Automatic discovery of users associated with screen names for rogue protocols. A local server associates screen names with users, updating those associations in response to the protocol. The local server intercepts protocol messages, determines if they relate to unknown users, and obtains information associating screen names with users. Policy rules are applied to all screen names for the same user in an aggregated manner. The local server sends a request to an authorization server coupled to the local network, including the IP address for that screen name. The authorization server interrogates a registry file on the user workstation to obtain a GUID for that user, and from that GUID obtains a unique logon name for that user from the domain controller for a local network.