Audit and report On Active Directory User Login Events

UserLock records and reports on all user connection events to provide a central audit across the whole network — far beyond what Microsoft includes in Windows Server and Active Directory auditing.

Start a free trial Book a Demo
Audit and report

Active Directory User Login History A comprehensive audit for accurate insights

UserLock records and reports on every user connection event and logon attempt to a Windows domain network.


Try UserLock — Free trial now

30-day full version with no user limits

UserLock Report

Connection event type



Logon, Logoff, Lock/Disconnection, Unlock/Reconnection, Logon Denied.

Session Type



Workstation, Terminal, Total Interactive, Wi-Fi, VPN, IIS.

The user



Domain Name, User Name.

The source



Workstation Name, Machine or Device Name, IP Address, Port Name, Server Name.

The time



Logon time, Logoff time, Lock time, Unlock time, Time Logon Denied, Total Session Time.

Read more on how UserLock collects audited data

User login activity Audit all session history

  • Logon/Logoff activity on Interactive Sessions All workstation and terminal session activity.
  • Logon/Logoff activity on Wi-Fi Sessions All wireless network activity.
  • Logon/Logoff activity on VPN Sessions All remote access VPN connection activity.
  • Logon/Logoff activity on IIS Sessions All session activity on Microsoft IIS Servers (E.g. Web apps such as Outlook Web Access).
  • Logon/Logoff activity by User, Group or OU All activity (Logon time, Logoff time, Logon Duration, Session Type…) for one or many users.
  • Last Logon Logoff Report Review date and times across all session types.
  • Machine Activity Report All activity (Logon time, Logoff time, Logon Duration, Number of sessions, Last session…) from a shared machine.

08:27 AM

Logon Workstation Session Claire CARTER WKS061  -

08:31 AM

Logon IIS Session Jimmy CROSS WKS067  -

08:35 AM

Logon WI-FI Session Liang KO WKS041  -

09:00 AM

Total session count is now 917

09:28 AM

Terminal Session Logon Claire CARTER VES1/WKS061  -

09:52 AM

Logon VPN Session Robyn WELDO WKS093  -

09:52 AM

Last Logon Report - Finance Group 15 users from The Finance Group are now logged on

10:03 AM

Lock Workstation Session Ubwa FREY WKS070  -

10:21 AM

Logoff IIS Session Total duration time of 1hr 50mins
Jimmy CROSS WKS067  -


Audit all denied and suspicious access

  • Concurrent Session Report All domain users with simultaneous sessions opened.
  • Logon Denied by Windows All access rejected by Windows – includes multiple logon failure attempts.
  • Logon Denied by UserLock Contextual restrictions to help verify authenticated users identity. Access rejected due to an unauthorized: Machine or IP address Session type Timeframe or Quota Number of concurrent sessions Number of initial access points

05:03 PM

Permitted to a single point of entry Workstation Logon denied by UserLock restriction Liang KO WKS055  -

05:08 PM

Multiple logon failure attempts Workstation Logon denied by Windows Namie MAEKAWA WKS012  -

05:41 PM

Unauthorized Session Type Wi-Fi Session Logon denied by UserLock restriction Thomas LEACH WKS001  -

05:59 PM

Deny Concurrent Sessions Workstation Logon denied by UserLock restriction Ajeya SINGH WKS056  -

06:12 PM

Unauthorized machine VPN Logon denied by UserLock restriction Carrie RHODES WKS047  -

07:55 PM

Unauthorized working hours Workstation Logon denied by UserLock restriction Todd DAVIS WKS099  -

"UserLock provides detailed reports at a level that can be used to track down security threats, support forensic and legal investigations and prove regulatory compliance."

OVUM Analyst Review OVUM Analyst Review

Use case example

Active Directory User Login History

Get and schedule a report on all access connection for an AD user. Trace all activity on any account to an individual user – the complete history of logon of any user in the domain.

Read more Watch video

Help Net Security « The attention to detail that IS Decisions has shown when planning the account logon rules can also be seen in the built-in reporting mechanism. The software collects a wide range of usage patterns per each user account and you can generate a report based on every one of these parameters. »

Read the HelpNet Security Review

Auditingfor regulatory compliance

Accurate information about who was connected, from which system(s), at what time and for how long they were active is necessary for compliance with major regulations. Learn more about logon auditing needs for PCI DSS, ISO 27001, NIST 800-53, SOX and HIPAA.

Custom reportsMakes analysis easy

UserLock records all access events into an ODBC database for reporting. Filter and sort the audit to show only the most pertinent results for your organization. Choose to schedule and view reports directly from the console, send reports to specified mailboxes or print and export in several file formats.

"UserLock has helped simplify IT’s work by reducing between 70 to 90% the time spent monitoring and auditing network access for all users."

Antônio Fernandes S. Oliveira Network Manager - Pernambuco State Traffic Department Read the full Case Study

User logon auditing Far beyond native Windows Active Directory

Native audit logs are difficult to understand and too cumbersome to manually audit. They show hundreds of logon and logoff events for the same user throughout the day.

Only critical information

UserLock is optimized to keep only relevant access events.

Accurate reporting

No real logon/logoff reporting in native server logs. Read more here

Powerful filtering and search

UserLock excludes irrelevant data and focuses only on insightful information.

Centralized auditing

UserLock makes it easy for network-wide auditing.


UserLock works the same whether you have 100 or 100,000 users.


With UserLock, all administrators activity is stringently audited and securely archived. Read more here

Now Available in UserLock 11.2

Get the New, Intuitive UserLock Web App

Monitor and respond to network sessions quickly, easily, and from anywhere with the all new UserLock Web App.


New UserLock Web App

Auditing alone isn’t enough for organizations serious about protecting access to their network. As a micro client server application, UserLock can also go far beyond auditing:

  • Monitor in real-time all access events to alert on and react to suspicious access. Read more here.
  • Enforce logon controls to better protect against unauthorized access. Read more here.
  • Eliminate unmanaged concurrent logins to accurately identify a user and make them accountable for any malicious activity. Read more here.

"The reality is simple: If you suspect that your network has been compromised, the built-in tools provided by Microsoft aren’t going to be much help. Trying to find the culprit using Event Viewer is like looking for a needle in a haystack."

Windows IT Pro Magazine Windows IT Pro Magazine


Request a personalized demo now

Discover how UserLock can help you meet your needs.

Secure Active Directory Credentials with Multi-Factor Authentication (MFA)

Read More

Download UserLock

The trial version offers:

  • 30-day full version
  • no user limits
  • free technical support

Supported systems

Release Date : 3/28/2023
Version : UserLock 11.2.3
What's new in this version ?

Please read the Beta Testing Procedure before installing this version.

The beta version includes:

  • 30-day full version
  • no user limits
  • free technical support

Release Date : 5/26/2023
Version : UserLock 12 beta 2
What's new in this version ?

Supported systems