UserLock enforces a single session per user to optimize shared computer lab resources
- Michigan State University
- Education
- United States
)
The Division of Engineering Computing Services (DECS) provides information technology services and support for the faculty, staff, students and guests of the College of Engineering at Michigan State University (MSU), one of the top research universities in the world. Part of the MSU College Engineering, they are responsible for managing and supporting all technologies in classrooms, computer labs, residence halls and offices on and off campus.
"We rely on the software to create functionality that Active Directory should already have built-in."
Matt Hale - IT Administrator
For the various Engineering departments, the DECS maintain and support several computing labs and instructional classrooms.
Because native Active Directory allows multiple logons from the same user, the DECS team had a frequent problem: students could logon within a lab to several workstations at once. They were doing this to reserve seats for friends who were yet to arrive at class.
And that wasn't the only problem. One user could block several computers, preventing the proper sharing of school resources. It had become a source of frequent complaints from students and faculty staff.
Uncontrolled simultaneous logins also posed obvious security issues. It widens the attack surface of a network as valid, but compromised credentials, can be used at the same time as their legitimate owner. It also creates a whole accountability and non-repudiation issue as user A, connected to the network with the credentials of user B, can access user B’s data and applications, send Emails in his name, etc.
Limiting concurrent logon sessions is not supported natively in Active Directory. The DECS team decided to look into a third-party solution to enforce this restriction. It also had to allow administrators, and users themselves, to remotely logoff any existing sessions.
Tasked with solving this problem, Matt Hale, IT Administrator at MSU, came across UserLock following some internet research.
He quickly set up the software to test it and said the installation was easy. The online documentation was clear and helped support the team's choice to install the UserLock micro agent using Group Policies.
Once deployed, Matt quickly saw how UserLock allowed them to easily prevent concurrent logins from a single user.
By stopping students from using several workstations, UserLock helps free up resources for all students. The choice is also there to remotely logoff any existing sessions from a new login attempt.
Plus, by tracking all user connection events in real-time, the IT team can also monitor and report on all users’ logon and logoff activity to study how lab resources are being used: the high and low activity peaks, the occupancy rates, etc.
"We’ve been using UserLock since 2013. It is a great product. It is easy to install and very straightforward, the online documentation is great. We can rely on the software and don’t need to check it every day. It does the job we need it to do."
Matt Hale - IT Administrator
After implementing UserLock, the IT team saw a sharp dropoff in complaints about the lack of free space. They see that as a clear indicator that resources are now better optimized for students.
With full visibility and insights into all logon events, the team can also better manage IT resources and workloads.
What’s more, UserLock involves zero hassle. It integrated easily with the existing Active Directory infrastructure. No modifications were made to AD or its schema. Since UserLock is hosted on any server member of the domain, the IT team can manage it remotely on workstations or through a web console anywhere on the network.
"If you need an affordable, stable method to create functionality that Active Directory should already have built in, I would definitely recommend UserLock."
Matt Hale - IT Administrator