1. Install UserLock on a server

    First, install UserLock either on a member server of the domain to be protected or on a domain controller.
    Install UserLock on a server
  2. Install the Web console

    If IIS is installed on the server, the setup will prompt you at the end of the installation to install the Web administration console. Select the IIS Web site and click Install in the “UserLock Web interface” section. The URL will be: http://SERVERNAME/UlAdmin
    When done, click Finish.

    Web Console Installation
  3. Configuration Wizard - Welcome page

    The UserLock Configuration Wizard then starts so that you can configure basic service settings. Click Next.
    Configuration Wizard
  4. Configuration Wizard – Server Mode Selection

    Select primary server as the UserLock server type and click Next.
    Server Type
  5. Configuration Wizard – define protected network zone

    Define the network zone you intend to protect. You can choose the whole Active Directory, a domain or an organizational unit. Then click Next.
    Protected Zone
  6. Configuration Wizard – set login/password for the UserLock service

    The UserLock service has its own deployer in order to remotely install the agent on all workstations in the protected zone. The service therefore needs to be started with an account with administrative rights on all computers to be protected. Select “The following account” and enter the account you want to use as a service account. Then click Next in order to automatically configure and start the UserLock service.
    Service Account
  7. MMC console

    When you click Finish in the Configuration Wizard, the MMC administration console is automatically displayed, but for all the next steps we will switch to the Web console. Most settings can be configured in the same way from both consoles.
    MMC console
  8. Web console – Agent Distribution

    In the Web console, first go to Agent Distribution and select a few workstations on which to install the agent by clicking on the Deploy button.
    Web Console Agent Distribution
  9. Install the agent on a few workstations

    Once the agent has been successfully installed, click on Back and select these workstations again (the agent status is Installing/waiting for reboot), then click on Reboot. When these workstations have been rebooted, you can refresh the Agent distribution view with the Refresh button and the agent status should now be Installed for these workstations.
    Deploy The Agent
  10. Open a session on a workstation

    You can now try and open a session on one of those workstations. Once the session is open, go into the User sessions tab from the Web console and check that the new session is displayed.
    Session In Console
  11. Create a protected account for Everyone

    No restrictions are defined by default in UserLock, so you need to create protected accounts. Go into the Protected Accounts tab, click on Add and then create (for example) a protected account for Everyone.
    Create Protected Accounts
  12. Grant a single session only

    The protected account for Everyone has been created and you can click on the active link to display properties. You can then set the number of Total Allowed Sessions to 1 and click OK.
    Limit To One Session
  13. Second session is denied

    You can now try and open a second session with the same account on a second workstation with the agent installed. You get a message denying access to the network.
    Second Session Denied
  14. Allow users to log off their previous session and enable the welcome message

    Display properties of the Everyone protected account again, select: “Allow to logoff an existing session if the number of allowed sessions has already been reached.” and select “Display the welcome message”. Click OK.
    Logoff Previous Welcome Message Config
  15. Previous session logoff dialog box displayed to the user

    Try to log on again with the same account and on the same workstation. Now a dialog box allowing you to log off the first session is displayed. Select the session to log off and click on Close. After a while (a little time is needed until the previous session is really closed), click on Logon in order to try and open the session again.
    Logoff Previous Session Dialog
  16. Welcome message displayed to the user

    The session is now allowed and the welcome message is displayed. You see that the information regarding the previous session is displayed and failed logon attempts are also mentioned.
    Welcome Message Displayed
  17. Log off an existing session from the administration console

    Display the User sessions tab in the administration console. You see that the new session on the new workstation is now displayed for this user. Select the session and click on Logoff.
    Administrative logoff
  18. Administrative Logoff Confirmation

    After a few seconds, a Web page mentioning that the session has been successfully logged off is displayed. Click on Back to display the User Sessions view again.
    Administrative Logoff Confirmation
  19. Display session history for a specific user

    You see that the session is gone. If this is not the case, try and refresh the view until the session is really closed. You can then display session history for this user by clicking on the active link.
    User Session History Display
  20. Session history for a user

    By doing so, the Web browser will display a report (PDF file) including comprehensive session history for the user for the past 30 days. You see all logon/logoff events, all lock/unlock events, and all failed logons during this period.
    User Session History Report
  21. Start automatic deployer

    Now that you know how the basic features work, you can deploy the agent on all your workstations by starting the automatic deployer. Workstations are not rebooted by default, so the agent will only be effective after the next reboot.
    Automatic Deployer
  22. Configure Workstation Restrictions

    We now move to some more advanced features. If you want some users or groups of users to only be allowed to log on from a specific set of workstations, you can specify this in the Workstations Tab of the protected account properties. You can specify allowed computers by name or by IP ranges, or specify denied machines in the same way.
    Workstation Restrictions
  23. Configure hours restrictions

    In the Hours tab, you can define the time frames allowed for users on a weekly basis. Outside these time frames, logons will be denied and sessions still open will be closed after a notification. If needed, you can change the notification timeout.
    Time Restrictions
  24. Logoff Notification

    You see here the logoff notification displayed to the user when the session needs to be closed according to time restrictions.
    Logoff Notification
  25. Customize Messages

    All messages displayed to your users or notifications sent to administrators can be customized in the Message Tab. Messages are formatted with templates using variables. You will find all allowed variables in the UserLock help file.
    Customize messages
  26. Define protected groups conflict-solving policy

    When an account belongs to several protected groups with different settings, UserLock needs to know which settings take precedence. You can change the policy in Server Properties.
    By default, the more restrictive policy is set: if one protected group denies the logon, the logon is denied to the user, and to be allowed the logon must be allowed by all concerned protected groups. If you select the less restrictive policy, the logon is denied only if all concerned protected accounts deny it. This might be the best policy to use if you define very restrictive rules for everyone and less restrictive rules for specific groups of users. Rules from a protected user account always override all other protected group rules, independently of the policy.

    Server Properties
  27. Define permissions for UserLock console

    If you are in charge of a large network, you may want to delegate some UserLock tasks to your helpdesk team without allowing them to access all settings. To do this, open the MMC console on the server, display Server Properties and go to the Security Tab. By default, only sysadmins are allowed to administer UserLock. Add your helpdesk team security group and allow them to only manage user sessions, so they will be able to log off or reset sessions if users are unable to log on because they did not properly log off their last session.
    Administration Permissions
  28. Install a backup server

    If the UserLock primary server becomes unavailable for any reason, users will always be able to log on, but their sessions will no longer be protected. If you want to keep your sessions protected in such a situation, you can install a UserLock backup server on a second server of the protected zone. After the installation, in the configuration wizard, you just need to select backup server as the server type and specify the name of the primary server. Other configuration steps are the same.
    Install Backup Server
  29. Backup server properties

    Once the UserLock backup service has been started, you can display the synchronization tab in the server properties. The time of the last successful synchronization is shown; if needed, you can change the synchronization interval or force an immediate synchronization.
    The synchronization is differential, so only new logons are synchronized each time. Don’t expect to see all user sessions on your backup server immediately after the installation.

    Synchronisation Settings
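
Steps 22, 23 and 26 describe how workstation IP ranges, weekly time frames and the group conflict-solving policy together decide whether a logon is allowed. The following is an added example, not UserLock code: a simplified Python model of that decision, in which the `Rule` class, the `logon_allowed` function, the policy names and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """Constructed model of one protected account; not UserLock's own schema."""
    name: str
    is_user_rule: bool = False  # protected user account (True) or protected group
    allowed_networks: list = field(default_factory=list)  # step 22; empty = any
    allowed_hours: dict = field(default_factory=dict)  # step 23: weekday -> (from, to)

    def allows(self, workstation_ip: str, when: datetime) -> bool:
        ip = ip_address(workstation_ip)
        if self.allowed_networks and not any(
            ip in ip_network(net) for net in self.allowed_networks
        ):
            return False  # workstation outside every allowed IP range
        if self.allowed_hours:
            start, end = self.allowed_hours.get(when.weekday(), (0, 0))
            if not start <= when.hour < end:
                return False  # outside the weekly time frame
        return True


def logon_allowed(rules, workstation_ip, when, policy="more_restrictive"):
    """Combine the verdicts of all rules that apply to one account (step 26)."""
    if policy not in ("more_restrictive", "less_restrictive"):
        raise ValueError(f"unknown policy: {policy}")
    user_rules = [r for r in rules if r.is_user_rule]
    if user_rules:  # a protected user account overrides every group rule
        return all(r.allows(workstation_ip, when) for r in user_rules)
    verdicts = [r.allows(workstation_ip, when) for r in rules]
    if not verdicts:  # no protected account applies: no restriction by default
        return True
    # more restrictive: every group must allow; less restrictive: one is enough
    return all(verdicts) if policy == "more_restrictive" else any(verdicts)


# Constructed sample rules (names, ranges and hours are illustrative only).
EVERYONE = Rule("Everyone", allowed_networks=["10.0.0.0/24"],
                allowed_hours={d: (8, 18) for d in range(5)})  # Mon-Fri 08-18
HELPDESK = Rule("Helpdesk", allowed_networks=["10.0.0.0/16"])
SATURDAY_NIGHT = datetime(2024, 1, 6, 22, 0)

if __name__ == "__main__":
    for mode in ("more_restrictive", "less_restrictive"):
        print(mode, logon_allowed([EVERYONE, HELPDESK], "10.0.3.20", SATURDAY_NIGHT, mode))
```

The same account logging on from 10.0.3.20 on a Saturday night is denied under the default policy and allowed under the less restrictive one, which is why switching the policy should be reviewed together with how strict the Everyone rule is.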