Audit Active Directory user logon events

Record all Windows user logon events with a centralized, filterable audit across your Active Directory network.

  • Get accurate insights
  • Meet compliance requirements
Start a free trial Book a Demo
Audit and report

Audit all Active Directory user logon activities

Now, you can record and report on every user connection event and logon attempt to a Windows domain network with UserLock.

Audit Active Directory user login history

Powerful filters allow you to report on exactly the information you need, including:

  • User logon events
  • All user session history
  • Administrator actions
  • Need something else? Set up custom reports.
UserLock Report

Connection event type



Logon, Logoff, Lock/Disconnection, Unlock/Reconnection, Logon Denied.

Session Type



Workstation, Terminal, Total Interactive, Wi-Fi, VPN, IIS.

The user



Domain Name, User Name.

The source



Workstation Name, Machine or Device Name, IP Address, Port Name, Server Name.

The time



Logon time, Logoff time, Lock time, Unlock time, Time Logon Denied, Total Session Time.

Read more on how UserLock collects audited data

"UserLock has helped simplify IT’s work by reducing between 70 to 90% the time spent monitoring and auditing network access for all users."

Antônio Fernandes S. Oliveira Network Manager - Pernambuco State Traffic Department Read the full Case Study

User login activity Audit all session history

  • Logon/Logoff activity on Interactive Sessions All workstation and terminal session activity.
  • Logon/Logoff activity on Wi-Fi Sessions All wireless network activity.
  • Logon/Logoff activity on VPN Sessions All remote access VPN connection activity.
  • Logon/Logoff activity on IIS Sessions All session activity on Microsoft IIS Servers (E.g. Web apps such as Outlook Web Access).
  • Logon/Logoff activity by User, Group or OU All activity (Logon time, Logoff time, Logon Duration, Session Type…) for one or many users.
  • Last Logon Logoff Report Review date and times across all session types.
  • Machine Activity Report All activity (Logon time, Logoff time, Logon Duration, Number of sessions, Last session…) from a shared machine.

08:27 AM

Logon Workstation Session Claire CARTER WKS061  -

08:31 AM

Logon IIS Session Jimmy CROSS WKS067  -

08:35 AM

Logon WI-FI Session Liang KO WKS041  -

09:00 AM

Total session count is now 917

09:28 AM

Terminal Session Logon Claire CARTER VES1/WKS061  -

09:52 AM

Logon VPN Session Robyn WELDO WKS093  -

09:52 AM

Last Logon Report - Finance Group 15 users from The Finance Group are now logged on

10:03 AM

Lock Workstation Session Ubwa FREY WKS070  -

10:21 AM

Logoff IIS Session Total duration time of 1hr 50mins
Jimmy CROSS WKS067  -


Audit all denied and suspicious access

  • Concurrent Session Report All domain users with simultaneous sessions opened.
  • Logon Denied by Windows All access rejected by Windows – includes multiple logon failure attempts.
  • Logon Denied by UserLock Contextual restrictions to help verify authenticated users identity. Access rejected due to an unauthorized: Machine or IP address Session type Timeframe or Quota Number of concurrent sessions Number of initial access points

05:03 PM

Permitted to a single point of entry Workstation Logon denied by UserLock restriction Liang KO WKS055  -

05:08 PM

Multiple logon failure attempts Workstation Logon denied by Windows Namie MAEKAWA WKS012  -

05:41 PM

Unauthorized Session Type Wi-Fi Session Logon denied by UserLock restriction Thomas LEACH WKS001  -

05:59 PM

Deny Concurrent Sessions Workstation Logon denied by UserLock restriction Ajeya SINGH WKS056  -

06:12 PM

Unauthorized machine VPN Logon denied by UserLock restriction Carrie RHODES WKS047  -

07:55 PM

Unauthorized working hours Workstation Logon denied by UserLock restriction Todd DAVIS WKS099  -

"UserLock provides detailed reports at a level that can be used to track down security threats, support forensic and legal investigations and prove regulatory compliance."

OVUM Analyst Review OVUM Analyst Review

Go beyond Native Windows user login history auditing

Native Windows audit logs are hard to understand and take time to manually audit. Plus, they show hundreds of user logon / logoff events for the same user throughout the day.

UserLock allows you to check Windows user login history with:

Only critical information

Audit only relevant user access events, meaning you get rid of the noise.

Accurate reporting

True real logon / logoff reporting, unlike native Windows server logs. Read more here

Powerful filtering and search

Exclude irrelevant data and focuses only on actionable, relevant information.

Centralized auditing

Easily accomplish network-wide auditing.


Audit easily, whether you have 100 or 100,000 Active Directory users.

Tamper-proof data

Audit and securely archive all Active Directory administrator activity. Read more here

Auditing alone isn’t enough for organizations serious about protecting access to their network. As a micro client server application, UserLock can also go far beyond auditing:

  • Apply granular multi-factor authentication (MFA) to ensure only the right users gain access. Read more here.
  • Monitor in real-time all access events to alert on and react to suspicious access. Read more here.
  • Enforce logon controls to better protect against unauthorized access. Read more here.
  • Eliminate unmanaged concurrent logins to accurately identify a user and make them accountable for any malicious activity. Read more here.

"The reality is simple: If you suspect that your network has been compromised, the built-in tools provided by Microsoft aren’t going to be much help. Trying to find the culprit using Event Viewer is like looking for a needle in a haystack."

Windows IT Pro Magazine Windows IT Pro Magazine

Use case example

Active Directory User Login History

Get and schedule a report on all access connection for an AD user. Trace all activity on any account to an individual user – the complete history of logon of any user in the domain.

Read more Watch video

Help Net Security « The attention to detail that IS Decisions has shown when planning the account logon rules can also be seen in the built-in reporting mechanism. The software collects a wide range of usage patterns per each user account and you can generate a report based on every one of these parameters. »

Read the HelpNet Security Review

Simplify compliance audits to meet requirements

Support compliance requirements with accurate information about who connected, from where, at what time, and for how long to comply with major regulations. Learn more about Active Directory user logon event auditing needs for PCI DSS, ISO 27001, NIST 800-53, SOX and HIPAA.

Get custom reports on Windows user logon events

UserLock records all Windows user logon events into an ODBC database for reporting. Filter and sort the audit to show only the results you need. Schedule and view custom Windows user access reports directly from the console, send reports to specified recipients, or print and export in several file formats.