. UserLock is tamper-proof. Unlike the ease of wiping logs in native Active Directory. With UserLock, all administrator activity is stringently audited and securely archived.

  5. Installation of UserLock takes minutes and can be done on any server member of the domain. There is no requirement to use a Domain Controller Server.

  6. UserLock is a non disruptive technology that won’t frustrate you. As a client server application it works alongside Active Directory to extend, not replace security. No modifications are made to Active Directory or its schema.

What’s more, UserLock can set-up multi-factor authentication for all Active Directory user logins. Compatible with both authenticator applications and hardware keys such as YubiKey or Token2, UserLock further protects every login to the network across the entire organization.

Comprehensive reports on every session access event

When it comes to a full history of all domain user login behavior, UserLock collects a wide range of event parameters per each domain account. Each of these parameters can be added to reports and filtered on to generate your own historical report. All successful and failed logon attempts can be included. The reason for rejected logons by both Active Directory and UserLock’s own restrictions are also detailed.

Privileged users can also be closely monitored. A full history of all system and admin user logins helps protects both the organisation and the admin. For example, if ever there were an incident, the admin could easily demonstrate that it was not him or her that used the admin account or service account to access data or system.

All Active Directory user session history

Reports are easy to configure in the UserLock console

Common report filters include time parameters, which are especially important in terms of readability of the report. You can also audit the logs per specific entities, other than users. For example, by group or OU. You can also choose to report on an archived database by changing the database target source.

Schedule reports

A full report history of all login connections for a user and/or for a machine can also be easily scheduled to be sent directly to your mailbox. This is especially useful if you need to regularly review a report, for example the session history of the past week.

New predefined reports on specific types of logins and login attempts

Report on all domain users with simultaneous sessions opened within a given day.

Report concurrent logins history

Report on all session history to Microsoft IIS Servers (E.g. web apps such as Outlook Web Access).

Report IIS login activity

Report on all access attempts rejected by Active Directory. This includes multiple logon failure attempts.

Report login attempts active directory user

Support forensics and improve compliance with UserLock

UserLock’s centralized audit on all network login events allows you to easily generate detailed reports to track down security threats, support forensics and prove regulatory compliance.

But UserLock does not stop at auditing. The login is the most compelling point at which to both monitor as well as stop potentially inappropriate access from ever happening.

Through real-time monitoring and access alerts, you can add another layer to your security strategy – detection, and through UserLock’s multi-factor authentication and contextual logon restrictions (time of day, which machines, how many concurrent logins, etc.) you can prevent inappropriate use of credentials and shift the model to one of prevention.

Try UserLock for free

  • 30-day trial
  • Full technical support
  • No credit card required
UserLock screenshot