With the release of UserLock 7 come PowerShell commands for Active Directory security. Yes, it is now possible to manage and administer UserLock with PowerShell cmdlets!
UserLock is an enterprise software solution that controls and restricts user access, offering Identity and Access Management to Windows and Active Directory networks.
Gaining in popularity and importance, Windows PowerShell is an extendable command shell and scripting language that can be used to manage and administer server environments such as Windows Server, Exchange and SharePoint 2010.
The advantages to managing UserLock with PowerShell
Scripts can be written and scheduled at regular intervals enabling the automation of UserLock administration tasks. The UserLock cmdlets can also be used without a script to administer the UserLock server.
The advantages of using extendable cmdlets include:
- makes repetitive tasks easier and less tedious
- makes complex tasks less complex by wrapping several commands together
- facilitates the automation of system admin tasks – reducing the risk of human error
- all cmdlets respect the PowerShell Standard (settings, help…)
- remote system management
- manage UserLock without the console
- manage UserLock without a web browser
Want to learn more about Windows PowerShell command line and scripting environment? On this page you will find training videos, guides, Wiki articles, and more…
Prerequisites for managing UserLock with PowerShell
PowerShell is installed by default on Windows 7 and Windows Server 2008, and is compatible with all versions of Windows that support version 2.0 of .NET (Vista, XP, Server 2003…).
To use PowerShell scripts, you must edit the policy by running the following command as an administrator:
Set-ExecutionPolicy RemoteSigned
The default option is “Restricted”, which prohibits the execution of any PowerShell script.
Note: There is no need to install anything else aside from the UserLock Console.
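An added example, not taken from the UserLock documentation: inspect the policy at every scope, apply RemoteSigned only to the account that runs the scripts instead of machine-wide, and list scripts that lack a valid Authenticode signature, since RemoteSigned does not require one for locally created scripts. The folder C:\Scripts\UserLock and the function name Get-UnsignedScript are assumptions.

```powershell
# Show the policy configured at each scope. The list is in precedence order:
# the first scope that is not 'Undefined' is the effective one.
Get-ExecutionPolicy -List

# Narrower alternative to the machine-wide change: set RemoteSigned only for
# the current account (written to the user's own settings, no elevation needed).
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Report every script under a folder whose signature is missing or invalid.
function Get-UnsignedScript {
    param([string]$Path = 'C:\Scripts\UserLock')   # hypothetical folder
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

# Review this list before putting any of the scripts on a schedule.
Get-UnsignedScript
```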
Using PowerShell to manage UserLock
Simply click the PowerShell icon on the toolbar of the UserLock console.
This launches a PowerShell console with the UserLock module loaded.
Once launched, UserLock PowerShell attempts to connect to the UserLock server selected in the console (if no server is selected, a connection will be attempted on the local computer).
From this point, the first scripts can be written or the first UserLock cmdlets run.
The “Get-UserLockCommand” command lists all the commands provided by the UserLock module.
Each cmdlet has comprehensive help that can be accessed by running the following command:
Get-Help <UserLock cmdlet> -Full
Script Examples
The following script (which could be named ‘Stop-UserLockWorkstationWithNoSession.ps1’) shuts down workstations that have no open session during non-business hours, which is useful for a ‘green’ IT policy.
Get-UserLockReportedComputer -OnlyWorkstation | where {($_.SessionCount -eq 0) -and ($_.Available)} | Stop-UserLockComputer -Force
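A guarded variant of the shutdown one-liner above, as an added example that is not UserLock's own script: it refuses to run during business hours, caps the number of targets and records the selection before acting. The hours, the limit of 200 and the log folder are assumptions; only the UserLock cmdlets and properties already shown on this page are used.

```powershell
# Assumed values: adjust to your own schedule and fleet size.
$BusinessStart = 7                      # 07:00, assumed
$BusinessEnd   = 19                     # 19:00, assumed
$MaxTargets    = 200                    # assumed ceiling; above it, stop and investigate
$LogDir        = 'C:\Logs\UserLock'     # hypothetical folder

function Test-BusinessHours {
    param([datetime]$When = (Get-Date))
    $weekend = ($When.DayOfWeek -eq 'Saturday') -or ($When.DayOfWeek -eq 'Sunday')
    (-not $weekend) -and ($When.Hour -ge $BusinessStart) -and ($When.Hour -lt $BusinessEnd)
}

# Guard 1: a misfired or manually started task must not act during the day.
if (Test-BusinessHours) {
    Write-Warning 'Inside business hours: no workstation was shut down.'
    return
}

# Same filter as the one-liner, but collected first so it can be checked.
$targets = @(Get-UserLockReportedComputer -OnlyWorkstation |
    Where-Object { ($_.SessionCount -eq 0) -and ($_.Available) })

if ($targets.Count -eq 0) { return }

# Guard 2: an unexpectedly large selection usually means bad input data.
if ($targets.Count -gt $MaxTargets) {
    Write-Warning "Refusing to shut down $($targets.Count) workstations (limit $MaxTargets)."
    return
}

# Keep a record of exactly which machines were selected before acting.
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$log = Join-Path $LogDir ('shutdown-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$targets | Export-Csv -Path $log -NoTypeInformation

$targets | Stop-UserLockComputer -Force
```

Save it as a .ps1 file so that each return ends the script.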
The next one (‘Install-UserLockAgentOnRemainingWorkstation.ps1’) installs the Desktop UserLock agent, through the UserLock server, on workstations that have no agent. This is useful if you have to reboot workstations to enable the UserLock agent (on XP, 2003 and older operating systems).
Get-UserLockAgentDistribution | where {($_.IsServer -eq 'Workstation') -and ($_.AgentType -eq 'Desktop') -and ($_.AgentStatus -eq 'NotInstalled') -and ($_.LastCheckStatus -eq 0)} | Install-UserLockAgent -Force
This script can reboot all workstations with a pending agent installation overnight.
Get-UserLockAgentDistribution | where {($_.AgentStatus -eq 'installing') -and ($_.IsServer -eq 'workstation')} | Restart-UserLockComputer -Force
This script can send a pop-up warning to all open sessions.
Get-UserLockInteractiveSession | Send-UserLockPopup -Title 'IT Maintenance' -Message 'The File server is currently restarting. It will be available in 5 minutes. IT Department.' -Force
This script applies a UserLock setting (e.g. a welcome message) to all your protected users.
Set-UserLockProtectedAccount -Name * -Type user -Property DisplayWelcomeMessage -Value true -Force
You can also create protected accounts with specific criteria and rules that forbid them from using any workstation other than the one you have assigned.
Advanced Examples
To administer a remote UserLock server, change the variable $UserLockServerName by running:
$UserLockServerName = '<remote UserLock server>'
You may also use UserLock cmdlets without launching PowerShell from the UserLock console.
To do this, start a PowerShell console, manually load the UserLock PowerShell module, then use UserLock cmdlets by running the following commands:
Import-Module UserLockPowerShell
Get-UserLockProtectedAccount
With the launch of UserLock 7, administrators who are proficient in and enjoy working with PowerShell now have the option to use this shell and scripting language when managing UserLock.
UserLock 7 is currently in beta: join our UserLock 7 Beta-Testing Program and see for yourself. Participating is very simple. Click on this link and you will find everything you need.