---
title: "Manage Windows user sessions and monitor Windows Active Directory user logon events"
description: "Monitor, alert and respond in real time to all user logon events in Windows Active Directory with Windows session management."
locale: "en"
updated_at: "2025-12-04T11:12:45.323Z"
canonical: "https://www.isdecisions.com/en/userlock/features/monitor-active-directory-user-logon-logoff"
---

# Manage Windows  user sessions

Monitor, alert, and respond in real time to all user logon events in Windows Active Directory (AD) at a granular level.

- Get instant visibility into all Active Directory network access
- Track user logon activities and quickly spot risks
- Set up automatic alerts and responses to block threats
- Interact remotely with any user session from the UserLock console

## Get granular Windows session management with UserLock

#### Monitor user logons in real-time

Get instant visibility on who is accessing your network, how, and when. Monitor all session types, including: Remote Desktop, VPN, IIS, cloud, and Wi-Fi.

#### React to threats immediately

With one-click session block, interact remotely with any windows session, and warn users of suspicious events. You can also run scripts to automate responses.

#### Set up custom alerts

Get email or pop-up notifications on suspicious user activity.

#### Access session logs and reports

Track easily user activities and investigate security risks.

## Real-time Windows logon monitoring

Monitor user logons in real-time and get instant visibility into who is accessing  your network.

View all user session activity, easily view specific sessions and **track who is  connected, from where, and since** when thanks to powerful filters.

## Choose how to view Windows session information

[Learn more about UserLock’s user session views](/userlock/docs/reference/activity)

#### By connected user

- User details
- Last logoff
- Opened sessions
- And more

#### By machine in use

- Machine details
- Opened sessions
- Computer localization
- And more

## Spot and respond to Active Directory session risks quickly thanks to the risk indicator

Easily spot and respond to risks thanks to a risk indicator highlighting suspicious logon connections.

#### High risk

- Simultaneous connections from inside and outside the local network
- Frequency of denied logons exceeds a defined limit

#### Risk

- A new session is opened from an existing session with different credentials
- An attempt to open a session for an account that is locked and/or disabled in Active Directory

#### Unprotected

- A user account without the protection of UserLock’s logon control policies - and are not eligible for another risk status

#### New user

- Any new user account or a dormant account with new activity. What defines a dormant account can be customized to suit own needs

#### Inactive user

- A user account without any open sessions known by UserLock, after a certain time period (customized) in days

## Why choose UserLock’s Windows user session management

### Enhance security

Know who is logging in and when. Monitor Windows user logons in real-time to detect suspicious activities and prevent unauthorized access with granular session control policies.

### Get comprehensive visibility

See all AD user sessions and track user activities, logon times, and more.

### Control sessions remotely

Get automatic alerts and instantly respond  to potential threats. Interact remotely  with any Windows session, and warn  users of suspicious events.

## Get instant alerts on Windows user activity for IT and end users

Define active alerts for any user, group or OU  based on suspicious activity.

- Failed logon attempts
- Attempts to logon to default accounts
- Activity during non-working hours

Send alerts to one or more recipients via email or as a pop-up notification.

## Respond instantly to Windows user activity alerts

React in real-time, either directly in response to alerts or automatically. An immediate response helps reduce the risk of a security breach. Choose from a variety of ways to set up automatic, instant responses to alerts (and free up your IT team to focus on moving your business forward).

### Block user sessions with one click

Review and immediately block any suspect user accounts with just one click. This denies all further logon attempts and closes any existing sessions.

#### Remote session response

Interact remotely with any session,  open or locked, to log off users, lock or reset appropriate settings.

#### Webhooks

Integrate UserLock’s comprehensive logon data into countless other applications.

#### PowerShell integration

Expedite certain tasks and run scripts thanks to UserLock PowerShell cmdlets.

## Combine session management with context-based user access restrictions and MFA

For optimal security, use session management alongside UserLock's powerful authentication and contextual access management capabilities.

#### Multi-factor authentication (MFA)

Add an extra layer of security beyond credentials to secure the initial point of access, the logon.

#### Single sign-on (SSO)

Combine SSO with MFA to quickly, securely offer access across a hybrid environment.

#### Contextual access management

Set context-based restrictions to authorize, deny, or limit how a user can access the network.
