---
locale: "en"
updated_at: "2025-10-24T16:10:12.013Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/reference/access-policies/initial-access-points"
---

# Initial access points

Restrict access based on initial logon location.

## Typical use cases

- Prevent a user from opening sessions from multiple machines at the same time.
- Force all access for a user to go through a single workstation.
- Reduce the attack surface by limiting the number of possible entry points.

![](https://a.storyblok.com/f/122374/844x208/96ccb23fbe/iap-nb-limited-to.png)

## Key points to know

- An **initial access point** is the first session opened on the network.
  - Example: opening a session on a workstation = initial access point.
  - If from that workstation the user opens a terminal session, it is a **child session**, and does not count as a new access point.
  - If the same user opens a session from another machine, this creates a **new initial access point**.
- Available options:
  - *Not configured* → no limit, unless inherited from another policy.
  - *Unlimited* → no restriction.
  - *Limited to* → maximum number of allowed initial access points.
- Limiting to **1 initial access point** ensures the user can only enter the network from one machine.

> **Note**
>
> This policy can be combined with [Session limits](/userlock/docs/reference/access-policies/session-limit) for finer control.
> For example: limit to **1 initial access point** + **3 interactive sessions** → the user can open 3 sessions, but only from the same machine.

## Configured policies

A list of all initial access point restriction policies is available in the **Access Policies** section, under the **Initial access points** page.

![](https://a.storyblok.com/f/122374/1796x670/46b1c3dea5/initial-access-point-table.PNG)

## Best practice: Combine initial access point limits with remote logoff

Balancing security and productivity often means restricting network entry points **without locking users out**. UserLock lets you limit how many initial access points a user can open, while still allowing flexibility.

To maintain control and reduce help desk requests, combine initial access point limits with the option for users **to close one of their active sessions** themselves, without contacting an administrator, before opening a new one.

#### Configuration steps

1. Create an *Initial access points* policy for the desired target (user, group, OU).
2. Define the maximum number of allowed entry points.
3. Create a [Session limits policy](/userlock/docs/reference/access-policies/session-limit) on the same target.
4. Enable **Close previous session**.

This approach keeps network access secure while ensuring users remain autonomous.
