UserLock Documentation
UserLock Documentation

Version History

UserLock 11.0 Released: April 7th, 2021

What's new?

Added

  • UserLock SSO and MFA for Microsoft 365 and Cloud Applications.
  • Access Management for Microsoft 365 and Cloud Applications.
  • MFA for Microsoft IIS applications.
  • MFA recovery codes.
  • Enforce MFA for logins from any machine without a network connection.
  • The "Force MFA" option has been added in the "Logons without network connections" parameter: if this option is chosen, logons without network connections will be refused for users who have not connected with MFA and with network connection on the affected machine.
  • Alternatives methods for MFA.
  • HOTP for machines without network connection (YubiKey, Token2 ALU).
  • MFA now supports Token2 ALU (HOTP).
  • Using VPN with RADIUS Challenge for MFA.
  • UserLock Anywhere: A new on premise web application for UserLock’s agent/service communication. This allows the Desktop Agent to communicate with the server through the Internet via an IIS application. This will allow UserLock restrictions to continue to be enforced in the event the remote connection through VPN pipes fails.
  • The "Event timeline" report has been created.
  • The advanced setting "IpConsideredInside" has been created to list the IP addresses to be considered as inside the network (considered as private addresses). IPv4 ranges in 'ip/bits' format such as '192.168.1.0/24' are supported. This setting has a higher priority than the 'IpConsideredOutside' setting.
  • The "AdminActions" and "AdminActionResults" tables have been added to the UserLock database.
  • Portuguese translations for messages displayed to end users on Portuguese operating systems.

Added in 11.0.1

  • Disconnect and lock user sessions over the Internet. This new feature is based on UserLock AnyWhere (a web application for UserLock’s agent/service communication) and can be activated by configuring the new advanced setting "SessionsWithoutNetworkLogoffAgentInternet". This allows logon hours or time quotas to be respected; even if a computer is not connected to the corporate network.
  • The ability to configure the wait time of the user process during logon via the WinLogon registry value "UserLockLogonTimeout" (number of seconds, 60 by default).
  • UserInit registry values are now checked every minute.

Improved

  • Don't try to contact a server named "userlock" if server address is deployed (in WinLogon or GPO).

Fixed in 11.0.1

  • Form-based authentication does not work with the UserLock HTTP module agent.
  • The text displayed when the MFA fallback feature is disabled indicates that the configuration of a second method is required.
  • The installation may be blocked if the Visual Studio C ++ 2010 Redistributable is not found.

Fixed

  • Token2 configuration has been changed to continue to allow FIDO2 with HOTP.
  • When MFA is configured at every logon, a connection to a workstation suppresses the MFA prompt for the next connection to a server and vice versa.
  • In the configuration of protected accounts, the "Geolocation Restrictions" section is located between the "Hour restrictions" and "Time quotas" sections instead of being after "Time quotas".
  • In some cases, MFA is not requested when unlocking or reconnecting.
  • The MFA skip end date is not synchronized between Primary and Backup UserLock servers.
  • The IpConsideredOutside advanced setting is reset after restarting the UserLock service.

UserLock 10.2 Released: June 4th, 2020

What's new?

Added

  • Offline MFA for users not connected to the network. This new "Connections from offline machines" setting is available in the "General" section of the "Server Properties". You can choose "Always allow connections", "Ask for MFA" or "Always deny connections". This replaces the advanced setting "DenyInteractiveConnectionsIfUserLockInaccessible".
  • MFA now supports VPN sessions on an RRAS server authenticated by an NPS server (version 10.2 or higher of the NPS UserLock agent is required).
  • The advanced setting "IpConsideredOutside" has been created to list the IP addresses to be considered as outside the network (considered as proxy addresses). This can be useful for requesting the MFA for RDP sessions through a gateway, in which case you will need to add the gateway's IP address to this list.
  • The computer command "Remote Assistance" has been added in the 'Quick access panel' of the Agent Distribution view. To be able to use it, the "Remote Assistance" feature must be activated on the computer on which the console is installed (by default, this feature is activated on workstations and deactivated on servers) and "Offer remote Assistance" must be configured in domain policy and allowed in firewalls.
  • The UserLockSendGateway registry setting in the Desktop Agent. If activated, the address of the RDP gateway will be considered instead of the address of the client.

Improved

  • The settings in the "General" section of the "Agent distribution" properties are now also available in the "Agent distribution" section of the "Server properties".
  • The settings in the "Agent configuration" section of the "Agent distribution" properties are now also available in the "Advanced" section of the "Server properties" ("Consider screen saver time as locked time" is also in the "General" section of "Server properties").

Fixed in 10.2.1

  • The program used for administrative session logoff hangs when Citrix sessions are logged off.
  • Some messages are in English when UserLock is installed in French on an English Windows server.
  • An error occurs in the "Protected accounts" view if there is at least one temporary protected account and a click is made on the filter icon in the "Account status" column.

Fixed

  • The MFA dashboard does not work with an OLEDB read-only connection string of the default database.

UserLock 10.1 Released: March 25th, 2020

What's new?

Added

  • Geolocation restrictions.
  • MFA for YubiKey (HOTP programmable token).
  • Ability to apply MFA For all RDP connections or only those originating from outside of the network.
  • UserLock restrictions (including MFA) now also apply to interactive unlocking or reconnection events. If you prefer not to protect these events, configure the new advanced setting "ApplyRestrictionsOnUnlock" to False.
  • Native TLS 1.2 support for the UserLock database (insertion, reports) and e-mails (the SMTP server must support TLS 1.2).
  • The advanced setting "DenyInteractiveConnectionsIfUserLockInaccessible" has been created. If this option is activated and an interactive logon, unlocking or reconnection event is attempted on a computer on which the Desktop UserLock agent is installed, the connection will be refused.
  • Forms authentication is now managed for IIS sessions (new option available in the HTTP module, disabled by default).

Improved

  • MFA cache now uses the client IP address instead of the target name. This concerns the two following MFA modes only: "Every X days" and "After X days...". This is more secure and more intuitive for administrators with many remote desktop sessions (prompted once if they initiate their sessions from the same workstation).
  • MFA data is now kept if the UserLock service restarts.
  • "VPN" and "Wi-Fi" have been separated in the "User sessions" view and in the "Session history" and "Wi-Fi / VPN history" reports.

Fixed

  • The "DisableGhostSessionCheckingOnAgent" agent configuration setting is not available in "UserLock.adm".
  • For interactive connections only: When UserLock is inaccessible, an incorrect event type is written to "UlAgent.log" and then transmitted to the UserLock server, causing confusion in reports
  • Interactive logons denied by Active Directory for local user accounts are sent to the UserLock server, which rejects them, and then written to "ULAgent.log".
  • Session events with local accounts are not treated live by UserLock.
  • The edit box where to enter the MFA code is not displayed correctly in dialog boxes (QR code, YubiKey, MFA code) on computers where the size of text, apps and other items is not configured to 100% (which is generally the case by default on laptops).
  • When activating MFA for a protected account for every logon, MFA is not always requested.
  • The Active Directory "Description" field of the client computer accounts of the UserLock sessions is not correctly registered in the configuration files.
  • When the lock is deactivated and the screen saver is password protected, exiting the screen saver does not ask for a password, which makes the setting "Consider screen saver time as locked time the time of day" unreliable.
  • Wi-Fi sessions may not be displayed correctly in the "View by machines" mode of the "User sessions" view.
  • If MFA is enabled for at least one group and disabled for at least one other group, the effective value of MFA for a user who is a member of these groups is not correct.
  • If a VPN session is reconnected quickly after being disconnected, this session no longer appears in the "User sessions" view.
  • When a restriction applies after MFA configuration, no error message is displayed.

UserLock 10.0 Released: September 24th, 2019

What's new?

Added

  • Multi-factor authentication.

Improved

  • The server properties view is now accessible in the UserLock server tree.
  • Texts displayed after agent installations and uninstallations via the console have been improved.

Fixed

  • For errors with the 1000 EventID containing more than 100 characters, the last 100 characters are displayed instead of the first 100 characters.
  • The NPS UserLock agent log file reports incorrect errors after the NPS server has restarted, no sessions were in progress before this restart, and a new logon occurs.
  • The "Windows Version" field displayed in the diagnostic tool is not reliable for Windows Server 2012 R2, Windows 8.1 and later operating systems.
  • If group restrictions are configured as follows: "Unlimited", UserLock calculates the number of sessions in the group.
  • In the "Working hours by week" report, the week selector does not select the first week of the year.
  • Misleading title when entering the UserLock service impersonation account in the configuration wizard.
  • An exception occurs when you install the Web console on a site where there is only one https binding defined.
  • Some fields are bold in advanced settings even if they have the default value.
  • In report configuration, an empty SQL server name in the database settings causes an exception.
  • In case MySQL ODBC drivers are not installed, it is possible to choose MySQL.
  • VPN sessions that are linked to the NPS agent have a bad client name when the name of this client contains the "-" character.
  • If, for a Wi-Fi disconnection, the database field "Param5" (session time) is very large, then the generation of "Wi-Fi / VPN" reports fails and displays an error for an Access or MySQL database.
  • In the Wi-Fi / VPN history report, the Client address and Client name columns have incorrect names in English.
  • A warning is constantly inserted in the logs if Windows XP, Windows Server 2003 R2, or Windows Server 2003 computers are in the protected zone.
  • The "Web admin configuration" tool does not automatically install the dependent features.
  • The "Web admin configuration" tool does not automatically install the required "Static Content" feature.
  • When updating the list of computers in the UserLock protected network zone, if the new list is empty, an incorrect message is written to the logs.
  • When updating the list of computers in the UserLock protected network zone, if the new list contains far fewer computers, no error is written to the logs.
  • When computers are no longer in the network zone, they can reappear if they are in the check queue.

UserLock 9.8 Released: November 15th, 2018

What's new?

Added

  • New report "Unauthorized working hours".
  • In both UserLock consoles, the "How To Fix" column in the agent distribution data grid. This field contains "HTF00X" if the case of referenced error, otherwise it is empty.
  • In UserLockAPI, the "HowToFix" property in the "MachineStatus" class. This field contains "HTF00X" in case of referenced error, otherwise it is empty.

Improved

  • Added a progress bar for generating Working Hours reports and the Concurrent session history report.
  • For the "Working hours history" report, added an option "None" to the filter "Group by".

Fixed in 9.8.2

  • The UlTerm tool automatically disconnects if no command requiring UserLock permissions has been executed and no command has been sent within 30 seconds since the last command execution.
  • All tools using UlProto (UlTerm, CheckBeforeUninstall...) do not work in Windows 10 Build 1803 and higher, or in Windows Server 2019 and higher.
  • With some Wi-Fi access points, in RADIUS Accounting events, the Calling-Station-Id RADIUS field contains the value of the Framed-Ip-Address field, which is incorrect, and the NPS UserLock agent does not correct this.
  • The client IP address of a VPN session can be displayed as a MAC address.
  • Wi-Fi sessions are reset prematurely with certain Wi-Fi access points and controllers.
  • Session history and User status history cannot be displayed in the web console for a user in a different domain than the UserLock server.
  • For logons denied by UserLock or Active Directory, invalid values can be written to the EventType field of the UserLogonEvents table in the database.
  • The reports displayed in the "User Sessions" view do not use the read-only connection string if the server uses the default database.
  • If, for a Wi-Fi disconnection, the database field "Param5" (session time) is very large, then the generation of "Wi-Fi / VPN" reports fails and displays an error for an SQL database.
  • Wi-Fi session events may be missing if Accounting session ID is as follows "5c3fba6d/28:3a:4d:26:40:df/3248".
  • In the "Agent Distribution" view, for Windows computers, a SSH error for Mac is displayed instead of the HTF003 error.
  • When a machine outside the network zone contacts the UserLock server, the names of the primary and backup UserLock servers are automatically deployed.
  • If a computer outside the UserLock protected zone contains a Desktop Agent and sends a session event to the UserLock server, the session is saved under User sessions and the computer is added in Agent Distribution until the next update of the Agent Distribution.
  • A UserLock server that is no longer active is considered as conflicting.
  • After a zone conflict, the warning does not disappear once the correct UserLock server name has been deployed.
  • An error message is displayed when you click on the filter button in the "Account" column in the "Protected accounts" view.
  • If the NPS or RRAS agent is deployed on Windows Server 2008 64-bit or Windows Server 2003 64-bit, the agent registry key permissions are not set as expected, which prevents the agent from running and displays its status as "Not installed".
  • Text displayed after the NPS agent is deployed through the console lacks information.
  • If you configure either a 'Maximum session length' or a 'Maximum locked time', you will see the wrong restriction in the 'Effective restrictions' view.
  • When updating the usernames daily, if the display name is correct, it is replaced by the SAM account name if an error occurs while obtaining the display names.
  • In the "Wi-Fi / VPN history" report, the "User account" checkbox is checked by default.
  • The "Concurrent session history" report does not work when the chosen session type is only "Wi-Fi / VPN".

Fixed in 9.8.1

  • In some cases, scheduled reports fail if the "Run with highest privileges" option is not enabled.
  • If an exception occurs while logging off a session remotely from the UserLock dialog box, the exception is displayed to the end user even if the "Do not display errors to the user" setting is enabled.
  • UserLockPowerShell read-only cmdlets are denied for connections with read-only permissions.
  • Error information regarding the Mac Agent installation is not correct when the machine can not be contacted.
  • Regional settings are not applied in the "User Sessions" and "Agent Distribution" views of the Desktop Console.
  • The Vista Desktop Agent does not correctly manage registered programs containing arguments or whose name contain quotation marks.
  • The "DcToContactForServerMember" advanced server setting is not retained after restarting the UserLock service.
  • When "Show Auto Filter Row" is enabled in the "Agent Distribution" view of the Desktop Console, an exception is displayed.
  • The "Invalid user" filter is offered in the "All denied logon" report.
  • Non-standard words in the notification when a user status has changed to "High risk", due to a logon denied by Active Directory or UserLock.
  • In the "Reason(s)" filter of the "User status history" report, "Microsoft" is displayed instead of "Active Directory".
  • The "Working hours history" and "Unauthorized working hours" reports indicate an invalid end date.
  • Unable to install Mac Agent with UserLock consoles, UserLockPowerShell, or UserLockAPI.

Fixed in 9.8

  • If the Automatic mode is turned off, and the option to exclude servers from deployment scope is unchecked, then turning on the Automatic mode keeping disabled this option will automatically enable it.
  • Wrong "How to fix" article displayed if the service impersonation account is a local account.
  • Emails sent with Implicit SSL in scheduled tasks are not encoded in UTF8.
  • The SMTP settings of the UserLock service do not support Implicit SSL.
  • The UserLock service does not start if an exception occurs while loading the transaction file.
  • An exception occurs when launching Working Hours reports on an SQL server database via ODBC.
  • It is possible to launch all Working Hours reports without specifying a session type.
  • The Working Hours by week and by month report configuration section allows users to hide combo boxes.
  • The transaction log is not closed until the UserLock service is marked as stopped.
  • An exception during service initialization does not appear in the "ServiceLog.txt" file.
  • Some UserLock service logs are not written to the "ServiceLog.txt" file.
  • In workstation restrictions, if IP From is greater than IP To, a connection with the From or To IP address will not be taken into account for the restriction.
  • Logs for closing, locking, and popup administrative actions do not include the user name of the target session, and are not written to the service log file.
  • Incorrect display of effective restrictions if the display name of the related protected accounts contains "A%252C".

UserLock 9.7 Released: July 24th, 2018

What's new?

Added

  • New "Working hours" reports: "Working hours history", "Working hours by Week" and "Working hours by Month".
  • Allow up to 4GB x64 and 3GB x86 memory for the UserLock service (instead of 2GB previously).

Added in Post Release version:

  • New advanced setting "DisableGhostSessionCheckingOnAgent". The default value is False. If set to True, this disables the automatic ghost session reset performed by the Desktop Agent and the UserLock service. It can be adapted in some installations where Citrix agents are installed which can interfere with Windows APIs.

Improved

  • Performance of the UserLock service.
  • For the NPS Agent, added two options to auto reset the previous session, if a new session has the same data (user name, device, Wi-Fi Access Point).
  • 7 days after updating the status of a machine, added a new test to refresh this status.
  • Added the 903 event ID for sessions reset when a computer is no longer in the network zone protected by UserLock (the associated Active Directory account may have been deleted or the UserLock protected network zone may have been modified).

Fixed in Post Release

  • In the "User sessions" view of Desktop and Web consoles, the "Only sessions on unavailable computers" predefined filter does not work.
  • The report "Session count evolution" shows only the first two dates in the abscissa bar.
  • In the web console, if you click on the link of the filters displayed in the dashboard, the result is not filtered.
  • In the "Working hours history" report, the filters show "AM" and "PM".
  • Running hours reports with dates not included in the dates in the database displays an error.
  • The English version of the report "Working hours by month" shows some table captions in French.
  • The exception "The columns don't currently have unique values." may occur when generating the 3 reports "Working hours".
  • The Working Hours By Week and By Month reports do not maintain the column chooser configuration.

Fixed

  • The message displayed after installing the NPS or RRAS Agent does not prompt to stop, then start the NPS and RRAS services.
  • For a computer that is no longer in Active Directory but listed in the MACHINES view of the Web console, a 500 error is displayed when you click the name of the computer.
  • Time zone shift is not recorded for session events written in offline logs.
  • Cirilic characters are not managed in e-mail notifications.

UserLock 9.6 Released: October 17th, 2017

What's new?

Added

  • Shutdown and Restart operations are now available for Mac computers.
  • Fully compatible with Windows Server 2016.
  • Session events can be notified to a webhook. By configuring the Webhook URL in UserLock (HTTPS and HTTP are supported), JSON notifications containing session events will be notified to this webhook.

Added in 9.6.2:

  • The UserLock Desktop Agent is compatible with Windows 10 Build 1803.
  • Notifications (e-mail and popup) to inform the UserLock administrator that the number of concurrent sessions is close to the maximum allowed by the UserLock license (customizable percentage via advanced setting PercentageLicenceNotifications (F7)).
  • Added the "DcToContactForServerMember" advanced setting specifying the DC name to contact first.

Improved

  • Send Webhook notifications from the UserLock backup server only if the primary server is unavailable.
  • The "Agent Distribution" data is now updated by a multi-threaded mechanism. By doing this, for environments with many protected computers, the data will be updated much faster.
  • New "AddUserDataInUserSessionsIfEffRestReq" advanced setting to automatically add user account data in the "User sessions" view if effective restrictions are explicitly asked for that user (through UserLockPowerShell or UserLockAPI).

Improved in 9.6.2:

  • After the evaluation expires, there is no pop-up window anymore for each logon.

Improved in post release:

  • In agents, increase the ping timeout and add a double ping.
    Note: This improvement created the temporary bug "The GINA Desktop agent (used for Windows XP and Server 2003) no longer works." (from 9.6.2.25 to 9.6.2.33, from 9.7.0.215 to 9.7.0.216, from 9.8.0.60 to 9.8.0.101).

Fixed in Post Release

  • Possible crash of the UserLock service when an asynchronous action is requested whilst another one has just ended.
  • There is a memory leak in the UserLock service whenever the Agent Distribution view is displayed.
  • Logon events are processed very slowly.
  • Administrative actions initiated by the UserLock service do not work on XP and Server 2003 target operating systems.
  • The GINA UserLock Desktop agent (used for Windows XP and Server 2003) no longer works.

Fixed in 9.6.2

  • Since Windows 10 has been updated to Build 1803, users can not log on to the computers on which the UserLock Desktop Agent is installed.
  • The calculation of the effective restriction of the "Allow only one unlocked interactive session" feature is not logical.
  • Resetting multiple sessions is handled by one thread instead of several.
  • When the audit is in Debug mode, the 'Conflicting UserLock installation data has just been reset.' is written to the event log each time UserLock reiterates to check the list of protected machines, even if no conflict has been detected.
  • In the web console, when viewing a specific user's graph, the number of sessions for a specific day is not correct if a session ends after midnight that day.
  • No e-mail is sent if the current number of concurrent sessions is close to the maximum.
    Note that these emails will only be sent if the following UserLock settings are configured:
  • Initial access points are not correctly counted for Macs.
  • The default permissions granted when adding an account in the Security section include write permissions.
  • The client address displayed for interactive logons denied by Active Directory is 127.0.0.1.
  • In rare cases, a logon is denied to a user even if no existing session is displayed in the notification.
  • Canceling the printing of the "agent distribution" view generates an error.
  • Updating the UserLock server version is generating an admin action event with a wrong content as sending a wrong alert.
  • The database connection string in the Console displays the SQL password in clear when set with SQL authentication.
  • The not counted computers registry setting is not integrated in the configuration file.
  • In the Debug audit mode, there is no audit trace of deactivation and activation of the task manager in the Agent Desktop audit file.
    Included in the 9.6.1.1 MSI package of the UserLock Desktop Agent.
  • The OWA 2010 logout is not submitted to UserLock with the HTTP module.
  • In Logoff notifications, the Action field is "Not available".

Fixed in 9.6.1

  • Manual installation of the Mac UserLock Agent results in permission changes.
  • Not all message variables are resolved in some notifications.
  • In the Advanced Settings dialog box, there is no description for some properties.
  • The automatic mode configuration is not retained after an upgrade if the console is open during the upgrade.
  • Logons denied by UserLock directly notified to the backup server (when the primary server is unavailable) are not properly inserted into the primary server database (when it is available again and after synchronization).
  • In some cases, popup notifications do not work on Vista / Server 2008 and later OS.
  • It is not possible to ignore IIS sessions generated by Exchange healthmailbox accounts when there are several Exchange servers in the domain.
  • In the server properties, it is possible to set the service impersonation account with an account that is not allowed to log on as a service, without an error being displayed.
  • It is possible to set the service impersonation account with an account that is denied and allowed (and therefore denied) to log on as a service without an error being displayed.
  • In the Configuration Wizard, setting the service impersonation account with an account that is not allowed to log on as a service displays an inappropriate error.
  • Opening and closing server properties (without modification) generates incorrect e-mail notifications.
  • The console freezes when a change to a server property other than the database settings is applied and the database is unavailable.
  • Verifying the existence of the UserStatus table generates a request to create this table.

Fixed in 9.6

  • Enabling the DeployFQDN advanced setting makes the detection of a conflicting installation of UserLock unsuccessful.
  • Manually deploying the FQDN of the right UserLock server on a workstation generates the conflicting installation message.
  • Once a conflicting installation is detected, the warning is displayed until the service is restarted.
  • In the Webhook notifications configuration, changes to the HTTP and HTTPS combo box values do not allow you to apply changes. And the Webhook notification settings are not disabled on the backup server.
  • Error renaming a scheduled task.
  • The UserLock scheduler does not work well on Windows Server 2016 and Windows 10 when the default domain administrator account is not used.
  • In the UserLock Scheduler, the last run time information is not correctly updated.
  • It is not possible to turn on the automatic distribution mode of the agent if the base account of the UserLock service is set to LocalSystem.

UserLock 9.5 Released: June 6th, 2017

What’s new?

Added

  • Automatic upgrade of the Mac Agent for Mac machines (if the Automatic Mode is enabled).
  • Added the "Description" field of computer accounts from Active Directory to UserLock Console and variables. To enable this new feature, an upgrade to the Desktop Agent is required.
  • Installing (and uninstalling) the Mac Agent from the UserLock Console (and UserLockPowerShell and UserLockAPI).
  • Automatic deployment (and undeployment) of the Mac Agent for Mac machines (if the Automatic Mode is enabled).
  • Automatic detection of Mac computers in the network zone protected by UserLock ("Agent Distribution" view).
  • Automatic detection of conflicting installations of the UserLock service.
  • Mac Agent to monitor Interactive sessions on Mac computers.
  • New IIS reports: "IIS history" and "IIS sessions statistics".
  • New denied logon reports: "All denied logon", "Logon denied by Active Directory", "Logon denied by UserLock", "Concurrent session restrictions", "Initial access point restrictions", "Machine restrictions", "Hours restrictions", "Time quota restrictions", "Group restrictions".
  • New report "Concurrent session history".

Improved

  • Changes to the "Concurrent session history" report.
  • Reorganized old report filters for the following reports: "Session history", "Session statistics", "Wi-Fi / VPN history", "Wi-Fi / VPN users statistics", "Wi-Fi / VPN statistics evolution".
  • All references to "Logon denied by Windows" have been replaced with "Logon denied by Active Directory".
  • Replaced "Logs" with "Database" in the server properties.
  • Documentation has been updated.
  • Removed the trial popup displayed for each logon.
  • Removed the beta version popup displayed for each logon.
  • Windows Server 2003 is no longer supported for the installation of UserLock (Windows Server 2003 is still compatible with the UserLock Desktop agent).

Fixed

  • Logons Denied by Active Directory are not correctly detected when certain Credential Providers are used. To enable this new feature, an upgrade to the Desktop Agent is required.

UserLock 9.01 Released: May 11th, 2017

Fixed

  • When upgrading from 8.5.0.0, if a server name starts with a number, the agent distribution displays an error.
  • The 'Maximum session time' and the 'Maximum locked time' values are inverted in the 'Effective restrictions' view.
  • Under certain conditions, the UserLockAppPool process consumes 100% CPU.
  • In some specific situations, the UserLock service may crash if the "CheckIpConflict" advanced parameter is enabled.
  • In the web console, in "Agent Distribution", filtering on the "installed" agent status doesn't work.
  • Logon Denied by Active Directory are not correctly detected when specific Credential Providers are used.
  • SharePoint 2010 sessions are not handled by the UserLock IIS agent.
  • Logons denied by Active Directory are not handled if the session name contains spaces.
  • If a very large number of OUs is selected in the "Network zone" step of the Configuration Wizard, an error occurs.
  • In the hours restrictions, when two continuous time frames are defined, one before midnight, the other after midnight, a logout occurs at midnight.
  • If the user account corresponding to a temporary protected account is renamed in Active Directory, this change is not updated in the protected account data.
  • Session events performed with a local user account are not directly notified to the UserLock server.
  • The text used to set the workstation restriction mode refers to sessions on listed machines instead of sessions opened FROM listed machines.
  • Exporting reports to Excel with more than 65,000 rows results in an "Out of memory" exception.
  • In the "Database" section of the Server properties (formerly "Logs" section), the password is not saved if "SQL Server Authentication" is set.
  • Closing a session already logged off from the UserLock user dialog does not automatically remove it from the dialog box and the user can't log in without canceling and then trying to reconnect.
  • In the "Time Quotas" section of the properties of a protected account, when a time quota is set to "0:00", this change is not correctly applied (no problem with "00:00").
  • In the UserLock API, the "UserLockServer.GetProtectedAccount()" method is misleading.
  • In the mobile phone format of the Web console, displaying the User Details page results in a 500 error on each load.
  • In rare cases, when a session must be denied by UserLock due to another session, and that session is inaccessible, then the new session can be accepted due to a timeout.
  • The "Session history" report can be launched with the "Display active sessions at" option enabled with an empty date field.
  • Enabling the "Logoff disallowed sessions" server property does not allow you to change the "Session logoff order".
  • The "ServerAddress" and "TimeZoneShift" fields are missing in the Microsoft Access database file installed with the package.

UserLock 9.0 Released: June 20th, 2016

Added

  • Initial access point audit & restriction. Any session which is a new point of entry to the network will be considered as the initial access point for the user initiating the connection. UserLock has the ability to analyze sessions to determine if this is a new initial access point of the user or a nested/children session (connection performed from an existing session). The number of concurrent initial access points allowed can be restricted through Protected account for a user, a group or an organizational unit.
  • Ability to block all connections for a user. It is possible from the 'User sessions' view to block all logon attempts and close all existing sessions remotely.
  • A new option in the UserLock server properties allows you now to apply the time restrictions according to each client machine’s time instead of the UserLock server time.
  • A new view 'Effective restrictions' to easily check which restrictions are applied to a specific user. On previous version it was necessary to iterate over all protected groups to check if a user was a member or not, and what restrictions were applied.
  • The UserLock database connection builder now supports MySQL database system 5.6 and newer versions.

Improved

  • Switch the local .chm help to the online HTML help when launching the help from the console menu help/content.
  • User status can now detect, alert and display as ‘high risk’ behavior when a user has simultaneous connections from inside and outside the local network (private and public IP address), which is in many cases an abnormal situation.
  • User status can now detect, alert and display as a ‘risk’ situation, users opening a new session from an existing session with different credentials.
  • All kinds of sessions are now displayed in the session view by machine. Previously only interactive sessions were displayed.
  • History reports can now be filtered according to a machine organizational unit.
  • The ‘Session count evolution’ report can be displayed for all computers with a name matching a wildcard pattern.

Fixed

  • In some cases, the option 'Allow only one unlocked interactive session' doesn't properly lock the others open sessions.
  • The UserLock service may set a wrong logoff date for logoffs automatically added due to a computer crash.
  • The configuration wizard is crashing in Japanese.
  • When no protected accounts are defined, the Quick access panel is lost everytime the Protected accounts view is displayed.
  • An error occurs when trying to select the SQL server database name in the database wizard of the server properties.
  • The option closing automatically disallowed sessions is not effective when the user is blocked.
  • The option closing automatically disallowed sessions is not effective if the cause is a workstation restriction.
  • Scheduling a database cleaning job launches the report scheduling wizard.
  • For some hybrid computers the web interface switches to the tablet mode although it is not relevant.
  • For Wi-Fi sessions that were already authenticated, switching from allowed to forbidden time frames will not work until NPS restarts.
  • UserLock detects 127.0.0.1 as IP address of sessions without an available network connection and can't resolve its Initial Access Point.
  • The user effective restrictions view doesn't display the Hours restriction when 'The following time frames are" is set to 'Denied' and the list is empty.
  • Sometimes the mouse cursor switch to an hourglass cursor when navigating in the Quick access panel although no task is running and the console responds to actions.
  • The log file for the web console is not created.
  • Remote desktop is considered as Initial access point when IPv6 is displayed/captured.
  • Full session synchronization generates an access denied error when the backup server's impersonation account has not be used before at least once.
  • The UserLock Windows console displays an exception when Primary UserLock service is stopped.
  • There is no button to test the configuration of the section 'E-mail settings for scheduled reports' from the Console Options.
  • UserLock displays duplicate sessions when an unespected shutdown occurs for a machine with a locked session.
  • Effective time frames, client restrictions (computers, IP ranges and workstation OUs) and time quotas are not handled in the API if the name of the protected account contains comma characters.
  • It's not possible to launch a search using a full user name in the web console (first name + space + last name).
  • Passive SSL on port 465 is not supported in console SMTP settings.
  • Modifying time frames in the console automatically modifies the Logoff notification timeout setting.
  • The Syslocator is not able to inform the user whether a computer is free or not.
  • IPv6 addresses are not retrieved correctly.
  • Scheduled reports always send E-mails through the SMTP port 25 even if another port is configured.
  • New computer commands aren't available until a refresh action is performed in the console.
  • The User status history cannot be launched from the 'User Sessions' view.
  • In the Windows console, if the Logoff timeout value is set to 0, then it will be displayed as 'Not configured' the next time the Protected account will be edited.
  • It's not possible to send an E-mail to an MS Exchange 'Receive connector' allowing Windows authentication when the option 'Provide credentials' is selected in UserLock SMTP configuration.
  • Some characters are truncated in the fields of the 'E-mail settings for event notifications' section.
  • In some cases, the console displays an exception when launching the 'Database connection' wizard.
  • In the view 'Time consumed' the column name is missing in the menu 'Reset column' of the 'Quick access' panel.
  • Scrolling in the Quick access panel over the User sessions view by using the mouse wheel can cause some focus shifts.
  • The Quick access panel menus displayed on the Welcome page are not relevant.
  • There is a memory leak while processing lock/unlock events asynchronously.
  • The 'User sessions' report transforms empty instances of last logon and logoff dates to "0001-01-01 00:00:00".
  • Logon denied by Windows events aren’t synchronized between server’s databases.
  • The Hours restriction doesn't permit to authorize a session from 00:00 to 00:00 (the day after).
  • Wi-Fi connections are considered as outside connection.
  • The variable %sessions% is empty in denied VPN logon notifications.
  • The permission displayed in the Security section of the server properties doesn't reflect the automatisms performed by the UserLock service.
  • The Welcome view cannot be displayed if one of the servers added to the console is not reachable.
  • VPN logon denied by Windows may not be audited by UserLock.
  • IIS Logon denied by Windows from a workstation session triggers the notification of 'Same credentials in use' in this same session.
  • The Hours restriction section of the web console presents a text overlap on the Session types field of the time frames definition.
  • Impossible to cancel a protected account edition when some invalid settings are configured in the web console.
  • The web console allows to configure second values in time frames.
  • There is no verbose log for the console to see all commands sent to the server.
  • The client name for an IIS logon denied by Windows caused by a wrong password is not correct.
  • The agent status statistics may be wrong in some cases.
  • A VPN logon refused by UserLock generates an invalid logon denied by Windows.
  • When a VPN initial access point is detected, the service counts one initial access point too many
  • VPN logon denied by Windows are notified as workstation logon denied.
  • A console exception error is displayed when refreshing several times in a row the Consumed time view.
  • After an upgrade to UserLock 9, invalid passwords are reported with two different strings in French.
  • A misleading error message is displayed in the Agent distribution view when a computer doesn't answer to the ping.
  • In some cases, the configuration files cannot be saved after a synchronization performed on the Backup server.
  • The UserLock service may crash when manipulating temporary protected accounts or during the servers synchronization.
  • The SMTP password encryption for the console SMTP settings is not FIPS compliant.
  • A logon attempt with a locked account doesn't raise the risk status for the relevant user account.
  • When the Active Directory computer account name doesn't end with a '$', UserLock truncates the last character of the computer name.
  • Server properties cannot be modified when the option 'Send a notification at every modification in UserLock' is enabled.
  • Customizable messages composed by more than 2 lines cannot be modified.
  • If the RADIUS Accounting Session ID field is formatted like "3859F9AB5F06-AB:STRING", then it is no longer possible to display any session through the UserLock Console.
  • When a Client address is a MAC address formatted with the ‘:’ separator, and a Logon and Logoff occured using it, the UserLockAPI displays the MAC address with incorrect characters in 'Last workstation logged on' and 'Last workstation logged off' fields.
  • In some cases the 'Logoff previous session' dialog box may be minimized.

UserLock 8.5 Released: June 12th, 2015

Added

  • A new Protected account type is now available: the temporary Protected account. Unlike the classic and permanent Protected account, this temporary account is valid only for a period of time defined by start and end dates.
  • A new report ‘User status history’ shows a complete history of status changes for the risk indicator ‘User status’.
  • It is now possible to clone a selected Protected account from the ‘Quick Access Panel’ or the context menu of the ‘Protected accounts view’.
  • The database table of ‘UserStatus’ can now be viewed directly from the Windows Console.

Improved

  • When creating Protected accounts you can now copy the rules and restrictions set for any other existing protected account.
  • New filters in the ‘Protected accounts view’ allow you to show only active accounts, permanent accounts, or the different temporary accounts depending on their status.
  • UserLock PowerShell now includes the Management Cmdlets of temporary Protected Accounts.
  • No session is selected by default in the "Logoff existing session" dialog box.

Fixed

  • Outlook Web Access may generate numerous logon/logoff events in a short time interval in some cases.
  • IIS Session revocation is not supported by the UserLock ISAPI Filter agent type.

UserLock 8.02 Released: April 14th, 2015

Fixed

  • In some cases logons denied by Windows have an invalid client address.
  • Regression introduced in version 8.01 The IP address is showing ?.?.?.? for workstation sessions.

UserLock 8.01 Released: April 3rd, 2015

Fixed

  • On a UserLock server (except in Standalone Terminal Server mode), Wi-Fi / VPN and IIS logons with local accounts denied by Windows are notified to the UserLock service although UserLock doesn't manage such events.
  • The error event 100 "Opened session without SID" is inserted every time the User sessions view is displayed.
  • The UserLock Server service can run at a high CPU usage of 100 percent when some specific errors occurs.
  • On a Windows Server 2003 Domain Controller, the Desktop agent notifies all IIS logons denied by Windows for the IIS account "DomainName\IUSR_IisDcName" to the UserLock service.
  • Client restrictions are no longer applied during session reconnections if a restriction of concurrent sessions allowed is also defined.
  • When a terminal session reconnection is denied due to workstation restrictions only the first attempt is inserted in the database.
  • In some cases the Database connection type is not correctly detected by the Web console.
  • A user logon denied by Windows due to account restrictions is not displayed in the Session history report.
  • The Web console dashboard displays some errors when UserLock is configured to use a MySQL ODBC database.
  • The Windows console displays an error message when open on a server whose name starts with a number.
  • In some cases the logoff is not notified by the UserLock Agent Service to the UserLock server when a computer is powered off.
  • If no domain controller is available the NPS agent may not initialize correctly.

UserLock 8.0 Released: November 4th, 2014

Added

  • A new risk indicator “User Status” to better identify suspicious and inappropriate access behavior and potential threats to network security.
  • A real-time alert on possible credential-based-attacks to notify users when their own credentials are used (successfully or not).
  • UserLock administrators monitoring and alerts through a UserLock Windows Event Log to verify the trust given to UserLock administrators.
  • A new rule to restrict in real time users to a single active session. Opening a new session has the immediate effect of locking the previous session if open.
  • All restrictions for each protected account have a "Not configured" status based on the GPO model, improving the granularity of restriction priority.
  • Wake on Lan feature to wake up any computer which has the technology requirements.
  • A full session synchronization between the Backup Server and the Primary Server is now possible on demand.
  • A new diagnostic tool is now available when hitting the "F12" key.
  • A new ID field and a Time index have been added to the UserLogonEvents table to improve database performance.
  • The console warns UserLock operators about the license and maintenance expiration.
  • A new command in the Help menu allows operators to check for UserLock updates.
  • A version checking process is now automatically performed between the UserLock console and the server to warn UserLock operators about version compatibility.
  • The User Sessions view by machine is now available on the Backup Server (without AD path/tree options). Note that the "Only sessions on unavailable computers" filter can't be used on this mode.
  • New optimized statistic commands have been created in UserLock API to provide Statistics on the Web Console dashboard.
  • Effective restrictions can be displayed for a user through UserLock PowerShell cmdlet "Get-UserLockProtectedAccountEffective".

Improved

  • A full redesign of the UserLock Web Interface to facilitate the administration of UserLock from any device (mobile, tablet or computer).
  • Further granularity when setting permission rights for privilege users. Access to the different features offers now two privileges: "Read" and "Write".
  • New session information are available: Session logon time, last activity time, and Client IP address for all session types; Client Name for interactive & Wi-Fi/VPN sessions.
  • Reports can now be filtered by any Active Directory group or Organizational Unit.
  • UserLock can now close an IIS session (forced logoff) from the UserLock console, PowerShell or API.
  • Sessions activity logs are now sent asynchronously to the server after an network issue.
  • The Reports Time section offers new relative time criteria to facilitate report generation & schedule.
  • Protected Account notification allows more criteria for pop-up and E-mail alerts.
  • Logons denied by Windows are now detected for Terminal, Wi-Fi/VPN and IIS sessions.
  • Logons denied by UserLock are now displaying the restriction reason.
  • UserLock Popup notifications are now displayed over Windows Metro Start screen and applications.
  • When database connectivity errors occur during a database insertion, a specific queue conserves data until the insertion process is successfully performed.
  • On Windows 2012 or more the installation process of the UserLock Web console checks any missing requirements and offers to configure and install these necessary components or features.
  • The UserLock configuration files have been split and moved into 4 separated files.
  • The default MS Access database has been moved to the following path "C:\ProgramData\ISDecisions\UserLock\Database\UserLock.mdb".
  • The UserLock service is now logged as NETWORK SERVICE to use less privileges. When some actions required more privileges, the UserLock service will impersonate with the specified account.

Fixed

  • When a user has a read only access to the server Properties, the account defined in the Impersonation section is indicated as invalid even it is actually valid.
  • A Protected zone composed of many Organizational Units or domains is not displayed correctly in the server Properties.
  • On the session history report "Since the specified number of days" can be empty.
  • Quick filters applied from column heads of the User sessions view are lost after clicking on Refresh.
  • It is not possible to connect to a remote server with the Web admin console from Windows 2003.
  • Actions on Temporary Protected accounts do not work from the Windows console.
  • Web console - Actions performed by the same UserLock operator from two different browsers are not automatically notified to both browsers.
  • Web console - On tablet device, the server icon is moving when scrolling.
  • The Service impersonation section should not be displayed in Standalone Terminal Server mode.
  • Protected account settings are not saved in Standalone Terminal Server mode.
  • Web console - The search feature from the Filter panel is only performed on data from the main column of the view.
  • Well-know accounts are protected by UserLock.
  • Settings are applied again when clicking OK even if Apply has already been clicked previously.
  • It's impossible to click Apply or OK after having deleted a Time restriction or a Workstation restriction.
  • The Logon Notification message doesn't contain the reason why the logon is denied.
  • Agents communication pipes without any activity are not disconnected.
  • When applying a Security permission right as authorized for Read and denied for Write, it's registered as denied for both Read and Write.
  • The Windows Console crashes when an agent deployment action can't be cancelled.
  • Remote logoff sent to an unavailable machine to apply a rule limit is performed anyway when the machine comes back online even if this rule limit is no longer relevent at that time.
  • The IIS agent (ISAPI filter) is not compatible with the command line registration (REGSVR32).
  • The IIS agent (HttpModule) is not compatible with the command line registration (REGSVR32).
  • The Popup notification column from the Protected accounts view displays an incorrect status.
  • Permissions set on the IIS agent log file and the IIS agent Registry key are incorrect.
  • When the UserLock help file is opened in full screen mode, it's impossible to switch between the help file and the UserLock console.
  • The UserLock IIS agent may crash its Application Pool when several Application Pools are running with different identities.
  • It is not possible to save the result of a report executed in Raw data mode through the menu File/Save... of the Windows console.
  • It's not possible to apply changes after having modified Logon events selection of the feature "Warn users in real time of all connection events involving their credentials".
  • Restarting a computer without open session from the Machine view of the Web Console fails and displays an error.
  • The message displayed on the Notification sent for Logon denied by Userlock is not enough understandable.
  • Filter criteria from the Agent distribution view in the Web Console contain an unknown agent type.
  • Column contents overlap in the Session history view of the Web Console when using small screens.
  • Wi-Fi / VPN session names displayed in Protected Accounts Notifications are not as user friendly as those displayed in UserLock consoles.
  • Webconsole, machine view, reboot a workstation with a session doesn't work
  • It is not possible to schedule a SQL query
  • After an upgrade the reporter still tries to access the default database at the old location
  • The User status breakdown graph is taking a long time to be displayed in the Web Console Dashboard.
  • An invalid service impersonation account generates many events from the UserLock service still trying to use it.
  • The shutdown action is immediately initiated without warning previously users.
  • The User session view option "Display AD tree" remains enabled after disabling it and refreshing the view.
  • User statistics displayed on the Web Console Dashboard are inconsistent in some specific cases.
  • IIS logons denied by Windows on a Web application configured in Basic authentication mode generate a second attempt of insertion in the database.
  • Userlock Service cannot start when the Userlock.log log file contains only space characters.
  • Local account names are not listed in the User sessions view in display mode by computers.
  • The LogonInfo and Status fields are not synchronized between the Backup and the Primary server.
  • The User status section and the license section of the Backup server are editable.
  • In the Web Console, applying the filter "None" in the User sessions view generates an error.
  • In the Web Console, switching the number of lines displayed in the User sessions and Agent distribution view can cause an error message.
  • The Welcome message is not displaying the reason of a UserLock denied logon.