UserLock Documentation
UserLock Documentation
You are here: Getting started > Audit logon events

Audit logon events

UserLock detects and audits all workstation connections once the 'Desktop' agent has been deployed on machines. In the same way, terminal connections are automatically detected as the 'Desktop' agent is deployed on terminal servers (nothing is required to be installed on thin clients).

There is no need to create a new protected account to audit a user connection. It only requires the UserLock agent to be installed to start auditing connections. All user session events from protected machines are therefore audited and saved in the UserLock database.
Two consoles are available:

  • The Windows console,
  • The Web console.

Both display an instant view in real time of the sessions activity on the network monitored by UserLock.

Audited data

On a connection event of a domain user to the network, the UserLock agent transmits to the server a set of data. This set includes information on:

  • The connection type requested: Workstation, terminal, Wi-Fi,VPN, IIS.
  • The connection event type: Logon, reconnection, disconnection, logoff, lock, unlock.
  • The user: Domain, username.
  • The source: Machine or device name, IP address.

This information is retrieved by the agent itself when the connection event is submitted by the user, and sent encrypted to the UserLock server, which determines the time of the connection request and saves all in its database. Thus all user connection information performed on agent hosts are collected and stored centrally.


All user connection information transmitted by the agent are audited and saved centrally in a database. Information stored can be used to generate predefined reports directly from the console.

  • Session history: The detailed list of every connection (logon, lock, unlock, disconnection, logoff, users, machines, domains, etc.) available for all session types.
  • User status history: The list of status changes for every user and the reasons.
  • Session statistics: The total number of sessions, the total time and average time per session for a user on a defined period.
  • Session count evolution: Changes in the number of all the interactive sessions open on the network.
  • Two additional reports for Wi-Fi/VPN sessions: History and statistics with additional relevant filters.
  • The ability to view raw data in table format from the database.
  • A tool view allowing you to submit an SQL query from the console itself.

These reports and tools can be executed on-demand as on a scheduled way to obtain a result in the main existing types of export (PDF, XLS, HTML, CSV, etc…) and the ability of sending it by E-mail. The database is in free access allowing administrators to use a third-party tool to perform additional analysis directly from database records.

A specific use case is available here to discover reports and give you a step-by-step guide on how to obtain - on demand - a PDF report of the previous week's connection hours for a specific user and how to schedule the same report to receive it by E-mail.