How to Monitor User Activity in Windows Computers

User activity monitoring is the process of tracking and recording user actions, such as logons, logoffs, and privilege usage, within Windows systems to detect suspicious behavior and maintain security compliance. Understanding what your users are doing in your critical systems is a crucial part of identifying potential suspicious behavior leading to security breaches. Tracking user activity provides the necessary information to spot malicious activity and stop an organization from falling prey to a potential cyberattack.

Native Active Directory auditing tools can be used to monitor user activity, but it is a time-consuming and often complex task. Lepide Auditor overcomes the limitations of native auditing by giving you the visibility you need to detect and react to insider threats quickly and efficiently.

In this article, we will look at two methods for tracking user activity: the native auditing method (Event Log) and an automated solution using Lepide Auditor.

Track User Activity in Windows Computers using Event Logs

Prerequisites

Before configuring user activity monitoring, ensure the following requirements are met:

  • Supported Windows Server Versions: Windows Server 2012 R2, 2016, 2019, or 2022
  • Administrative Permissions: Domain Admin or equivalent privileges to modify Group Policy Objects
  • Dependencies: Group Policy Management Console (GPMC) installed; Event Viewer access on target systems

Follow the steps below:

  1. Enable Audit Policy in Group Policy Management Console
    • Select Server Manager on Windows server.
    • Under the Manage tab, open the Group Policy Management console.
    • Go to Forest, Domain, Your Domain, Domain Controllers.
    • You can either edit an existing group policy object or create a new one.
    • In the Group Policy Editor, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.
      [Screenshot: Enable Audit Policy]
    • In Audit Policy, select Audit logon events and enable Success and Failure auditing.
  2. PowerShell Alternative
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
  3. Enable Logon/Logoff Auditing in Advanced Audit Policy
    • Go back to Computer Configuration. Navigate to Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policy, Logon/Logoff
      [Screenshot: Enable Logon/Logoff Auditing]
    • Next, enable Success and Failure auditing for Audit Logon, Audit Logoff, and Audit Special Logon.
    • Open the Group Policy Management console and select the GPO that you have edited or created.
      Under Security Filtering, add the users whose logons need to be tracked. You can also choose to audit every domain user’s logon by selecting All users. To audit a group of domain users, add the specific group(s).
  4. PowerShell Alternative
    auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
    auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
  5. Navigate Event Viewer to Check Security Logs
    • Open Event Viewer and navigate to Windows logs, Security.
    • Look for the event IDs:
      Event ID   Description
      4624       Account was logged on
      4634       Account was logged off
      4647       User initiated logoff
      4672       Special logon
      4800       Workstation was locked
      4801       Workstation was unlocked

      [Screenshot: Native Event Logs]

  6. Filter Logs by Event ID or Time Range
    • Click Filter Current Log on the right side to filter the logs based on event IDs or the time range for which the information is required.
      [Screenshot: Filter Event Logs]
    • System admins have to go through the list of logon times and identify suspicious patterns if any. This is a tedious and error-prone process as there is a high chance that some logs may be overlooked.
  7. PowerShell Alternative to Query Events:
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" | Select-Object -First 50
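As an added example (this script is not from the original article or from Lepide), here is a PowerShell version of steps 2 through 7 above in one place: it enables the same three subcategories with auditpol, reads the listed event IDs from the Security log for the last 24 hours, extracts the user and logon type from each event's XML payload, filters out machine and SYSTEM accounts, and summarizes activity per user plus off-hours interactive logons. The logon type names come from the standard documentation for event 4624; the 24-hour window and the off-hours range (before 07:00 or after 19:00) are assumptions, not values from the page. Run it in an elevated session on the machine whose Security log you want to inspect (a domain controller for domain logons, a workstation for local logons).

```powershell
# Added example (not from the original article): enable the logon/logoff audit
# subcategories from the steps above, then pull the listed event IDs from the
# Security log and summarize them per user. Run in an elevated PowerShell session.

# 1. Same subcategories the GPO steps enable; auditpol is a built-in Windows tool.
foreach ($sub in 'Logon', 'Logoff', 'Special Logon') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. The event IDs listed in the table above, with the meaning the article gives them.
$eventMeaning = @{
    4624 = 'Account was logged on'
    4634 = 'Account was logged off'
    4647 = 'User initiated logoff'
    4672 = 'Special logon'
    4800 = 'Workstation was locked'
    4801 = 'Workstation was unlocked'
}

# Logon type codes as documented for event 4624 (assumed knowledge; not on the page).
$logonType = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# 3. Query the last 24 hours (assumed window). -FilterHashtable lets the event
#    log service do the filtering instead of piping every Security event through
#    Where-Object, which matters on a busy domain controller.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($eventMeaning.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

# 4. Each event carries its fields as <EventData> in the XML payload; read them
#    by name rather than by position, since positions differ between event IDs.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Meaning   = $eventMeaning[$e.Id]
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = if ($data['LogonType']) { $logonType[[int]$data['LogonType']] } else { '' }
        SourceIp  = $data['IpAddress']
    }
}

# 5. Drop machine accounts (names ending in $) and the built-in SYSTEM logons,
#    which otherwise dominate the list and hide human activity.
$human = $rows | Where-Object { $_.User -and $_.User -notmatch '\$$' -and $_.User -ne 'SYSTEM' }

# 6. Summaries an administrator actually looks at: event count per user, and
#    interactive or RDP logons outside the assumed working hours (07:00-19:00).
$human | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

$human | Where-Object {
    $_.EventId -eq 4624 -and
    $_.LogonType -in @('Interactive', 'RemoteInteractive') -and
    ($_.Time.Hour -lt 7 -or $_.Time.Hour -ge 19)
} | Sort-Object Time | Format-Table Time, User, Domain, LogonType, SourceIp -AutoSize
```

The second table is the one that turns the raw log into something reviewable: a 4624 with logon type 10 at 03:00 from an address you do not recognize is worth a look, whereas the thousands of type 3 network logons generated by file shares and scheduled tasks are not. Adjust the hours and the account filter to your environment before relying on it.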

Common Native Auditing Issues and Troubleshooting

  • Missing Events
    Cause: Audit policy not applied or GPO not linked correctly
    Solution: Run gpresult /h report.html to verify applied policies; ensure the GPO is linked to the correct OU
  • Log Overflow
    Cause: Security log size limit reached; older events overwritten
    Solution: Increase the log size via Event Viewer properties or configure log archiving
  • GPO Replication Delays
    Cause: Changes not yet replicated across domain controllers
    Solution: Run gpupdate /force on target machines or wait for the replication cycle
  • Events Not Appearing on Workstations
    Cause: Audit policy configured only for Domain Controllers
    Solution: Apply the audit policy to workstation OUs or use Advanced Audit Policy targeting
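The checks behind the troubleshooting table above, as an added example that is not part of the original article: it reads the effective audit policy on the host with auditpol (a linked GPO means nothing until the setting is actually in effect on the target), lists and refreshes the applied GPOs when a subcategory is missing, and then compares the Security log's configured maximum with how much time its current contents span, raising the size when it is too small. auditpol, gpresult, gpupdate and wevtutil are built-in Windows tools; the 1 GB target size is an assumption, not a value from the page. Run it in an elevated session on the machine whose events are missing.

```powershell
# Added example (not from the original article): verify that the Logon/Logoff
# audit settings are in effect on this host and that the Security log will not
# wrap before the events are reviewed. Requires an elevated session.

# 1. Effective audit policy. 'No Auditing' here means the setting never arrived
#    (GPO linked to the wrong OU, replication not yet complete, or a policy that
#    targets only Domain Controllers while this host is a workstation).
$expected = 'Logon', 'Logoff', 'Special Logon'
$status = foreach ($sub in $expected) {
    # /r prints the result as CSV with 'Subcategory' and 'Inclusion Setting' columns
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    [pscustomobject]@{ Subcategory = $sub; Setting = $row.'Inclusion Setting' }
}
$status | Format-Table -AutoSize | Out-Host

$missing = $status | Where-Object Setting -ne 'Success and Failure'
if ($missing) {
    "Subcategories not fully audited: $($missing.Subcategory -join ', ')"
    # Which GPOs actually applied to this computer, in processing order
    gpresult /scope computer /r
    # Pull policy again now instead of waiting for the next refresh cycle
    gpupdate /target:computer /force | Out-Null
}

# 2. Security log capacity. The log is a circular buffer by default, so once it
#    is full the oldest events are overwritten. Compare the configured maximum
#    with how much time the current contents actually cover.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$hours  = ((Get-Date) - $oldest.TimeCreated).TotalHours
"Security log: {0:N0} MB maximum, mode {1}, {2:N0} records spanning {3:N1} hours" -f `
    ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $log.RecordCount, $hours

# 3. Raise the maximum if it is below the assumed 1 GB target. Size it so the log
#    covers your review interval (plus any forwarding delay) without wrapping.
$targetBytes = 1GB
if ($log.MaximumSizeInBytes -lt $targetBytes) {
    wevtutil sl Security /ms:$targetBytes
    "Raised Security log maximum size to $($targetBytes / 1MB) MB"
}
```

The "hours spanned" figure is the number to watch: if a domain controller's Security log only covers a few hours, any review that is not continuous will miss events regardless of how the audit policy is configured, and forwarding to a collector or SIEM becomes the real fix rather than a larger local log.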

Monitor User Activity in Windows Computers Using the Lepide Auditor

Lepide Auditor for Active Directory overcomes the complexity of the native method by providing a straightforward way to identify suspicious insider activity in Active Directory through Logon/Logoff Reporting and the Permissions Modification Report.

Lepide Auditor for Active Directory includes several Logon/Logoff reports to track logon activity. Two of these reports are Failed User Logon and Successful User Logon/Logoff Reports.

Event Logs for Failed Logons

How to run the Failed Logon Report:

  • Click the User & Entity Behavior Analytics icon and select Active Directory Reports, Logon/Logoff Reports, Failed Logon
  • Select a Date Range and click Generate Report
  • The report is generated and can be sorted, filtered, grouped, saved, and exported.

Successful Logon Logoff

How to run the Successful User Logon/Logoff Report:

  • Click the User & Entity Behavior Analytics icon and select Active Directory Reports, Logon/Logoff Reports, Successful User Logon/Logoff
  • Select a Date Range and click Generate Report
  • The report is generated and can be sorted, filtered, grouped, saved, and exported.

Native Event Logs vs. Lepide Auditor: Comparison

  • Setup Complexity
    Native Event Logs: Moderate – requires GPO configuration and Event Viewer knowledge
    Lepide Auditor: Low – guided setup wizard with pre-configured policies
  • Time Investment
    Native Event Logs: High – manual log review and correlation required
    Lepide Auditor: Low – automated report generation and alerting
  • Scalability
    Native Event Logs: Limited – difficult to manage across large, distributed environments
    Lepide Auditor: High – centralized console for enterprise-wide monitoring
  • Reporting Capabilities
    Native Event Logs: Basic – manual filtering and export to CSV
    Lepide Auditor: Advanced – pre-built reports, scheduling, and multiple export formats

Frequently Asked Questions

What are the limitations of native Windows auditing?

Native auditing requires manual log review, lacks centralized reporting across multiple systems, and can generate overwhelming volumes of data that make identifying threats difficult without additional tools.

How long are Windows event logs retained by default?

By default, the Security log is set to overwrite events as needed when it reaches its maximum size (typically 20 MB). Organizations should configure log retention policies or forward logs to a SIEM for long-term storage.

What is the best approach for large environments?

For enterprises with hundreds or thousands of endpoints, automated solutions like Lepide Auditor provide centralized visibility, pre-built reports, and real-time alerting that scale effectively across distributed environments.
