UserLock Documentation

Desktop agent manual installation

The UserLock 'Desktop' agent is designed to audit, control and protect workstations, servers and terminal servers. This agent audits all interactive session activity on these machines and protects them by applying a user access control policy defined through protected account rules.

The 'Desktop' agent must be installed on each machine. It communicates with the UserLock servers to control all requests to open interactive sessions.

The UserLock 'Desktop' agent can be installed through the UserLock console. You can also deploy it manually using one of the following procedures, depending on the target operating system. In all cases, the communication settings must be defined through specific registry values.

Install the agent manually

From Windows Vista / Windows Server 2008

The 'Desktop' agent is a Windows service defined to run as 'Local system'.

  1. Copy the Windows service file 'UlAgentExe.exe' from the UserLock installation folder of the Primary server (located by default in 'C:\Program Files[ (x86)]\ISDecisions\UserLock') to the system folder of the target machine.
  2. Register the Windows service with the following command line (run as administrator):

    ULAgentExe.exe /SERVICE S
  3. Start the UserLock agent service using the 'Windows Services console' or the following command line (run as administrator):

    net start UlAgentService
  4. Add the name of the UserLock server in the machine registry.

No machine restart is required.

For Windows XP/2003/2003R2 machines

The 'Desktop' agent is a GINA DLL (Graphical Identification and Authentication Dynamic-Link Library).

  1. Copy the file named 'UlAgent.dll' from the UserLock installation folder of the Primary server (located by default in 'C:\Program Files[ (x86)]\ISDecisions\UserLock') to the 'System32' directory of the target machines.
  2. Set the value 'GinaDLL' under the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' to the path of 'UlAgent.dll' (by default 'C:\Windows\System32\UlAgent.dll').
    Administrative rights are required to set this value.
  3. Add the name of the UserLock server in the machine registry.
  4. Restart the machine to enable the 'Desktop' agent.

For Citrix terminal servers

Citrix MetaFrame uses its own GINA DLL. On these servers you should specify the UserLock 'Desktop' agent name 'UlAgent.dll' in the registry value 'ctxGinaDll' (and not in the value 'GinaDll' as described previously). This allows the Citrix GINA to call the UserLock GINA so that the two are chained correctly.

Then you must add the name of the UserLock server in the machine registry.

Once done, the machine needs to be restarted.

For machines with another GINA already installed

In this case the 'GinaDll' registry value already exists in the 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' key.

  1. Rename the existing value 'GinaDll' to 'OldGinaDll'.
  2. Create a new value named 'GinaDll' and define it with the path of the 'UlAgent.dll'.

    With this configuration the UserLock GINA is responsible for calling the second GINA, and the two GINAs will normally be chained correctly.

    If the other GINA needs to be loaded first, you should leave the previous 'GinaDll' value and read the documentation for the relevant product to establish how this GINA can be chained with the UserLock GINA. In most cases, you will need to specify 'UlAgent.dll' in another registry value (like the 'ctxGinaDll' value of Citrix terminal servers).

  3. Add the name of the UserLock server in the machine registry.
  4. Once done, the machine needs to be restarted.

Please note:

Since 5.51, the GINA chaining registry value 'OldGinaDll' has been renamed to 'UlOrigGinaDll' to avoid a conflict with 'Avatier Password Station' software, which was using the same value name as UserLock. Upgraded agents will still use the value 'OldGinaDll' for compatibility with old installations.

Update the machine registry

Additionally the UserLock 'Desktop' communication settings need to be configured on all machines, whatever operating systems or technologies are involved:

  1. Open the registry on the machine.
  2. Browse to the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
  3. Create the following values:

    - 'UserLockServer' (REG_SZ) containing the name of the UserLock Primary server.
    - 'UserLockServerBackup' (REG_SZ) containing the name of the UserLock Backup server.

Please note:

Without these registry values, agents cannot locate the UserLock servers.
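
The following PowerShell is an added example, not part of the UserLock documentation: it writes the two communication values described above and then reads back the agent state (service status, server values, GINA chaining values) so that a deployment can be verified. The function names and the server names 'ULSRV01' / 'ULSRV02' are hypothetical; it assumes an elevated PowerShell 3.0+ session on the target machine.

```powershell
# Added example. Function names and the server names at the bottom are hypothetical.
# Run in an elevated PowerShell 3.0+ session on the target machine.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-UserLockAgentServer {
    param(
        [Parameter(Mandatory = $true)] [string] $Primary,
        [string] $Backup
    )
    # -Force creates the REG_SZ value or overwrites an existing one.
    New-ItemProperty -Path $WinlogonKey -Name 'UserLockServer' `
        -PropertyType String -Value $Primary -Force | Out-Null
    if ($Backup) {
        New-ItemProperty -Path $WinlogonKey -Name 'UserLockServerBackup' `
            -PropertyType String -Value $Backup -Force | Out-Null
    }
}

function Get-UserLockAgentState {
    $v   = Get-ItemProperty -Path $WinlogonKey
    $svc = Get-Service -Name 'UlAgentService' -ErrorAction SilentlyContinue
    $problems = @()
    if (-not $v.UserLockServer) { $problems += "'UserLockServer' is missing or empty" }
    # Service-based agent (Vista / Server 2008 and later): it must be running.
    # GINA-based agent (XP/2003): 'GinaDll' or 'ctxGinaDll' must reference UlAgent.dll.
    $ginaRefs = @($v.GinaDll, $v.ctxGinaDll) | Where-Object { $_ -like '*UlAgent.dll' }
    if ($svc) {
        if ($svc.Status -ne 'Running') { $problems += "UlAgentService is $($svc.Status)" }
    } elseif (-not $ginaRefs) {
        $problems += 'no agent service and no GINA value referencing UlAgent.dll'
    }
    [pscustomobject]@{
        ServiceStatus        = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        UserLockServer       = $v.UserLockServer
        UserLockServerBackup = $v.UserLockServerBackup
        GinaDll              = $v.GinaDll
        CtxGinaDll           = $v.ctxGinaDll
        ChainedGina          = @($v.UlOrigGinaDll, $v.OldGinaDll) | Where-Object { $_ }
        Problems             = $problems
    }
}

Set-UserLockAgentServer -Primary 'ULSRV01' -Backup 'ULSRV02'   # constructed names
Get-UserLockAgentState | Format-List
```

Because the 'GinaDll' value determines which DLL handles logon on Windows XP/2003, comparing the reported GINA values against the expected 'UlAgent.dll' path is also a quick way to spot an unexpected change to the logon chain.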

Uninstall the desktop agent

You can also uninstall the 'Desktop agent' manually.

On recent Windows versions (Vista / Server 2008 and later)

Unregister the agent with the following command lines (run as administrator):

    NET STOP UlAgentService
    C:\Windows\SysWOW64\ULAgentExe.exe /SERVICE U
    C:\Windows\SysWOW64\ULAgentExe.exe /UNREGISTER

Once done, the agent will be completely uninstalled.

On Windows XP and Server 2003

Unregister the agent with the following command line (run as administrator):

regsvr32 /u C:\Windows\System32\ULAgent.dll

Once done the agent will be disabled but still loaded. To unload the agent, restart the computer.

To completely clean agent data (common to all Windows OS)

Run "RegEdit", browse the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" registry key, then delete:

  • All registry values beginning with "UserLock".
  • The "UserLock" subkey (i.e. the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserLock" registry key).