UserLock Documentation
UserLock Documentation
You are here: Reference > Agents > Desktop agent > Group Policy deployment

Group policy deployment

The UserLock 'Desktop' agent is designed to audit, control and protect workstations, servers and terminal servers. This agent audits all interactive sessions activity on these machines and protects them by applying a user access control policy defined through protected account rules.

This 'Desktop' agent has to be installed on the machines and communicates with UserLock servers to control all open requests for interactive sessions.

The UserLock 'Desktop' agent can be installed manually or automatically deployed through the UserLock console. However you can deploy the 'Desktop' agent through a third-party deployment solution or using Microsoft Group Policies. We provide MSI packages of the 'Desktop' agent for this purpose.

It is possible to also deploy agent settings and communication parameters through Microsoft Group Policies using a 'Group Policy Administrative Template' that we provide (compatible with Desktop Agents installed through the console, automatically, through MSI, manually...).

In the UserLock installation folder (by default 'c:\Program files[ (x86)]\ISDecisions\UserLock'), you will find this 'Group Policy Administrative template' named 'UserLock.adm'. Install the template in the 'Group policy' you want to use to deploy 'Desktop' agent settings and communication parameters.

Once the template has been added, you can go to 'Administrative templates' and display 'UserLock agent configuration' (use 'Classic administrative templates' in Windows Server 2008 and higher). You can then see the same agent settings as in the UserLock console and, additionally, communication settings allowing you to set the UserLock 'Primary server' name and the UserLock 'Backup server' name.

A setting configured through the group policy will override any value of the same setting already configured through the UserLock console and deployed by the service.

Double-click on the required setting to edit its properties.

On the affected computers, these Group Policy settings will be deployed to the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ISDecisions\UserLock\Agent" registry key:

Please note that by default the UserLock desktop agent will consult the registry values registered in the "Winlogon" key. Sometimes, during certain Windows updates, the "Winlogon" key is reinitialized by Microsoft, consequently certain values of UserLock in the "Winlogon" key disappear.
The only workaround to correct this problem is to uninstall and reinstall the UserLock agent on machines (use automatic mode for faster results).
To prevent this problem, a GPO containing UserLock registry values can be deployed on machines in an alternative registry key (see example above). Please note also that the desktop agent will first read the registry values stored in the alternative key used by the GPO and then read those stored in the Winlogon key.