Audit Active Directory user login history

AD user login history auditing with ADAudit Plus

What is AD user login history auditing?

AD records logon events across DCs, member servers, and workstations, but those records are stored locally on each machine. Retrieving a complete logon history for a single user means collecting and correlating logs from every system they touched, which is neither fast nor reliable when done manually.

ADAudit Plus aggregates logon data from every monitored system and presents it as a report. You can see every system a user accessed, the time and source IP address of each logon, the number of failed attempts, and whether any session is currently active, all without logging into individual DCs or running scripts.

• Consolidated logon history across all DCs, member servers, and workstations.
• Source IP address, client hostname, and DC recorded for every logon event.
• Successful logons, failed attempts, logon duration, and logoff times in one view.
• Currently active sessions visible in real time across the domain.

Audit logon events across your domain

A complete logon audit goes beyond tracking when someone logged in. You need to know which systems they logged into, whether they were active on multiple machines simultaneously, and whether sessions terminated cleanly. ADAudit Plus provides named reports for every logon scenario across the domain.

• The User's Last Logon report shows the most recent logon time per user across all monitored systems, useful for identifying stale accounts that remain enabled.
• Users logged into multiple computers surfaces accounts with concurrent or recent sessions on more than one machine, flagging potential credential sharing or unauthorized access.
• Remote Desktop Services Activity captures every RDP session (connection, disconnection, and termination) with client IP and session duration.
• RADIUS Logon History (NPS) aggregates all NPS authentication events, covering wireless logons that would otherwise require a separate log source.
• User Work Hours shows the active hours each user spent logged on to workstations.

 

 

Use machine learning to identify unusual logon failure volumes, abnormal logon times, first-time host access, and other suspicious activity.

Extend auditing to hybrid and cloud environments

Your on-premises logon events live in Windows Security logs, while Microsoft Entra ID sign-in events live in the cloud. Correlating them for a single user means accessing two separate administrative interfaces and reconciling different event formats manually, and native tools provide no mechanism to bridge that gap.

ADAudit Plus bridges this gap. The Hybrid Logon Activity report surfaces sign-in events for hybrid users from both on-premises AD and Microsoft Entra ID in a single view. You see the full authentication picture for any user, including which application they authenticated to, whether MFA was enforced, what Conditional Access policy applied, and the geo-location of each cloud sign-in.

• Entra ID Logon Activity includes geo-location, device information, MFA result, and Conditional Access outcome alongside the standard who-when-where detail.
• Logon Activity by Legacy Authentication identifies sign-ins using older protocols that bypass MFA enforcement, a persistent security gap in hybrid environments.
• Risk detection reports (impossible travel, anonymized IP, password spray attack, leaked credentials) surface Entra ID Identity Protection signals in the same console as on-premises logon data.

 

 

Gain complete visibility into logon activity across your AD and Entra ID environments.

Detect anomalous logon behavior with user behavior analytics (UBA)

Not every threat announces itself with a lockout or a failed logon flood. An attacker using valid stolen credentials may log in once, at a slightly unusual time, from a machine the user has accessed before: nothing that crosses a static threshold. ADAudit Plus builds a machine learning baseline of each user's normal logon behavior and alerts when that baseline is broken.

• Unusual Logon Activity Time flags a logon that falls outside the hours that user normally authenticates, calibrated per individual, not a domain-wide schedule.
• Unusual Volume of Logon Failure identifies a spike in failed attempts for a specific user, distinguishing a genuine brute-force attempt from routine mistyped passwords.
• First Time Host Accessed by User surfaces the first-ever logon by a user to a host they have never accessed before, a lateral movement indicator when seen alongside other anomaly signals.
• Unusual Volume of Lockout detects when lockout frequency across the domain exceeds its learned baseline, covering coordinated lockout activity that might otherwise look like isolated incidents.

 

 

Use machine learning to uncover suspicious logon behavior, including unusual logon failure volumes, abnormal logon times, first-time host access, and more.

Get real-time alerts on critical logon events

Logon history is useful for investigation. Alerting is what stops an incident from becoming a breach. ADAudit Plus ships with pre-configured alert profiles for critical logon events, and every alert is built around what you can actually do with it.

• When an account lockout occurs, your team receives an immediate notification so the lockout is investigated.
• A disabled account logon attempt triggers an alert the moment it happens, catching credential replay attacks or unauthorized re-enabling of accounts before access is gained.
• Replay attack detection surfaces Kerberos ticket replay events in real time, giving you the affected account name, DC, and event timestamp needed to contain the threat.

When an alert fires, ADAudit Plus can automatically create a ticket in ServiceNow, Jira, or your preferred ITSM platform, so the responsible team is notified without manual intervention.

Meet compliance requirements with ease

Logon audit trails are a requirement across every major compliance framework. Auditors want to know who accessed what system, when, and whether access was authorized. ADAudit Plus maps its logon reports directly to SOX, HIPAA, PCI-DSS, FISMA, GLBA, GDPR, and ISO 27001 requirements, so the evidence is ready when the audit begins.

Custom report profiles let you save a specific combination of user, audit action, and filter as a recurring view, so the same compliance report that previously took hours to assemble manually can be scheduled for automatic delivery to auditors or compliance officers on a weekly or monthly basis. Every logon report is exportable in CSV, PDF, HTML, or XLSX format and can be scheduled for email delivery without requiring the recipient to have product access.

Why native tools fall short for logon history

Windows records logon events through Security event logs, but those logs are stored locally on each DC, member server, and workstation. Retrieving the complete logon history for a single user means collecting and correlating logs from every system they accessed, a process that does not scale beyond a handful of machines and produces no consolidated output.

Native tools can tell you that Event ID 4624 recorded a successful logon on a specific DC. They cannot tell you whether that user is currently logged into three other machines, what caused their account to lock out, or whether their logon time yesterday was outside their normal pattern.

• Security event logs are per-machine and stored locally, so there is no built-in mechanism to query logon history for a single user across all DCs simultaneously.
• Event Viewer has no baseline awareness, so it cannot distinguish a logon at an unusual hour from the same user's routine logon time.
• PowerShell scripts can aggregate logs across DCs, but require scheduled execution, produce no real-time alerting, and leave compliance reporting as a manual task.

ADAudit Plus bridges these gaps by centrally collecting logon data from every machine, retaining it beyond the native log window, and making it searchable and reportable from a single console. It also includes built-in lockout root cause analysis, hybrid logon correlation, and UBA-driven anomaly detection.