UserLock Documentation
UserLock Documentation

Version History

UserLock 8.5 Date de sortie: 12 juin 2015

Ajout

  • Un nouveau type de Compte protégé est maintenant disponible : le compte protégé temporaire. A la différence du Compte protégé classique et permanent, ce compte temporaire n’est valide que pour une période de temps définie par une date de début et une date de fin.
  • Un nouveau rapport ‘Historique des statuts utilisateur’ permet d’obtenir l’historique des changements de l’indicateur de risque "Statut utilisateur".
  • Il est maintenant possible de cloner un Compte protégé sélectionné depuis le panneau ‘Accès rapide’ ou le menu contextuel de la vue ‘Comptes protégés’.
  • La Table des statuts utilisateur ‘UserStatus’ peut être visualisé directement depuis la Console Windows.

Amélioration

  • No session is selected by default in the logoff existing session dialog box.
  • La fenêtre de création des Comptes protégés offre la possibilité de copier les règles et restrictions configurées depuis un autre Compte protégé existant.
  • La vue ‘Comptes protégés’ proposent des nouveaux filtres afin de visualiser les comptes actifs, permanents, et les différents types de comptes temporaires.
  • UserLock PowerShell now includes the Management Cmdlets of temporary Protected Accounts.

Résolu

  • Outlook Web Access may generate numerous logon/logoff events in a short time interval in some cases.
  • IIS Session revocation is not supported by the UserLock ISAPI Filter agent type.

UserLock 8.02 Date de sortie: 14 avril 2015

Résolu

  • In some cases logons denied by Windows have an invalid client address.
  • Regression introduced in version 8.01 The IP address is showing ?.?.?.? for workstation sessions.

UserLock 8.01 Date de sortie: 3 avril 2015

Résolu

  • On a UserLock server (except in Standalone Terminal Server mode), Wi-Fi / VPN and IIS logons with local accounts denied by Windows are notified to the UserLock service although UserLock doesn't manage such events.
  • The error event 100 "Opened session without SID" is inserted every time the User sessions view is displayed.
  • The UserLock Server service can run at a high CPU usage of 100 percent when some specific errors occurs.
  • On a Windows Server 2003 Domain Controller, the Desktop agent notifies all IIS logons denied by Windows for the IIS account "DomainName\IUSR_IisDcName" to the UserLock service.
  • Client restrictions are no longer applied during session reconnections if a restriction of concurrent sessions allowed is also defined.
  • When a terminal session reconnection is denied due to workstation restrictions only the first attempt is inserted in the database.
  • In some cases the Database connection type is not correctly detected by the Web console.
  • A user logon denied by Windows due to account restrictions is not displayed in the Session history report.
  • The Web console dashboard displays some errors when UserLock is configured to use a MySQL ODBC database.
  • The Windows console displays an error message when open on a server whose name starts with a number.
  • In some cases the logoff is not notified by the UserLock Agent Service to the UserLock server when a computer is powered off.
  • If no domain controller is available the NPS agent may not initialize correctly.

UserLock 8.0 Date de sortie: 4 novembre 2014

Ajout

  • A new risk indicator “User Status” to better identify suspicious and inappropriate access behavior and potential threats to network security.
  • A real-time alert on possible credential-based-attacks to notify users when their own credentials are used (successfully or not).
  • UserLock administrators monitoring and alerts through a UserLock Windows Event Log to verify the trust given to UserLock administrators.
  • A new rule to restrict in real time users to a single active session. Opening a new session has the immediate effect of locking the previous session if open.
  • All restrictions for each protected account have a "Not configured" status based on the GPO model, improving the granularity of restriction priority.
  • Wake on Lan feature to wake up any computer which has the technology requirements.
  • A full session synchronization between the Backup Server and the Primary Server is now possible on demand.
  • A new diagnostic tool is now available when hitting the "F12" key.
  • A new ID field and a Time index have been added to the UserLogonEvents table to improve database performance.
  • The console warns UserLock operators about the license and maintenance expiration.
  • A new command in the Help menu allows operators to check for UserLock updates.
  • A version checking process is now automatically performed between the UserLock console and the server to warn UserLock operators about version compatibility.
  • The User Sessions view by machine is now available on the Backup Server (without AD path/tree options). Note that the "Only sessions on unavailable computers" filter can't be used on this mode.
  • New optimized statistic commands have been created in UserLock API to provide Statistics on the Web Console dashboard.
  • Effective restrictions can be displayed for a user through UserLock PowerShell cmdlet "Get-UserLockProtectedAccountEffective".

Amélioration

  • A full redesign of the UserLock Web Interface to facilitate the administration of UserLock from any device (mobile, tablet or computer).
  • Further granularity when setting permission rights for privilege users. Access to the different features offers now two privileges: "Read" and "Write".
  • New session information are available: Session logon time, last activity time, and Client IP address for all session types; Client Name for interactive & Wi-Fi/VPN sessions.
  • Reports can now be filtered by any Active Directory group or Organizational Unit.
  • UserLock can now close an IIS session (forced logoff) from the UserLock console, PowerShell or API.
  • Sessions activity logs are now sent asynchronously to the server after an network issue.
  • The Reports Time section offers new relative time criteria to facilitate report generation & schedule.
  • Protected Account notification allows more criteria for pop-up and E-mail alerts.
  • Logons denied by Windows are now detected for Terminal, Wi-Fi/VPN and IIS sessions.
  • Logons denied by UserLock are now displaying the restriction reason.
  • UserLock Popup notifications are now displayed over Windows Metro Start screen and applications.
  • When database connectivity errors occur during a database insertion, a specific queue conserves data until the insertion process is successfully performed.
  • On Windows 2012 or more the installation process of the UserLock Web console checks any missing requirements and offers to configure and install these necessary components or features.
  • The UserLock configuration files have been split and moved into 4 separated files.
  • The default MS Access database has been moved to the following path "C:\ProgramData\ISDecisions\UserLock\Database\UserLock.mdb".
  • The UserLock service is now logged as NETWORK SERVICE to use less privileges. When some actions required more privileges, the UserLock service will impersonate with the specified account.

Résolu

  • When a user has a read only access to the server Properties, the account defined in the Impersonation section is indicated as invalid even it is actually valid.
  • A Protected zone composed of many Organizational Units or domains is not displayed correctly in the server Properties.
  • On the session history report "Since the specified number of days" can be empty.
  • Quick filters applied from column heads of the User sessions view are lost after clicking on Refresh.
  • It is not possible to connect to a remote server with the Web admin console from Windows 2003.
  • Actions on Temporary Protected accounts do not work from the Windows console.
  • Web console - Actions performed by the same UserLock operator from two different browsers are not automatically notified to both browsers.
  • Web console - On tablet device, the server icon is moving when scrolling.
  • The Service impersonation section should not be displayed in Standalone Terminal Server mode.
  • Protected account settings are not saved in Standalone Terminal Server mode.
  • Web console - The search feature from the Filter panel is only performed on data from the main column of the view.
  • Well-know accounts are protected by UserLock.
  • Settings are applied again when clicking OK even if Apply has already been clicked previously.
  • It's impossible to click Apply or OK after having deleted a Time restriction or a Workstation restriction.
  • The Logon Notification message doesn't contain the reason why the logon is denied.
  • Agents communication pipes without any activity are not disconnected.
  • When applying a Security permission right as authorized for Read and denied for Write, it's registered as denied for both Read and Write.
  • The Windows Console crashes when an agent deployment action can't be cancelled.
  • Remote logoff sent to an unavailable machine to apply a rule limit is performed anyway when the machine comes back online even if this rule limit is no longer relevent at that time.
  • The IIS agent (ISAPI filter) is not compatible with the command line registration (REGSVR32).
  • The IIS agent (HttpModule) is not compatible with the command line registration (REGSVR32).
  • The Popup notification column from the Protected accounts view displays an incorrect status.
  • Permissions set on the IIS agent log file and the IIS agent Registry key are incorrect.
  • When the UserLock help file is opened in full screen mode, it's impossible to switch between the help file and the UserLock console.
  • The UserLock IIS agent may crash its Application Pool when several Application Pools are running with different identities.
  • It is not possible to save the result of a report executed in Raw data mode through the menu File/Save... of the Windows console.
  • It's not possible to apply changes after having modified Logon events selection of the feature "Warn users in real time of all connection events involving their credentials".
  • Restarting a computer without open session from the Machine view of the Web Console fails and displays an error.
  • The message displayed on the Notification sent for Logon denied by Userlock is not enough understandable.
  • Filter criteria from the Agent distribution view in the Web Console contain an unknown agent type.
  • Column contents overlap in the Session history view of the Web Console when using small screens.
  • Wi-Fi / VPN session names displayed in Protected Accounts Notifications are not as user friendly as those displayed in UserLock consoles.
  • Webconsole, machine view, reboot a workstation with a session doesn't work
  • It is not possible to schedule a SQL query
  • After an upgrade the reporter still tries to access the default database at the old location
  • The User status breakdown graph is taking a long time to be displayed in the Web Console Dashboard.
  • An invalid service impersonation account generates many events from the UserLock service still trying to use it.
  • The shutdown action is immediately initiated without warning previously users.
  • The User session view option "Display AD tree" remains enabled after disabling it and refreshing the view.
  • User statistics displayed on the Web Console Dashboard are inconsistent in some specific cases.
  • IIS logons denied by Windows on a Web application configured in Basic authentication mode generate a second attempt of insertion in the database.
  • Userlock Service cannot start when the Userlock.log log file contains only space characters.
  • Local account names are not listed in the User sessions view in display mode by computers.
  • The LogonInfo and Status fields are not synchronized between the Backup and the Primary server.
  • The User status section and the license section of the Backup server are editable.
  • In the Web Console, applying the filter "None" in the User sessions view generates an error.
  • In the Web Console, switching the number of lines displayed in the User sessions and Agent distribution view can cause an error message.
  • The Welcome message is not displaying the reason of a UserLock denied logon.

UserLock 7.01 Date de sortie: 10 mars 2014

Amélioration

  • Le délai d'initialisation des threads dans le service a été augmenté a 20 s pour éviter un échec de démarrage dans certains cas.

Résolu

  • Avec l'interface web, dans la section Général des propriétés du serveur "Fermeture des sessions excédantes" et "Ordre des sessions excédantes" étaient inversés.
  • Avec l'interface web, dans la section Serveur de terminal indépendant des propriétés du serveur et dans la section Agent des propriétés Distribution de l'agent, "Toujours" et "Jamais" étaient inversés dans le paramètre Rejoindre une session existante.
  • Problème de contenu de cellule dans la vue des sessions utilisateur sur les serveur de sauvegarde avec la console web.
  • Une exception dans l'interface web lors de l'affichage des propriétés d'un serveur de sauvegarde.
  • Une exception lors de l'affichage d'un rapport dans la console web et qu'aucun groupe protégé n'était défini.
  • Le verrouillage et la fermeture de sessions non interactives était tenté alors que ce n'est pas possible.
  • La possibilité d'afficher les nom des utilisateurs dans le SysLocator ne fonctionnait pas.
  • Si l'évaluation de UserLock avait expirée et le service était redémarré il n'était plus possible d'administrer UserLock (erreur concernant l'expiration de la maintenance) et de saisir une nouvelle clé d'activation.
  • Si le compte de service UserLock n'avait pas les droits d'administrations sur le serveur la librairie de messages pour l'observateur d'événement ne pouvait pas être enregistré.

UserLock 7.0 Date de sortie: 18 juin 2013

Added

  • Nouveaux commandlet PowerShell pour les sessions et les ordinateurs.
  • Documentation des commandlets PowerShell de UserLock.
  • Des commandes d'ordinateurs peuvent être lancé depuis la console UserLock.
  • UserLock peut-être managé par PowerShell.
  • Une documentation complète de l'API est disponible.
  • Une nouvelle interface au look Windows server 2012.
  • Une nouvelle page de bienvenue avec des informations synthétiques sur UserLock.
  • L'interface web supporte désormais également le navigateur Chrome en plus de FireFox et Internet Explorer.
  • La localisation des machines peut désormais être spécifiée dans un fichier CSV avec les colonnes Nom de l'ordinateur, l'immeuble et la salle.
  • Les rapports peuvent être filtrés en fonction des membres d'un groupe protégé.
  • Les rapports peuvent être filtrés en fonction de plusieurs machines ou utilisateurs séparés par une virgule.

Amélioration

  • L'installation du module PowerShell. Le module peut être chargé sans spécifier son chemin et il est chargé automatiquement avec PowerShell 3.0.
  • Des commandlets PowerShell.
  • La documentation des commandlets PowerShell.
  • Le fichier d'aide en anglais.

Résolu

  • Il n'était pas possible de supprimer des comptes protégés depuis l'interface web.
  • Sur Windows 2012 le pool d'application IIS UserLockAppPool n'était pas enregistré pour utiliser le framework .NET 2.
  • L'entête des colonnes manquait dans le rapport des sessions utilisateur (par machine et par utilisateur).
  • Un problème de disposition lorsque les propriétés d'un compte protégé étaient affichées dans certains navigateurs web.
  • Avec l'interface web les buttons d'actions (fermeture, verrouillage, redémarrage, installation, ...) devenaient inactifs après un changement de page dans les Sessions utilisateur et dans Distribution de l'agent.
  • Une console à distance ou la console web n'affichaient pas le nombre d'ordinateurs dans le fichier CSV de localisation.
  • Le filtre prédéfini sélectionné dans la vue des sessions et la vue de distribution de l'agent n'était pas coché.

UserLock 6.0 Date de sortie: 16 juin 2011

Ajout

  • Ligne de commande de l'agent permettant de mettre les scripts de logon en attente de l'autorisation avant de s'exécuter.
  • Traduction des messages qui s'affichent aux utilisateurs en hollandais (grâce à un client UserLock de Hollande).
  • Documentation de toutes les nouvelles fonctionnalités.
  • Affichage des informations de quota de temps dans le message de bienvenue (attention ! cela n'est vrai que pour une nouvelle installation de UserLock. Dans le cas d'une mise à jour, vous devez ajouter la variable dynamique "%quotainformation%" au message de bienvenue).
  • Ajout d'une variable permettant de définir la durée de notification de fermeture de session une fois le quota de temps épuisé.
  • Nouveaux rapports dans la console d'administration Web : "Evolution du nombre de sessions", "Historique des sessions RAS / VPN", "Statistiques des sessions RAS / VPN".
  • Audit et affichage des sessions avec des comptes locaux.
  • Protection des sessions IIS authentifiées (Ex : control des accès à Outlook web Access ou à un intranet).
  • Possibilité de définir des quotas journaliers/hebdomadaires/mensuels/trimestriels/semestriels et annuels.
  • Nouveau type de compte protégé : OU (Unité organisationnelle) utilisateurs (en plus des utilisateurs protégés et groupes protégés).
  • Possibilité de définir des restrictions de poste de travail avec des OUs d’ordinateurs.
  • Possibilité de mettre plusieurs OUs dans la zone protégée (actuellement on ne peut en mettre qu’une seule).
  • Rapports spécialisés pour les sessions RAS (Historique, évolution, statistique).
  • Rapport permettant d’afficher la progression du nombre total de sessions ouvertes.
  • Nouvelle technologie de popup pour remplacer la technologie de popup du service Microsoft messenger devenue obsolète.
  • Possibilité d'envoyer des messages aux utilisateurs (dans un popup) a partir de la console UserLock.
  • Nouvelles propriétés pour le serveur UserLock afin de fermer automatiquement les sessions excédantes (la plus ancienne ou la plus récente d'abord).
  • Nouvelle propriété pour le serveur UserLock afin de reporter le temps des quotas inutilisé.
  • La vue "Distribution de l’agent" dispose maintenant d’une nouvelle colonne "Dernier succès" affichant la date de succès de la dernière vérification de l’agent.

Amélioration

  • Pour les sessions terminal UserLock considère maintenant l'adresse IP public du terminal plutôt que l'adresse IP privée.
  • Un compte AD qui n'existe plus est supprimé de la base des sessions après 2 jours si cet utilisateur n'a pas de session. Si ce compte a des sessions il sera supprimé après 30 jours.
  • Un message différent est affiché à l'utilisateur lorsque la session est fermée en raison d'un temps maximum de session (SESSION_LENGTH_LOGOFF) et en raison d'un temps maximum de session verrouillée (SESSION_LOCKLENGTH_LOGOFF).
  • Dans la vue "Comptes protégés" de la console d'administration Windows, "Ajouter une Unité Organisationnelle" (OU) propose désormais un champ éditable qui permet de saisir manuellement le nom d'une OU sans connexion à Active Directory.
  • Dans le message de bienvenue, si au moins une connexion refusée est listée, alors une icône d'avertissement est affichée au lieu de celle d'information.
  • UserLock ne génère plus d'évènements d'erreur pour une session fantôme au-delà des restrictions de temps.
  • UserLock peux désormais afficher dans distribution de l'agent des machines de domaines extérieurs à la forêt AD locale.
  • Si UserLock est mis à jour, alors la console Web sera mise à jour également.
  • Ergonomie des deux consoles d'administration.
  • Titres des colonnes dans la vue "Temps consommé" des sessions utilisateur.
  • L'arborescence AD dans la vue par utilisateur des sessions regroupe les comptes locaux dans le noeud "Comptes Locaux".
  • Mise à jour des icônes pour les sessions IIS dans les rapports.
  • Changement de l'unité pour les rapports "Statistiques des sessions RAS / VPN" (sauf pour le type de graphique "Nombre de sessions"): l'unité en ordonnée est maintenant l'heure.
  • Le compte de service UserLock de requiert plus les droits d'administration sur le serveur lui-même.
  • Si beaucoup de comptes protégés sont configurés (plus de 100), la vue des comptes protégés s'affiche plus rapidement.
  • La synchronisation des comptes protégés avec le serveur de sauvegarde a été a été optimisée (uniquement les comptes protégés modifiés sont synchronisés).
  • Le service UserLock démarre plus rapidement en cas de large environnement AD ou de mauvaise connectivité avec les controlleurs de domaine.
  • Les noms d'utilisateurs sont mis à jour toutes les 24 heures.

Résolu

  • La console web échouait à cause de problèmes de cryptage même quand le cryptage n'était pas nécessaire.
  • Le journal de l'agent IIS augmentait en taille sans limitation.
  • Les noms d'utilisateurs et les comptes ne correspondaient pas dans la vue des sessions dans certains rares cas.
  • Lorsqu'un compte protégé ne pouvait pas être résolu à la création celui-ci restait dans cet état (SID affiché dans la console) même si la résolution était possible après coup.
  • Les statistiques affichées à la fin du rapport d'historique des sessions étaient fausses dans certain cas.
  • Les clients terminaux Mac généraient des erreurs sur le serveur UserLock.
  • La vue distribution de l'agent pouvait crasher lorsqu'elle était filtrée par le dernier statut de vérification.
  • L'agent pouvait crasher lorsqu'il y avait trop d'adresses IP affectées à la machine.
  • La limite des sessions IIS dans les comptes protégés était perdue après un redémarrage du service.
  • Le message de refus pour les sessions IIS affichait une chaîne de caractères non personnalisable.
  • Dans certains cas un compte avec un SID inconnu empêchait UserLock de récupérer les noms affichés des comptes utilisateurs.
  • Sur les serveurs Windows 2008/2008 R2 la console UserLock ne demandait pas l'élévation de privilège.
  • Dans l'outil de configuration web le bouton Mise à jour n'était pas grisé lorsque la configuration de la console web était à jour.
  • Bugs dans les rapports lorsqu'ils étaient utilisés avec une base de données MySQL.
  • Bugs dans les rapports lorsqu'ils étaient lancés à partir de l'interface web.
  • Bugs lorsqu'on décrémentait le temps consommé et que UserLock était installé en français.
  • Les sessions IIS ne pouvaient pas être réinitialisées dans certains cas.
  • Le temps consommé pour les quotas n'était pas maintenu sur le serveur de sauvegarde.
  • Il n'était pas possible de réduire les temps consommé de plus que la période de quota. Même problème pour les informations de quota affichées dans le message de bienvenue.
  • Il n'était pas possible de réinitialiser des sessions avec des comptes locaux.
  • La fermeture de la précédente session ne fonctionnait pas sous Windows 2000.
  • Si un masque de localisation était spécifié pour extraire la salle et l'immeuble du nom de la machine, de fausses sessions étaient affichées dans la vue des sessions par machines.
  • L'application des paramètres serveur dans la console web générait le message "The specified cast is not valid".
  • L'agent UserLock pouvait consommer 100 % de temps CPU sur une thread sur les ordinateurs avec de nombreuses connexions refusées par Windows (ex. serveur de terminal public attaqué par des bots).
  • Si la longueur du nom de la zone excédait 512 caractères (beaucoup d'OUs avec des noms longs) le serveur UserLock basculait automatiquement vers le domaine complet comme zone protégée.
  • Si les sessions IIS étaient contrôlées dans un pool d'application IIS avec un double point dans le nom, l'affichage de la vue des sessions utilisateur générait une exception.
  • Problème dans les consoles d'administration si la zone protégée contenait plusieurs Unités Organisationnelles (OU) : seule la première OU était affichée dans les propriétés du serveur UserLock.
  • Problème dans la vue "Comptes protégés" de la console d'administration Web, si on activait le filtre automatique : "Propriétés" était ajouté à l'entête de filtre et une page d'erreur était affichée si on cliquait dessus.
  • Problème dans la vue "Sessions utilisateur" de la console d'administration Web, si on activait le filtre automatique : "Quotas" était ajouté à l'entête de filtre et une page d'erreur était affichée si le filtre ne correspondait à aucune donnée ou si "Sessions utilisateur" ne contenait rien.
  • Problème dans la console d'administration Web: l'initialisation du cryptage est maintenant exécutée avec le compte du pool d'applications pour éviter des problèmes de droits avec des comptes utilisateurs.
  • Le "Nom affiché" d'un compte protégé n'était pas résolu après le redémarrage du service UserLock.
  • Si le nom NetBIOS de domaine était différent du nom AD alors les restrictions des comptes protégés de type OU n'étaient pas appliquées.
  • Si plusieurs domaines étaient sélectionnés dans la zone protégée par UserLock, seul le premier était protégé par UserLock.
  • Il n'était pas possible d'ajouter des ordinateurs dans les restrictions de poste de travail en recherchant dans l'Active Directory.
  • Dans l'interface web il n'était pas possible d'ajouter une plage horaire pour le jeudi uniquement.
  • Uniquement pour les environnements multi-forêts : si le DC d'un domaine était indisponible pendant le redémarrage du service UserLock, alors tous les comptes de ce domaine étaient remplacés par leur SID.
  • Si un compte protégé était renommé et le service UserLock redémarré, alors il n'était plus possible de consulter les propriétés de ce compte protégé.
  • Le cache de IE9 empêchait l'affichage de rapports à jour à partir de la console web.
  • Problème dans la console d'administration Windows en anglais : les champs "Maximum session length" et "Maximum locked time" étaient inversés.
  • Problème lors de l'envoi par l'agent Station au serveur UserLock des événements de sessions non notifiés : les événements de sessions avec des comptes locaux n'étaient pas correctement enregistrés.
  • Problèmes d'affichage des comptes protégés dans les consoles d'administration dans le cas où le champ "Nom complet", "Nom canonique", "Destinataire de l'Email" ou "Destinataire du message réseau" contenait des points-virgules.
  • Problème dans la gestion du comptage de licence : les sessions avec des comptes locaux étaient comptées dans le comptage de licence.
  • Les noms des membres d'une Unité Organisationnelle extérieure au domaine étaient préfixés par le domaine protégé par UserLock au lieu du bon nom de domaine.
  • Problèmes lors d'ajout de quotas de temps à un compte protégé.
  • Problème lors de l'affichage de l'historique des sessions par clic droit sur un compte local.
  • L'arborescence AD des "Sessions utilisateur" garde en mémoire le dernier élément sélectionné pour l'afficher de nouveau lors d'un accès ultérieur.
  • Calcul des colonnes "Durée moyenne par jour ouvrable" et "Durée moyenne par semaine" sur le rapport "Statistiques des sessions RAS / VPN".
  • Problèmes lors de la modification des restrictions d'un compte protégé sans validation entre les modifications.
  • Problèmes lors de l'affichage du temps consommé et des quotas de temps effectifs depuis "Sessions utilisateur".

UserLock 5.5 Released: December 4th, 2009

Added

  • The agent can now notify a lock notification when a password protected screen saver starts (In agent distribution properties select "Consider screen saver time as locked time"). In previous version the lock event was notified only when the session was resumed and the locked notice displayed. (Agent update needed).
  • UserLock can now logoff automatically a session that is locked for more than a specified time. In concerned protected accounts select "Maximum locked time" and specify a number of minutes. Combined with the ability to notify a lock event when the screen saver starts, sessions can be closed after a specified time of inactivity. (Agent update needed).
  • Ability to power off computers from the console.
  • Ability to deploy agent settings with group policies. This is useful if you already deploy the agent with the msi package through group policies. The .adm file is installed in the UserLock program folder. (Agent update needed).

Improved

  • Recovery of the console if the layout or the default UI settings become corrupted.
  • The agent automatically increases the retry time interval when trying to send unsubmitted logon events to the UserLock server in order to avoid overloading the server after a long time of unavailability.
  • Logoff in reason of time restrictions of many sessions on terminal servers.
  • Better error handling when scheduling reports.
  • An infinite loop protection when a protected AD global group was member of itself in order to avoid that the service hangs in this situation.
  • The Windows console has been optimized to manage more than 10 000 users and more than 10 000 computers.
  • The GINA chaining registry value OldGinaDll has been renamed to UlOrigGinaDll to avoid a conflict with Avatier Password Station that uses the same value. Upgraded agents will still use the value OldGinalDll for compatibility with old installations.
  • The UserLock GINA now exports WlxReconnectNotify and WlxDisconnectNotify functions in order to improve compatibility with other GINAs.
  • Ability to use a large number of protected accounts (up to 10000).
  • The query of the session history report was optimized in order to display the report faster.
  • The session history report can now display independently logons denied by UserLock and logons denied by Windows (e.g. Invalid password).

Fixed

  • Customized logo header and footer were not displayed when a report was generated from the web interface.
  • When displaying the session history of a user/computer from the web interface by clicking on the user/computer link, denied logons were not include in the report.
  • The NPS agent was not writing in its log file in Windows 2008/2008 R2. On these versions of Windows the path of the log file is now c:\ProgramData\ISDecisions\UserLock\UlIasAgent.csv.
  • Some bugs in the NPS agent on Windows 2008/2008 R2.
  • The NPS agent was breaking down the computer authentication for Wi-Fi access points.
  • A compatibility problem with NComputing terminal servers.
  • Email notification were not always sent during the logoff of a member of a protected group.
  • If sessions were closed or opened since the last web console refresh a logoff/lock/reset from the web console may be applied on a wrong session.
  • In some cases, when the UserLock primary service stopped, some communication pipes remained open and agents did not failover on the backup server.
  • A problem when displaying reports from a MySQL database.
  • The configuration tree did sometimes not show up any longer and the console layout needed to be reset.
  • Protected account settings for remote access sessions were not synchronized with the backup server.
  • In the web interface, the hour restrictions mode was not reflecting actual settings on the server and changes did not take effect.
  • If an exception occurred inside the service, a memory leak might have occurred in some cases.
  • Every minute, the service has been generating an unneeded workload in the lsass.exe process and could slow down logons controlled by UserLock.
  • UserLock performance counters were not working from a terminal session.
  • UserLock performance counters did not work in a counter log because of security issues except if the account of the service "Performance logs and alerts" was switched to localsystem.
  • The backup server was sometimes incorrectly displaying some sessions as orphaned.
  • The UserLock service was sometimes hanging while stopping.
  • In hour restrictions, times were not always displayed in US format if US culture was defined.
  • For Windows Vista/7 workstations if the logoff could not be notified to the UserLock server, the previous session was not automatically cleaned when a new session was opened on the workstation.
  • UserLock was unable to get the member list of nested groups from another domain.
  • Editing a time frame was resetting concerned session types to interactive.
  • Editing a workstation restriction or a custom session limit was also resetting concerned session types to interactive in the web console.
  • A compatibility issue with Kbox on Windows Vista/7 computers.
  • Modifying an hour or workstation restriction and applying it several times was duplicating it.
  • A parenthesis "(" or ")" in a user display name was generating an exception in the UserLock console.
  • The SysLocator was crashing when some Vista workstations had more than one session.
  • If a deleted account was still listed in UserLock access permissions the console was unable to display server properties.
  • The Session statistics report did not show up in the web console and was not generated when scheduled.
  • The UserLock agent service on Windows Vista/2008/Seven/2008 R2 was in some case starting too slowly disallowing to control the first session after a boot if the user was very fast to enter his password. (Agent uninstallation and reinstallation needed).
  • When new settings of a protected account were applied several times it could duplicate workstation restrictions, time frames or custom limits.
  • Some bugs in the session history report.
  • When the number of user sessions was exceeding the license no error events were generated to warn the administrator.
  • In some case an exception was occurring when displaying the dashboard or sessions by machine.
  • Applying new properties on the primary server with the web interface was unregistering the backup server and sessions were no longer synchronized.
  • When a protected account was created in the web console with a different case than the AD, displaying immediately properties was generating an exception.
  • The Windows console was allowing removing and adding protected accounts on the backup server even that a UserLock backup server is read only.

UserLock 5.0 Released: May 29th, 2009

Added

  • The RemoteApp feature of Windows 2008 terminal services is now supported.
  • Citrix XenApp is now supported as terminal server.
  • MySQL databases are now supported through the ODBC driver (use the ODBC wizard to generate the connection string).
  • A new dashboard allowing displaying statistics in charts.
  • A new server report to display a printable version of the dashboard.
  • Protection of RAS sessions on a RRAS server or on a hardware router with RADIUS authentication on a NPS server.
  • Extended filter/sort and group capabilities.
  • Generation of reports can easily be scheduled without writing command lines. Reports can also be automatically sent to an E-mail recipient.

Improved

  • The UserLock console no longer requires administrative rights.
  • The UserLock console displays now a message when the user is not allowed to administrate UserLock.
  • The license protection system was enabled again. Current customers can install and use this version if they have an up to date maintenance.
  • The user load routine when the UserLock service starts and more than 10000 users are in the session database.
  • The SysLocator was translated in French.
  • Web console keeps user settings (filter, view mode, lines per page ...).
  • French version is available.
  • SysLocator has been updated to a new version (you need to upgrade the IIS virtual folder with the Web configuration tool).
  • Brand-new tabbed interface (Web & Windows).
  • UserLock Reporter is directly integrated into the console.
  • UserLock Logon Cleaner is directly integrated in the console.
  • UserLock Scheduler is directly integrated into the console.
  • The Active Directory tree can be displayed for the Agent Distribution view and the Session view by computers.
  • UserLock reports now use a new report engine and a new report design.
  • For a comprehensive list of all new features please read the following document: What's New in UserLock 5

Fixed

  • A slash (/) or a colon (:) in a user display name was generating an exception in the UserLock console.
  • The error management while uninstalling an agent was not displaying an intelligible message in case of error (Unexpected error while executing the command).
  • A bug in the AD tree if a domain contained several OUs with the same short name.
  • The context menu on tabs was not working.
  • The Windows Vista/2008 agent was launching the 32 bits UserInit.exe executable on 64 bits machines.
  • Some column names in the raw data of the Session statistics report were in French.
  • In some cases the agent distribution computer list was empty and an error event was generated in the server application log (source UL2000) with "Invalid parameter detected" in the description.
  • It is possible again to add local groups and local users in the UserLock permissions.
  • An access violation exception (Event id 700) in the UserLock service when a user was removed from the AD but a session was still registered in UserLock for him.
  • After changing the connection string in the server properties the create table button did not work if you did not apply the new settings before (Error: "Failed to create the table! [Microsoft][ODBC Driver Manager] Function sequence error").
  • A problem disallowing the agent to start on Windows 7.
  • Resetting RAS sessions is now possible.
  • Hyperlink allowing displaying the session history on a user is restored in the web console.
  • AD tree is correctly displayed in the Windows console if more than one domain are in the protected network zone.
  • AD tree is now kept after refreshing the agent distribution view in the Web console.
  • Database reports can use again wildcard in the following field filters: user name, computer name, client name, client address.
  • Various corrections of interface texts.

UserLock 4.0 Released: June 18th, 2007

Added

  • Windows Server 2008 compatibility.
  • Ability to monitor logon denied by Windows (invalid password). These events can be displayed to users in the welcome message. Audit logon events policy needs to be enabled for failure events for all protected computers (doable through group policies).
  • The new license system was integrated. Current customers with an up to date maintenance can already ask for their UserLock 4 license key
  • Ability to print the pages User sessions and Agent distribution from the web console.
  • Ability to define working hours for protected users.
  • Ability to define maximum session time for protected users.
  • Ability to define maximum group limits.
  • The administrator will have the possibility to enable an option allowing users to remotely close their previous session as they logon to another computer.
  • Ability to define access rights to the UserLock administration console.
  • Ability to breakdown the computer name syntax into a readable format in order to locate computers (building/room).
  • Ability to customize the console’s User sessions view.
  • The web console can display the user session and agent distribution result in paged mode.
  • Multi selection in the User sessions view of the MMC console.
  • Ability to customize the agent distribution view.
  • The user display name is now displayed in the user sessions view of the console and in reports instead of the user account name.
  • Terminal session connection/disconnection tracking.
  • Ability to enable a public Web interface (SysLocator) allowing users to locate free computers.
  • Ability to automatically generate reports at regular intervals.
  • Two new reports (printable version of what you see in the console) Agent Distribution and User sessions In order to avoid any misunderstanding the old “User sessions report” was renamed into “Session history”.
  • Ability to display reports from the Web console.
  • The UserLock agent will send its status at each computer startup.
  • The agent will notify to the server any computer crashes to fix the session database.
  • The UserLock agent will regularly try to send unnotified logon events to the server.
  • Support of Windows Vista.
  • This version will display a warning message to users saying that this beta version should only be installed on a test environment. If you want to install this beta version on your production environment please enroll to the UserLock 4 beta program by sending a mail to support@isdecisions.com This beta version will expire end July.

Improved

  • Ability to use a localization mask with a naming convention that identifies building with letters (A,B,C,...). New wildcards to be used in the mask are: * = Building, % = Room, ? = Machine. Localization masks using the previous system will still work.
  • UserLock service dependency to the workstation service.
  • The help file was updated. The online version is available here.
  • Button sizes in the web console.
  • Some internal improvements in the UserLock service.
  • All executables including the installation package are now signed.
  • During a migration from UserLock 3 if the group UserLock Admins exists, UserLock administration rights are automatically added for this group.

Fixed

  • Some issues with Windows Vista and Windows Server 2008.
  • Service wasn't stopping properly in case of a server shutdown/reboot.
  • If a maximum session time was set immediately after the installation of UserLock all already opened user sessions could be logged off in some specific cases.
  • A potential deadlock in the UserLock service.
  • When trying to uninstall the agent from a computer without the agent installed a wrong error message was displayed.
  • The previous session logoff dialog was not fully translated in English.
  • A memory leak in the backup server.
  • A session with a local account was sending connect/disconnect notification to the UserLock server leading to an error event.
  • In some cases the web interface was unable to display reports.
  • The welcome message wasn't displayed after the logoff of a previous session.
  • If the logon rate was too high, the transaction log (ulagent.log) was not regularly cleaned.
  • If a protected account was based on a universal group, UserLock wasn't including members of other domains in the list of concerned users.
  • If a UserLock admin had only the right to administrate sessions he was unable to display reports because he was not allowed to retrieve the database connection string.
  • Internal exceptions when the user session list was empty.
  • Crash of the session statistics report when the database was empty.
  • The ascending/descending order radio buttons were not working correctly in the session statistics report.
  • Some temporary files were not cleaned while generating report in a batch or in a scheduled task.
  • When disconnecting a locked terminal session the UserLock service was sometimes thinking that the session was still active.
  • The permissions tab and the user sessions by computer view were not grayed on backup servers.
  • A bug was making crash the MMC console in some cases while refreshing the view.
  • A bug in hours management when a session needed to be closed at 12:00 AM.
  • A handle leak while sending E-mail notifications.
  • Two memory leaks in the UserLock service.
  • Removed: The beta warning.
  • A bug in the web console while displaying sessions by user.
  • A bug leading to users with empty names.
  • A bug while deploying the agent on Windows Vista computers.
  • Important! Existing customers with an up to date maintenance need to ask for their new UserLock 4 license key before installing this new version on their network.

UserLock 3.5 Released: September 21st, 2005

Added

  • Support of the beta version of the new Windows Vista agent that can be downloaded from the following link: https://cdn.isdecisions.com/download/ULAgentVista.msi
  • You need to install manually the msi file on each Windows Vista machine to protect. You will get more information about the setup in the following document: https://cdn.isdecisions.com/download/ULAgentVista.pdf
  • Abitity to reboot computers through the MMC administration console (Already available in the web console).
  • Support of x64 workstations and terminal servers.
  • The UserLock server can be installed on x64 servers in the following modes: Primary server, backup server and relay server. The standalone terminal server mode is currently not supported.
  • Information: The x64 version of the agent is numbered 3.0.7.37 (instead of 3.0.7.35 for the x86 version).
  • New! A web interface in order to administrate UserLock through a web browser. The web interface is similar to the MMC based administration console.
  • New features only available in the web interfaceAbility to Logoff/Lock/reset several sessions at a time.
  • Ability to reboot workstations.
  • Ability to only display users with an active session.
  • Features not available in the web interface (only available in the MMC console)
  • Reports cannot be displayed.
  • The database wizard cannot be used to configure the database connection string.
  • You cannot browse for computers or user accounts.
  • You cannot start the Logon cleaner.
  • If IIS is not installed while installing UserLock you can configure the web interface later by starting the UserLock Web admin configuration tool from the start menu.

Improved

  • User accounts are now sorted by name in the web interface.
  • The user sessions report show up faster.
  • When a computer is removed from the domain with a session registered in UserLock the session is now automatically removed.
  • Important! For existing customers, the upgrade procedure was updated in the FAQ. Please take a look.

Fixed

  • The UserLock server no longer tries to deploy the GINA agent on Windows Vista computers. "OS not supported" is returned.
  • In some cases a communication problem was leading to display invalid characters.
  • In some rare cases the database insertion thread was crashing while connecting to the database.
  • The protected zone was not configured correctly for domains with a NetBIOS name different than the hostname. Symptoms: Just the server itself was displayed in agent distribution.
  • The web interface configuration tool was changing the authentication mode on the root folder of the IIS site instead of doing it directly on the UserLock virtual folder.
  • A UserLock service installed on a Windows 2003 SP1 server was unable to deploy the agent on 64 bits computers.
  • A problem while sending E-mail notifications to some specific SMTP servers.
  • The UserLock service was hanging in some cases (Error 0x0000079 in the console).
  • A few bugs in reports.
  • A bug in the LogonCleaner.
  • A bug in the communication between the web console and the UserLock server. The user sessions list or the agent distribution list were incomplete in some cases.
  • A bug in the policy.
  • In some rare cases if an internal exception occured in the UserLock service users were unable to logon (a service restart was needed to fix the problem).
  • A few bugs in the web console.
  • UserLock was not working correctly on domains with an '@' character in the NetBIOS name.
  • Citrix presentation server 4.0 register now its GINA in a different way and this was leading after an upgrade of both products to the unability to open ICA sessions (the logon hang).
  • The database insertion thread was crashing in some case disallowing any new insertions.
  • UserLock 3.5 beta 2 was unable to logoff/lock users with the administration console.
  • Database connection string changes through the web interface were not applied immediately.
  • The 404 web page was not correctly registered in the IIS virtual folder.

UserLock 3.0 Released: March 15th, 2004

Added

  • Ability to display a welcome message to the user with information about the last logon. You can configure this in protected accounts. You need to deploy the new agent for the feature.
  • In the User sessions report. The ability to filter computers with wildcards (*,?). For example to only display the report for room (example ROOM10*).
  • The User sessions report can display the computer occupation percent during the report period and you can also specify the total number of computers for the calculation.
  • Ability to only display user sessions outside working hours in the User sessions report.
  • Ability to group logons by user, domain, computer, client name or client address in the User sessions report.
  • The Logon Cleaner allowing you to regularly delete old logons in the UserLock database to save disk space. You can schedule the logon cleaning.
  • Ability to specify a computer name (instead of selecting the computer in the browser) in client restrictions.
  • Abiliy to import automatically at the first service start-up settings of a previously installed copy of Userlock 2.x (except deployment settings).
  • Error events for helping to understand problems during synchronization, notifications, database insertions.
  • Ability to protect terminal sessions. RDP sessions (Microsoft) and ICA sessions (Citrix).
  • Ability to protect standalone Terminal servers in a worgroup (using local accounts).
  • Backup servers (one for each primary server).
  • Ability to protect several domains with one primary server.
  • Ability to protect only 1 organizational unit in a AD domain.
  • Ability to log lock/unlock events on workstations.
  • Ability to insert logon/logoff/lock/unlock events in a ODBC database.
  • Two printable reports "User Sessions report", "User sessions statistics".
  • Regular check on all workstations for unknown sessions.
  • Ability to logoff users in the UserLock console.

Improved

  • If the service is unable to retrieve the computer lists from the network zone an error event is inserted only if the problem occurs during more than 30 min (e.g. DC unavailable).
  • Error handling while sending E-mail notifications.
  • If the global catalog is too big the configuration wizard list only OUs in the local domain.
  • AD tree is displayed faster in the Configuration wizard.
  • The service loads the computer list faster from organizational units.
  • During an administrative logoff or lock if the session was not found the session is removed from the database.
  • Auto reconnection to the database after a connection failure.
  • The deployer can detect IP conflicts to avoid the generation of events 3034:MRxSmb or 4:Kerberos (KRB_AP_ERR_MODIFIED). To enable this you need to create the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\CheckIpConflict = REG_DWORD:1 When done restart the UserLock service. The status of all faulty computers will display "Invalid address".
  • The export button for reports is available directly in the viewer.
  • Final version of the help file.
  • Access denied directly at the connection to the service if the user is not allowed to administrate UserLock.

Fixed

  • A memory leak in the service when the network zone was an Organization Unit.
  • If the UserLock service was installed on a Windows server 2003 the console launched reports on the default database with a wrong connection string.
  • In the User sessions report the total computer time was wrong in some cases.
  • Wild card characters were not working when using the User sessions report on a MS Access database.
  • The configuration wizard was unable to display organizational units on domain with a NetBIOS name different from the DNS name.
  • When the remote registry service was not running on workstations the agent status was false (Upgrading (Waiting for reboot)) and the deployer did not report any error while installing the agent.
  • Reports were printing the result on two US letter pages instead of one. If you still have the problem please contact us at suport@isdecisions.com.
  • A bug in the database insertion. An invalid character was added at the end of strings for some databases.
  • The uninstall link was not checking if agents were still deployed.
  • A bug while trying to send a test E-Mail or while specifying a new database connection string in the console (Unable to read data & Permanent error).
  • The deployer was unable to update the agent on computers with a third party GINA installed.
  • After registering the backup server client workstations were configured only after the next service start.
  • After a workstation reboot the UserLock server was not able to detect lost sessions on this workstation.
  • Client restrictions were not applied on terminal sessions during a session reconnection.
  • A communication problem between the console and the server occuring only in rare cases (Symptom: incomplete computer and session list).
  • Crash of the USerLock service if not enough swap file was available on the server.
  • For workstations with a NetBIOS name with more than 15 characters the logoff was sometimes locking up the workstation.
  • In evaluation mode the lock/unlock activity was not inserted in the database.
  • The export in CSV was not working in reports.
  • A bug that was leading in some cases to a service hang.
  • A bug in the logon policy.
  • When locking terminal sessions from the console the session was closed instead of disconnected.
  • When a logon was denied for a terminal session a logoff was generated immediately after.
  • Information: This version is compliant with the agent of all versions greater or equal than 2.4. However if a UserLock 2.xx agent is deployed you should upgrade the agent as soon as possible to get all new features working.

UserLock 2.6 Released: December 13th, 2002

Improved

  • Deleted account are automatically removed from the user sesssions report (when the service starts).
  • Accounts with a last logon time older than 1 month are automatically removed form the user sesssions report (when the service starts).
  • Use 10 times less CPU.
  • The agent doesn't display an error message during the logoff when the workstation is unplugged (for laptops).
  • Ability to display variables (%sessions%) in denied messages.
  • If a user has exceeded the number of allowed sessions UserLock check that he's really logged on all computers before giving a negative answer. This feature require to upgrade to the new agent.
  • The deployment thread ping all computers before trying to connect to them in order to avoid long timeouts. If needed the ping can be disabled with the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\NoPing = 1 (DWORD).
  • The multiselection is now allowed when adding restricted/allowed workstations (Windows 2000).

Fixed

  • A bug leading to a periodic service crash in some cases.
  • The logons can be ordered according the logon/logoff time in the console.
  • Displayed columns can now be customized in the console.
  • Bug in the policy settings.
  • Bug in the notifications. The already logged on computers were not displayed since the 2.6 version.