UserLock Documentation

General

The 'General' section allows you to define rules regarding the number of concurrent sessions that a user who is a member of this 'protected account' can open on the network. The maximum number of sessions can be defined for every type of session that UserLock can monitor and control. Rules are applied on machines in the 'Protected zone' that have the required UserLock agent installed.

A 'protected account' is identified by its name, which corresponds to the Active Directory account selected when creating it: a user account, a group account or an organizational unit of users.

Number of initial access points allowed

Initial access point: 'Not configured' by default.

UserLock considers as initial access points any session which is a new point of entry in the network. If a user opens a session on their workstation, it will be considered as a new initial access point. From this session, if they open a terminal session, this session will be considered as a child session and not as an initial access point. On the other hand, if the same user opens another session from another machine, it will be considered as a new initial access point as this new session won't depend on an existing parent session.

You can limit the number of initial access points to ensure that a user will have only a certain number of points of entry in the network. For example, limiting the number of initial access points to one will ensure that the user won't be able to open a session from a second location. If you don't limit the number of concurrent sessions allowed (see next section), the user will be able to open as many sessions as they want, but only if they are children/nested sessions of the same initial access point.

Number of concurrent sessions allowed

A specific use case is available here to give you a step-by-step guide on how to limit simultaneous sessions by users.

  • Workstation sessions: 'Not configured' by default.
    You can define a maximum number of simultaneous workstations which a user can log on to by switching the option from its corresponding drop-down list to 'Limited to' and entering the desired value. Specifying '0' as the value will mean that a user member of this protected account is not authorized to open this type of session.
    To not limit the number of concurrent workstation sessions for a 'protected account', set the option to 'Unlimited'.
    When the option is set to 'Not configured', a user member of this 'protected account' will not have any limit defined except if they are also a member of another 'protected account' for which the limit has been set to a value different to 'Not configured'.
  • Terminal sessions: 'Not configured' by default.
    You can define a maximum number of terminal servers a user can simultaneously log on to by switching the option from its corresponding drop-down list to 'Limited to' and entering the desired value. Specifying '0' as the value will mean that a user member of this protected account is not authorized to open this type of session.
    To not limit the number of concurrent terminal server sessions for a 'protected account', set the option to 'Unlimited'.
    When the option is set to 'Not configured', a user member of this 'protected account' will not have any limit defined except if they are also a member of another 'protected account' for which the limit has been set to a value different to 'Not configured'.
  • Total interactive sessions: 'Not configured' by default.
    'Interactive sessions' groups workstation and terminal sessions. The total of open interactive sessions corresponds to the sum of open workstation sessions plus terminal sessions. This limit can be defined in addition to the workstation and terminal session limits.
    You can define a maximum total of simultaneous interactive sessions a user can log on to by switching the option from its corresponding drop-down list to 'Limited to' and entering the desired value. Specifying '0' as the value will mean that a user member of this protected account is not authorized to open either a workstation or terminal session.
    To not limit the maximum number of concurrent interactive sessions for a 'protected account', set the option to 'Unlimited'.
    When the option is set to 'Not configured', a user member of this 'protected account' will not have any limit defined except if they are also a member of another 'protected account' for which the limit has been set to a value different to 'Not configured'.

    Example: Limiting interactive sessions to a maximum of 3 will mean that a user member of this 'protected account':
    - can open 1 workstation session and 2 terminal sessions,
    - or can open 2 workstation sessions and 1 terminal session,
    - but can't open any new workstation or terminal session when the total of open interactive sessions is already equal to 3.
  • Wi-Fi/VPN sessions: 'Not configured' by default.
    You can define a maximum number of simultaneous Wi-Fi/VPN sessions a user can log on to by switching the option from its corresponding drop-down list to 'Limited to' and entering the desired value. Specifying '0' as the value will mean that a user member of this protected account is not authorized to open this type of session.
    To not limit the number of concurrent Wi-Fi/VPN sessions for a 'protected account', set the option to 'Unlimited'.
    When the option is set to 'Not configured', a user member of this 'protected account' will not have any limit defined except if they are also a member of another 'protected account' for which the limit has been set to a value different to 'Not configured'.
  • IIS sessions: 'Not configured' by default.
    You can define a maximum number of simultaneous IIS sessions a user can log on to by switching the option from its corresponding drop-down list to 'Limited to' and entering the desired value. Specifying '0' as the value will mean that a user member of this protected account is not authorized to open this type of session.
    To not limit the number of concurrent IIS sessions for a 'protected account', set the option to 'Unlimited'.
    When the option is set to 'Not configured', a user member of this 'protected account' will not have any limit defined except if they are also a member of another 'protected account' for which the limit has been set to a value different to 'Not configured'.

The limit of concurrent sessions allowed can be used in association with the limit of initial access points to define how many and which types of session a user can open from the same initial access point.
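The following added example is a simplified model of how the initial access point limit and the concurrent session limits combine; it is not UserLock code. The names (`Policy`, `Session`, `check_logon`) are hypothetical, each session is given an explicit parent, and 'Not configured' is treated as no limit, as for a user who belongs to this protected account only.

```python
from dataclasses import dataclass, field
from typing import Optional

INTERACTIVE = {"workstation", "terminal"}   # types summed by 'Total interactive sessions'

@dataclass
class Session:
    kind: str                               # 'workstation', 'terminal', 'wifi_vpn' or 'iis'
    parent: Optional["Session"] = None      # None => this session is an initial access point

@dataclass
class Policy:
    # None models 'Unlimited' (and 'Not configured' for a single protected account);
    # an integer models 'Limited to N', where 0 forbids that session type entirely.
    initial_access_points: Optional[int] = None
    per_type: dict = field(default_factory=dict)
    total_interactive: Optional[int] = None

def check_logon(policy, open_sessions, kind, parent=None):
    """Decide whether one more session of `kind` may be opened. Returns (allowed, reason)."""
    def exceeded(limit, current):
        return limit is not None and current + 1 > limit

    if parent is None:                      # new point of entry, not a child session
        entries = sum(1 for s in open_sessions if s.parent is None)
        if exceeded(policy.initial_access_points, entries):
            return False, "initial access point limit"
    same_type = sum(1 for s in open_sessions if s.kind == kind)
    if exceeded(policy.per_type.get(kind), same_type):
        return False, f"{kind} limit"
    if kind in INTERACTIVE:
        interactive = sum(1 for s in open_sessions if s.kind in INTERACTIVE)
        if exceeded(policy.total_interactive, interactive):
            return False, "total interactive limit"
    return True, "allowed"

def demo():
    """Constructed scenario: one initial access point, at most 3 interactive sessions."""
    policy = Policy(initial_access_points=1, total_interactive=3)
    opened, results = [], []
    def attempt(kind, parent=None):
        ok, reason = check_logon(policy, opened, kind, parent)
        results.append((kind, ok, reason))
        if ok:
            opened.append(Session(kind, parent))
            return opened[-1]
    pc1 = attempt("workstation")            # first point of entry
    for _ in range(3):
        attempt("terminal", parent=pc1)     # children of pc1; the third hits the total
    attempt("workstation")                  # second location, no parent session
    return results
```

In `demo()` the fourth interactive session is refused by the total interactive limit, and the logon from a second machine is refused by the initial access point limit even though no workstation limit is set.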

Advanced custom session limits

Clicking on the 'Edit' button will open the 'Advanced custom session limits' wizard, allowing you to define the same limits but mixing session types. It works on the same model as individual limits (see the previous section, entitled 'Number of concurrent sessions allowed'); the difference this time is that you can select which types of session are taken into account when calculating the total of authorized open sessions for a user member of this 'protected account'.

The 'Number of advanced limits defined' displays the number of advanced rules already existing for this 'protected account'. If there are any, they will be displayed in the wizard list.

The 'Advanced custom session limits' can be used in association with the limit of initial access points to define how many and which types of session a user can open from the same initial access point.

Additional options

  • Allow to logoff an existing session if the number of allowed sessions has already been reached: 'Not configured' by default.
    This option allows a user to log off remotely open sessions from the machine where they are trying to open a new interactive session (workstation or terminal session) and for which they are denied as they have already reached the defined limit. Instead of physically returning to their previous machine just to initiate a logoff, they can launch the logoff remotely by selecting the target session and clicking on 'Logoff'. The number of open sessions will be decreased and they will be able to open a new one.
    Please note that this remote logoff is forced, meaning that any unsaved files will be lost.

    The name displayed for each blocking session depends on the value of the "SessionWithDescription" advanced setting:
    SessionWithDescription | False (default value) | True
    No RDP | <target computer name> | <target computer name> (<Description AD field of the target computer>)
    RDP | <target computer name>/<client computer name> | <target computer name>/<client computer name> (<Description AD field of the target computer>)
  • Allow only one unlocked interactive session: 'Not configured' by default.
    When enabled, a user will always have only one active interactive session open on the network at a time. Any others will be automatically locked/disconnected by UserLock. Opening a new session or unlocking/reconnecting an existing session will lock every other session already open.
    Please note that this feature only supports interactive sessions, i.e. workstation and terminal sessions.
  • Display the welcome message: 'Not configured' by default.
    Enable the 'Welcome message' pop-up at user logon to display information about previous connection events involving their credentials. This message can be personalized through the 'Message' view.
  • Warn users in real time of all connection events involving their credentials: 'Not configured' by default.
    When enabled, users will receive a pop-up notification warning them every time their credentials are used on the network. You can select which events will trigger the warning notification for every session type that UserLock can monitor. This message can be personalized through the 'Message' view.

Please note: A user can be a member of several permanent and/or temporary protected accounts (user, group or organizational unit). UserLock determines which rules to apply based on certain priorities. These priorities are described in the section named 'Priority management'.