The text explores the benefits and applications of User Access Logging (UAL) in forensic investigations on Windows Server systems, highlighting its capability to record user access to services along with associated IP addresses and usernames. UAL is a default feature in Windows Server editions starting from 2012, which logs client access requests, providing valuable data for forensic analysis by identifying anomalous access patterns through combinations of usernames, source IPs, and accessed services. Despite its potential, UAL is underutilized in the forensic community, with many tools not parsing its databases. The text emphasizes the importance of UAL in scenarios where other logs are unavailable, as it maintains up to three years of historical data, making it instrumental in uncovering the origins and paths of suspicious activities across network systems. The article also discusses how UAL can be leveraged at scale to detect lateral movement by threat actors and offers insights into tools available for parsing UAL data, urging further research and integration into forensic practices.