The Division of Engineering Computing Services (DECS) provides information technology services and support for the faculty, staff, students and guests of the College of Engineering at Michigan State University (MSU) – one of the top research universities in the world.
Part of the MSU College Engineering, they are responsible for managing and supporting all technologies in classrooms, computer labs, residence halls and offices on and off campus.
The Challenge
Define and enforce only one single session for each Active Directory user account
For the various Engineering departments, the DECS maintain and support several computing labs and instructional classrooms.
Because native Active Directory allows multiple logons from the same user, a common problem existed where students were able to logon within a lab to several workstations at once. They were doing this to reserve seats for friends who were yet to arrive at class.
When several computers could be blocked by one user, this prevented the proper sharing of school resources - and resulted in lots of complaints from students and faculty staff.
Uncontrolled simultaneous logins also posed obvious security issues. It widens the attack surface of a network as valid, but compromised credentials, can be used at the same time as their legitimate owner. It also creates a whole accountability and non-repudiation issue as user A, connected to the network with the credentials of user B, can access user B’s data and applications, send Emails in his name, etc.
Limiting concurrent logon sessions is not supported natively in Active Directory. A third party solution was therefore needed that could enforce this restriction and allow both administrators - and users themselves - to remotely logoff any existing sessions.
The Solution
A simple, stable and non-disruptive solution that works alongside Active Directory
Tasked with having to solve this problem, Matt Hale, IT Administrator at MSU came across UserLock following some internet research.
Installation of the software proved easy and very straightforward. The online documentation was clear and helped support their own choice to install the UserLock micro agent using Group Policies.
Once deployed, UserLock allowed them to easily prevent concurrent logins from a single user.
By stopping students from using several workstations, UserLock helps free up resources for all students. The choice is also there to remotely logoff any existing sessions from a new login attempt.
By tracking all user connection events in real-time, the IT team can also monitor and report on all users’ logon and logoff activity to study how lab resources are being used - the high and low activity peaks, the occupancy rates etc.
We’ve been using UserLock since 2013. It is a great product. It is easy to install and very straightforward, the online documentation is great. We can rely on the software and don’t need to check it every day. It does the job we need it to do.
Matt Hale
IT administrator at MSU
The Benefits
Optimized resources & reduced risks of security issues
Following UserLock’s deployment, the IT team has seen a reduced number of complaints regarding the lack of free space which means resources have been better optimized for students.
Full visibility and insights into all logon events has also allowed the team to better manage resources.
What’s more, UserLock proved no hassle. It integrated easily with the existing Active Directory infrastructure. No modifications are made to AD or its schema. Hosted on any server member of the domain, UserLock is managed remotely on workstations or through a web console anywhere on the network.
If you need an affordable, stable method to create functionality that Active Directory should already have built in, I would definitely recommend UserLock.
Matt Hale
IT administrator at MSU