Hello, It's pretty much real time. There are some time gaps, but it should not be noticeable by a user. A user logging into the domain adds an event to the DC. As long as User-ID is reading those security logs, the first time the user goes through the firewall it will check with User-ID. That will have already read the log and have the user's IP mapping cached, so the very first request will already have the user name to IP mapping. If two or more users are logged into the same computer (like a terminal server), the most recent user will overwrite the mapping for the previous user. For that reason, you should run the Terminal Server Agent on all systems that have multiple users logging in to them. The Terminal Server Agent will dole out source port ranges to each user that logs in, and that mapping will let the firewall know who is generating that request. Bringing a computer off standby *should* generate a domain controller security event as well. If there is no event, User-ID (at least the 4.1 version, I'm not sure about the 3.1 version) has a couple options: a WMI probe, or a NetBIOS query. If you have those enabled in User-ID, it will try WMI first and NetBIOS as a last-ditch effort. If those are not enabled or fail, the user will be unknown. You can also enable a Captive Portal for devices that do not join the domain. Hope this helps! Greg
... View more