- New report "Unauthorized working hours".
- In both UserLock consoles, the "How To Fix" column in the agent distribution data grid. This field contains "HTF00X" if the case of referenced error, otherwise it is empty.
- In UserLockAPI, the "HowToFix" property in the "MachineStatus" class. This field contains "HTF00X" in case of referenced error, otherwise it is empty.
- Added a progress bar for generating Working Hours reports and the Concurrent session history report.
- For the "Working hours history" report, added an option "None" to the filter "Group by".
Fixed in 9.8.1
- In some cases, scheduled reports fail if the "Run with highest privileges" option is not enabled.
- If an exception occurs while logging off a session remotely from the UserLock dialog box, the exception is displayed to the end user even if the "Do not display errors to the user" setting is enabled.
- UserLockPowerShell read-only cmdlets are denied for connections with read-only permissions.
- Error information regarding the Mac Agent installation is not correct when the machine can not be contacted.
- Regional settings are not applied in the "User Sessions" and "Agent Distribution" views of the Desktop Console.
- The Vista Desktop Agent does not correctly manage registered programs containing arguments or whose name contain quotation marks.
- The "DcToContactForServerMember" advanced server setting is not retained after restarting the UserLock service.
- When "Show Auto Filter Row" is enabled in the "Agent Distribution" view of the Desktop Console, an exception is displayed.
- The "Invalid user" filter is offered in the "All denied logon" report.
- Non-standard words in the notification when a user status has changed to "High risk", due to a logon denied by Active Directory or UserLock.
- In the "Reason(s)" filter of the "User status history" report, "Microsoft" is displayed instead of "Active Directory".
- The "Working hours history" and "Unauthorized working hours" reports indicate an invalid end date.
- Unable to install Mac Agent with UserLock consoles, UserLockPowerShell, or UserLockAPI.
Fixed in 9.8
- If the Automatic mode is turned off, and the option to exclude servers from deployment scope is unchecked, then turning on the Automatic mode keeping disabled this option will automatically enable it.
- Wrong "How to fix" article displayed if the service impersonation account is a local account.
- Emails sent with Implicit SSL in scheduled tasks are not encoded in UTF8.
- The SMTP settings of the UserLock service do not support Implicit SSL.
- The UserLock service does not start if an exception occurs while loading the transaction file.
- An exception occurs when launching Working Hours reports on an SQL server database via ODBC.
- It is possible to launch all Working Hours reports without specifying a session type.
- The Working Hours by week and by month report configuration section allows users to hide combo boxes.
- The transaction log is not closed until the UserLock service is marked as stopped.
- An exception during service initialization does not appear in the "ServiceLog.txt" file.
- Some UserLock service logs are not written to the "ServiceLog.txt" file.
- In workstation restrictions, if IP From is greater than IP To, a connection with the From or To IP address will not be taken into account for the restriction.
- Logs for closing, locking, and popup administrative actions do not include the user name of the target session, and are not written to the service log file.
- Incorrect display of effective restrictions if the display name of the related protected accounts contains "A%252C".
- New "Working hours" reports: "Working hours history", "Working hours by Week" and "Working hours by Month".
- Allow up to 4GB x64 and 3GB x86 memory for the UserLock service (instead of 2GB previously).
Added in Post Release version:
- New advanced setting "DisableGhostSessionCheckingOnAgent". The default value is False. If set to True, this disables the automatic ghost session reset performed by the Desktop Agent and the UserLock service. It can be adapted in some installations where Citrix agents are installed which can interfere with Windows APIs.
- Performance of the UserLock service.
- For the NPS Agent, added two options to auto reset the previous session, if a new session has the same data (user name, device, Wi-Fi Access Point).
- 7 days after updating the status of a machine, added a new test to refresh this status.
- Added the 903 event ID for sessions reset when a computer is no longer in the network zone protected by UserLock (the associated Active Directory account may have been deleted or the UserLock protected network zone may have been modified).
Fixed in Post Release
- In the "User sessions" view of Desktop and Web consoles, the "Only sessions on unavailable computers" predefined filter does not work.
- The report "Session count evolution" shows only the first two dates in the abscissa bar.
- In the web console, if you click on the link of the filters displayed in the dashboard, the result is not filtered.
- In the "Working hours history" report, the filters show "AM" and "PM".
- Running hours reports with dates not included in the dates in the database displays an error.
- The English version of the report "Working hours by month" shows some table captions in French.
- The exception "The columns don't currently have unique values." may occur when generating the 3 reports "Working hours".
- The Working Hours By Week and By Month reports do not maintain the column chooser configuration.
- The message displayed after installing the NPS or RRAS Agent does not prompt to stop, then start the NPS and RRAS services.
- For a computer that is no longer in Active Directory but listed in the MACHINES view of the Web console, a 500 error is displayed when you click the name of the computer.
- Time zone shift is not recorded for session events written in offline logs.
- Cirilic characters are not managed in e-mail notifications.
- Shutdown and Restart operations are now available for Mac computers.
- Fully compatible with Windows Server 2016.
- Session events can be notified to a webhook. By configuring the Webhook URL in UserLock (HTTPS and HTTP are supported), JSON notifications containing session events will be notified to this webhook.
Added in 9.6.2:
- The UserLock Desktop Agent is compatible with Windows 10 Build 1803.
- Notifications (e-mail and popup) to inform the UserLock administrator that the number of concurrent sessions is close to the maximum allowed by the UserLock license (customizable percentage via advanced setting PercentageLicenceNotifications (F7)).
- Added the "DcToContactForServerMember" advanced setting specifying the DC name to contact first.
- Send Webhook notifications from the UserLock backup server only if the primary server is unavailable.
- The "Agent Distribution" data is now updated by a multi-threaded mechanism. By doing this, for environments with many protected computers, the data will be updated much faster.
- New "AddUserDataInUserSessionsIfEffRestReq" advanced setting to automatically add user account data in the "User sessions" view if effective restrictions are explicitly asked for that user (through UserLockPowerShell or UserLockAPI).
Improved in 9.6.2:
- After the evaluation expires, there is no pop-up window anymore for each logon.
Improved in post release:
- In agents, increase the ping timeout and add a double ping.
Note: This improvement created the temporary bug "The GINA Desktop agent (used for Windows XP and Server 2003) no longer works." (from 22.214.171.124 to 126.96.36.199, from 188.8.131.52 to 184.108.40.206, from 220.127.116.11 to 18.104.22.168).
Fixed in Post Release
- Possible crash of the UserLock service when an asynchronous action is requested whilst another one has just ended.
- There is a memory leak in the UserLock service whenever the Agent Distribution view is displayed.
- Logon events are processed very slowly.
- Administrative actions initiated by the UserLock service do not work on XP and Server 2003 target operating systems.
- The GINA UserLock Desktop agent (used for Windows XP and Server 2003) no longer works.
Fixed in 9.6.2
- Since Windows 10 has been updated to Build 1803, users can not log on to the computers on which the UserLock Desktop Agent is installed.
- The calculation of the effective restriction of the "Allow only one unlocked interactive session" feature is not logical.
- Resetting multiple sessions is handled by one thread instead of several.
- When the audit is in Debug mode, the 'Conflicting UserLock installation data has just been reset.' is written to the event log each time UserLock reiterates to check the list of protected machines, even if no conflict has been detected.
- In the web console, when viewing a specific user's graph, the number of sessions for a specific day is not correct if a session ends after midnight that day.
- No e-mail is sent if the current number of concurrent sessions is close to the maximum.
Note that these emails will only be sent if the following UserLock settings are configured:
- E-mail settings for event notifications: see https://www.isdecisions.com/products/userlock/help/console/server_administration/server_properties/e-mail-settings.htm.
- UserLock modification notifications: see https://www.isdecisions.com/products/userlock/help/console/server_administration/server_properties/permissions.htm.
- Initial access points are not correctly counted for Macs.
- The default permissions granted when adding an account in the Security section include write permissions.
- The client address displayed for interactive logons denied by Active Directory is 127.0.0.1.
- In rare cases, a logon is denied to a user even if no existing session is displayed in the notification.
- Canceling the printing of the "agent distribution" view generates an error.
- Updating the UserLock server version is generating an admin action event with a wrong content as sending a wrong alert.
- The database connection string in the Console displays the SQL password in clear when set with SQL authentication.
- The not counted computers registry setting is not integrated in the configuration file.
- In the Debug audit mode, there is no audit trace of deactivation and activation of the task manager in the Agent Desktop audit file.
Included in the 22.214.171.124 MSI package of the UserLock Desktop Agent.
- The OWA 2010 logout is not submitted to UserLock with the HTTP module.
- In Logoff notifications, the Action field is "Not available".
Fixed in 9.6.1
- Manual installation of the Mac UserLock Agent results in permission changes.
- Not all message variables are resolved in some notifications.
- In the Advanced Settings dialog box, there is no description for some properties.
- The automatic mode configuration is not retained after an upgrade if the console is open during the upgrade.
- Logons denied by UserLock directly notified to the backup server (when the primary server is unavailable) are not properly inserted into the primary server database (when it is available again and after synchronization).
- In some cases, popup notifications do not work on Vista / Server 2008 and later OS.
- It is not possible to ignore IIS sessions generated by Exchange healthmailbox accounts when there are several Exchange servers in the domain.
- In the server properties, it is possible to set the service impersonation account with an account that is not allowed to log on as a service, without an error being displayed.
- It is possible to set the service impersonation account with an account that is denied and allowed (and therefore denied) to log on as a service without an error being displayed.
- In the Configuration Wizard, setting the service impersonation account with an account that is not allowed to log on as a service displays an inappropriate error.
- Opening and closing server properties (without modification) generates incorrect e-mail notifications.
- The console freezes when a change to a server property other than the database settings is applied and the database is unavailable.
- Verifying the existence of the UserStatus table generates a request to create this table.
Fixed in 9.6
- Enabling the DeployFQDN advanced setting makes the detection of a conflicting installation of UserLock unsuccessful.
- Manually deploying the FQDN of the right UserLock server on a workstation generates the conflicting installation message.
- Once a conflicting installation is detected, the warning is displayed until the service is restarted.
- In the Webhook notifications configuration, changes to the HTTP and HTTPS combo box values do not allow you to apply changes. And the Webhook notification settings are not disabled on the backup server.
- Error renaming a scheduled task.
- The UserLock scheduler does not work well on Windows Server 2016 and Windows 10 when the default domain administrator account is not used.
- In the UserLock Scheduler, the last run time information is not correctly updated.
- It is not possible to turn on the automatic distribution mode of the agent if the base account of the UserLock service is set to LocalSystem.
- Automatic upgrade of the Mac Agent for Mac machines (if the Automatic Mode is enabled).
- Added the "Description" field of computer accounts from Active Directory to UserLock Console and variables. To enable this new feature, an upgrade to the Desktop Agent is required.
- Installing (and uninstalling) the Mac Agent from the UserLock Console (and UserLockPowerShell and UserLockAPI).
- Automatic deployment (and undeployment) of the Mac Agent for Mac machines (if the Automatic Mode is enabled).
- Automatic detection of Mac computers in the network zone protected by UserLock ("Agent Distribution" view).
- Automatic detection of conflicting installations of the UserLock service.
- Mac Agent to monitor Interactive sessions on Mac computers.
- New IIS reports: "IIS history" and "IIS sessions statistics".
- New denied logon reports: "All denied logon", "Logon denied by Active Directory", "Logon denied by UserLock", "Concurrent session restrictions", "Initial access point restrictions", "Machine restrictions", "Hours restrictions", "Time quota restrictions", "Group restrictions".
- New report "Concurrent session history".
- Changes to the "Concurrent session history" report.
- Reorganized old report filters for the following reports: "Session history", "Session statistics", "Wi-Fi / VPN history", "Wi-Fi / VPN users statistics", "Wi-Fi / VPN statistics evolution".
- All references to "Logon denied by Windows" have been replaced with "Logon denied by Active Directory".
- Replaced "Logs" with "Database" in the server properties.
- Documentation has been updated.
- Removed the trial popup displayed for each logon.
- Removed the beta version popup displayed for each logon.
- Windows Server 2003 is no longer supported for the installation of UserLock (Windows Server 2003 is still compatible with the UserLock Desktop agent).
- Logons Denied by Active Directory are not correctly detected when certain Credential Providers are used. To enable this new feature, an upgrade to the Desktop Agent is required.
- When upgrading from 126.96.36.199, if a server name starts with a number, the agent distribution displays an error.
- The 'Maximum session time' and the 'Maximum locked time' values are inverted in the 'Effective restrictions' view.
- Under certain conditions, the UserLockAppPool process consumes 100% CPU.
- In some specific situations, the UserLock service may crash if the "CheckIpConflict" advanced parameter is enabled.
- In the web console, in "Agent Distribution", filtering on the "installed" agent status doesn't work.
- Logon Denied by Active Directory are not correctly detected when specific Credential Providers are used.
- SharePoint 2010 sessions are not handled by the UserLock IIS agent.
- Logons denied by Active Directory are not handled if the session name contains spaces.
- If a very large number of OUs is selected in the "Network zone" step of the Configuration Wizard, an error occurs.
- In the hours restrictions, when two continuous time frames are defined, one before midnight, the other after midnight, a logout occurs at midnight.
- If the user account corresponding to a temporary protected account is renamed in Active Directory, this change is not updated in the protected account data.
- Session events performed with a local user account are not directly notified to the UserLock server.
- The text used to set the workstation restriction mode refers to sessions on listed machines instead of sessions opened FROM listed machines.
- Exporting reports to Excel with more than 65,000 rows results in an "Out of memory" exception.
- In the "Database" section of the Server properties (formerly "Logs" section), the password is not saved if "SQL Server Authentication" is set.
- Closing a session already logged off from the UserLock user dialog does not automatically remove it from the dialog box and the user can't log in without canceling and then trying to reconnect.
- In the "Time Quotas" section of the properties of a protected account, when a time quota is set to "0:00", this change is not correctly applied (no problem with "00:00").
- In the UserLock API, the "UserLockServer.GetProtectedAccount()" method is misleading.
- In the mobile phone format of the Web console, displaying the User Details page results in a 500 error on each load.
- In rare cases, when a session must be denied by UserLock due to another session, and that session is inaccessible, then the new session can be accepted due to a timeout.
- The "Session history" report can be launched with the "Display active sessions at" option enabled with an empty date field.
- Enabling the "Logoff disallowed sessions" server property does not allow you to change the "Session logoff order".
- The "ServerAddress" and "TimeZoneShift" fields are missing in the Microsoft Access database file installed with the package.
- Initial access point audit & restriction. Any session which is a new point of entry to the network will be considered as the initial access point for the user initiating the connection. UserLock has the ability to analyze sessions to determine if this is a new initial access point of the user or a nested/children session (connection performed from an existing session). The number of concurrent initial access points allowed can be restricted through Protected account for a user, a group or an organizational unit.
- Ability to block all connections for a user. It is possible from the 'User sessions' view to block all logon attempts and close all existing sessions remotely.
- A new option in the UserLock server properties allows you now to apply the time restrictions according to each client machine’s time instead of the UserLock server time.
- A new view 'Effective restrictions' to easily check which restrictions are applied to a specific user. On previous version it was necessary to iterate over all protected groups to check if a user was a member or not, and what restrictions were applied.
- The UserLock database connection builder now supports MySQL database system 5.6 and newer versions.
- Switch the local .chm help to the online HTML help when launching the help from the console menu help/content.
- User status can now detect, alert and display as ‘high risk’ behavior when a user has simultaneous connections from inside and outside the local network (private and public IP address), which is in many cases an abnormal situation.
- User status can now detect, alert and display as a ‘risk’ situation, users opening a new session from an existing session with different credentials.
- All kinds of sessions are now displayed in the session view by machine. Previously only interactive sessions were displayed.
- History reports can now be filtered according to a machine organizational unit.
- The ‘Session count evolution’ report can be displayed for all computers with a name matching a wildcard pattern.
- In some cases, the option 'Allow only one unlocked interactive session' doesn't properly lock the others open sessions.
- The UserLock service may set a wrong logoff date for logoffs automatically added due to a computer crash.
- The configuration wizard is crashing in Japanese.
- When no protected accounts are defined, the Quick access panel is lost everytime the Protected accounts view is displayed.
- An error occurs when trying to select the SQL server database name in the database wizard of the server properties.
- The option closing automatically disallowed sessions is not effective when the user is blocked.
- The option closing automatically disallowed sessions is not effective if the cause is a workstation restriction.
- Scheduling a database cleaning job launches the report scheduling wizard.
- For some hybrid computers the web interface switches to the tablet mode although it is not relevant.
- For Wi-Fi sessions that were already authenticated, switching from allowed to forbidden time frames will not work until NPS restarts.
- UserLock detects 127.0.0.1 as IP address of sessions without an available network connection and can't resolve its Initial Access Point.
- The user effective restrictions view doesn't display the Hours restriction when 'The following time frames are" is set to 'Denied' and the list is empty.
- Sometimes the mouse cursor switch to an hourglass cursor when navigating in the Quick access panel although no task is running and the console responds to actions.
- The log file for the web console is not created.
- Remote desktop is considered as Initial access point when IPv6 is displayed/captured.
- Full session synchronization generates an access denied error when the backup server's impersonation account has not be used before at least once.
- The UserLock Windows console displays an exception when Primary UserLock service is stopped.
- There is no button to test the configuration of the section 'E-mail settings for scheduled reports' from the Console Options.
- UserLock displays duplicate sessions when an unespected shutdown occurs for a machine with a locked session.
- Effective time frames, client restrictions (computers, IP ranges and workstation OUs) and time quotas are not handled in the API if the name of the protected account contains comma characters.
- It's not possible to launch a search using a full user name in the web console (first name + space + last name).
- Passive SSL on port 465 is not supported in console SMTP settings.
- Modifying time frames in the console automatically modifies the Logoff notification timeout setting.
- The Syslocator is not able to inform the user whether a computer is free or not.
- IPv6 addresses are not retrieved correctly.
- Scheduled reports always send E-mails through the SMTP port 25 even if another port is configured.
- New computer commands aren't available until a refresh action is performed in the console.
- The User status history cannot be launched from the 'User Sessions' view.
- In the Windows console, if the Logoff timeout value is set to 0, then it will be displayed as 'Not configured' the next time the Protected account will be edited.
- It's not possible to send an E-mail to an MS Exchange 'Receive connector' allowing Windows authentication when the option 'Provide credentials' is selected in UserLock SMTP configuration.
- Some characters are truncated in the fields of the 'E-mail settings for event notifications' section.
- In some cases, the console displays an exception when launching the 'Database connection' wizard.
- In the view 'Time consumed' the column name is missing in the menu 'Reset column' of the 'Quick access' panel.
- Scrolling in the Quick access panel over the User sessions view by using the mouse wheel can cause some focus shifts.
- The Quick access panel menus displayed on the Welcome page are not relevant.
- There is a memory leak while processing lock/unlock events asynchronously.
- The 'User sessions' report transforms empty instances of last logon and logoff dates to "0001-01-01 00:00:00".
- Logon denied by Windows events aren’t synchronized between server’s databases.
- The Hours restriction doesn't permit to authorize a session from 00:00 to 00:00 (the day after).
- Wi-Fi connections are considered as outside connection.
- The variable %sessions% is empty in denied VPN logon notifications.
- The permission displayed in the Security section of the server properties doesn't reflect the automatisms performed by the UserLock service.
- The Welcome view cannot be displayed if one of the servers added to the console is not reachable.
- VPN logon denied by Windows may not be audited by UserLock.
- IIS Logon denied by Windows from a workstation session triggers the notification of 'Same credentials in use' in this same session.
- The Hours restriction section of the web console presents a text overlap on the Session types field of the time frames definition.
- Impossible to cancel a protected account edition when some invalid settings are configured in the web console.
- The web console allows to configure second values in time frames.
- There is no verbose log for the console to see all commands sent to the server.
- The client name for an IIS logon denied by Windows caused by a wrong password is not correct.
- The agent status statistics may be wrong in some cases.
- A VPN logon refused by UserLock generates an invalid logon denied by Windows.
- When a VPN initial access point is detected, the service counts one initial access point too many
- VPN logon denied by Windows are notified as workstation logon denied.
- A console exception error is displayed when refreshing several times in a row the Consumed time view.
- After an upgrade to UserLock 9, invalid passwords are reported with two different strings in French.
- A misleading error message is displayed in the Agent distribution view when a computer doesn't answer to the ping.
- In some cases, the configuration files cannot be saved after a synchronization performed on the Backup server.
- The UserLock service may crash when manipulating temporary protected accounts or during the servers synchronization.
- The SMTP password encryption for the console SMTP settings is not FIPS compliant.
- A logon attempt with a locked account doesn't raise the risk status for the relevant user account.
- When the Active Directory computer account name doesn't end with a '$', UserLock truncates the last character of the computer name.
- Server properties cannot be modified when the option 'Send a notification at every modification in UserLock' is enabled.
- Customizable messages composed by more than 2 lines cannot be modified.
- If the RADIUS Accounting Session ID field is formatted like "3859F9AB5F06-AB:STRING", then it is no longer possible to display any session through the UserLock Console.
- When a Client address is a MAC address formatted with the ‘:’ separator, and a Logon and Logoff occured using it, the UserLockAPI displays the MAC address with incorrect characters in 'Last workstation logged on' and 'Last workstation logged off' fields.
- In some cases the 'Logoff previous session' dialog box may be minimized.
- A new Protected account type is now available: the temporary Protected account. Unlike the classic and permanent Protected account, this temporary account is valid only for a period of time defined by start and end dates.
- A new report ‘User status history’ shows a complete history of status changes for the risk indicator ‘User status’.
- It is now possible to clone a selected Protected account from the ‘Quick Access Panel’ or the context menu of the ‘Protected accounts view’.
- The database table of ‘UserStatus’ can now be viewed directly from the Windows Console.
- When creating Protected accounts you can now copy the rules and restrictions set for any other existing protected account.
- New filters in the ‘Protected accounts view’ allow you to show only active accounts, permanent accounts, or the different temporary accounts depending on their status.
- UserLock PowerShell now includes the Management Cmdlets of temporary Protected Accounts.
- No session is selected by default in the "Logoff existing session" dialog box.
- Outlook Web Access may generate numerous logon/logoff events in a short time interval in some cases.
- IIS Session revocation is not supported by the UserLock ISAPI Filter agent type.
- In some cases logons denied by Windows have an invalid client address.
- Regression introduced in version 8.01 The IP address is showing ?.?.?.? for workstation sessions.
- On a UserLock server (except in Standalone Terminal Server mode), Wi-Fi / VPN and IIS logons with local accounts denied by Windows are notified to the UserLock service although UserLock doesn't manage such events.
- The error event 100 "Opened session without SID" is inserted every time the User sessions view is displayed.
- The UserLock Server service can run at a high CPU usage of 100 percent when some specific errors occurs.
- On a Windows Server 2003 Domain Controller, the Desktop agent notifies all IIS logons denied by Windows for the IIS account "DomainName\IUSR_IisDcName" to the UserLock service.
- Client restrictions are no longer applied during session reconnections if a restriction of concurrent sessions allowed is also defined.
- When a terminal session reconnection is denied due to workstation restrictions only the first attempt is inserted in the database.
- In some cases the Database connection type is not correctly detected by the Web console.
- A user logon denied by Windows due to account restrictions is not displayed in the Session history report.
- The Web console dashboard displays some errors when UserLock is configured to use a MySQL ODBC database.
- The Windows console displays an error message when open on a server whose name starts with a number.
- In some cases the logoff is not notified by the UserLock Agent Service to the UserLock server when a computer is powered off.
- If no domain controller is available the NPS agent may not initialize correctly.
- A new risk indicator “User Status” to better identify suspicious and inappropriate access behavior and potential threats to network security.
- A real-time alert on possible credential-based-attacks to notify users when their own credentials are used (successfully or not).
- UserLock administrators monitoring and alerts through a UserLock Windows Event Log to verify the trust given to UserLock administrators.
- A new rule to restrict in real time users to a single active session. Opening a new session has the immediate effect of locking the previous session if open.
- All restrictions for each protected account have a "Not configured" status based on the GPO model, improving the granularity of restriction priority.
- Wake on Lan feature to wake up any computer which has the technology requirements.
- A full session synchronization between the Backup Server and the Primary Server is now possible on demand.
- A new diagnostic tool is now available when hitting the "F12" key.
- A new ID field and a Time index have been added to the UserLogonEvents table to improve database performance.
- The console warns UserLock operators about the license and maintenance expiration.
- A new command in the Help menu allows operators to check for UserLock updates.
- A version checking process is now automatically performed between the UserLock console and the server to warn UserLock operators about version compatibility.
- The User Sessions view by machine is now available on the Backup Server (without AD path/tree options). Note that the "Only sessions on unavailable computers" filter can't be used on this mode.
- New optimized statistic commands have been created in UserLock API to provide Statistics on the Web Console dashboard.
- Effective restrictions can be displayed for a user through UserLock PowerShell cmdlet "Get-UserLockProtectedAccountEffective".
- A full redesign of the UserLock Web Interface to facilitate the administration of UserLock from any device (mobile, tablet or computer).
- Further granularity when setting permission rights for privilege users. Access to the different features offers now two privileges: "Read" and "Write".
- New session information are available: Session logon time, last activity time, and Client IP address for all session types; Client Name for interactive & Wi-Fi/VPN sessions.
- Reports can now be filtered by any Active Directory group or Organizational Unit.
- UserLock can now close an IIS session (forced logoff) from the UserLock console, PowerShell or API.
- Sessions activity logs are now sent asynchronously to the server after an network issue.
- The Reports Time section offers new relative time criteria to facilitate report generation & schedule.
- Protected Account notification allows more criteria for pop-up and E-mail alerts.
- Logons denied by Windows are now detected for Terminal, Wi-Fi/VPN and IIS sessions.
- Logons denied by UserLock are now displaying the restriction reason.
- UserLock Popup notifications are now displayed over Windows Metro Start screen and applications.
- When database connectivity errors occur during a database insertion, a specific queue conserves data until the insertion process is successfully performed.
- On Windows 2012 or more the installation process of the UserLock Web console checks any missing requirements and offers to configure and install these necessary components or features.
- The UserLock configuration files have been split and moved into 4 separated files.
- The default MS Access database has been moved to the following path "C:\ProgramData\ISDecisions\UserLock\Database\UserLock.mdb".
- The UserLock service is now logged as NETWORK SERVICE to use less privileges. When some actions required more privileges, the UserLock service will impersonate with the specified account.
- When a user has a read only access to the server Properties, the account defined in the Impersonation section is indicated as invalid even it is actually valid.
- A Protected zone composed of many Organizational Units or domains is not displayed correctly in the server Properties.
- On the session history report "Since the specified number of days" can be empty.
- Quick filters applied from column heads of the User sessions view are lost after clicking on Refresh.
- It is not possible to connect to a remote server with the Web admin console from Windows 2003.
- Actions on Temporary Protected accounts do not work from the Windows console.
- Web console - Actions performed by the same UserLock operator from two different browsers are not automatically notified to both browsers.
- Web console - On tablet device, the server icon is moving when scrolling.
- The Service impersonation section should not be displayed in Standalone Terminal Server mode.
- Protected account settings are not saved in Standalone Terminal Server mode.
- Web console - The search feature from the Filter panel is only performed on data from the main column of the view.
- Well-know accounts are protected by UserLock.
- Settings are applied again when clicking OK even if Apply has already been clicked previously.
- It's impossible to click Apply or OK after having deleted a Time restriction or a Workstation restriction.
- The Logon Notification message doesn't contain the reason why the logon is denied.
- Agents communication pipes without any activity are not disconnected.
- When applying a Security permission right as authorized for Read and denied for Write, it's registered as denied for both Read and Write.
- The Windows Console crashes when an agent deployment action can't be cancelled.
- Remote logoff sent to an unavailable machine to apply a rule limit is performed anyway when the machine comes back online even if this rule limit is no longer relevent at that time.
- The IIS agent (ISAPI filter) is not compatible with the command line registration (REGSVR32).
- The IIS agent (HttpModule) is not compatible with the command line registration (REGSVR32).
- The Popup notification column from the Protected accounts view displays an incorrect status.
- Permissions set on the IIS agent log file and the IIS agent Registry key are incorrect.
- When the UserLock help file is opened in full screen mode, it's impossible to switch between the help file and the UserLock console.
- The UserLock IIS agent may crash its Application Pool when several Application Pools are running with different identities.
- It is not possible to save the result of a report executed in Raw data mode through the menu File/Save... of the Windows console.
- It's not possible to apply changes after having modified Logon events selection of the feature "Warn users in real time of all connection events involving their credentials".
- Restarting a computer without open session from the Machine view of the Web Console fails and displays an error.
- The message displayed on the Notification sent for Logon denied by Userlock is not enough understandable.
- Filter criteria from the Agent distribution view in the Web Console contain an unknown agent type.
- Column contents overlap in the Session history view of the Web Console when using small screens.
- Wi-Fi / VPN session names displayed in Protected Accounts Notifications are not as user friendly as those displayed in UserLock consoles.
- Webconsole, machine view, reboot a workstation with a session doesn't work
- It is not possible to schedule a SQL query
- After an upgrade the reporter still tries to access the default database at the old location
- The User status breakdown graph is taking a long time to be displayed in the Web Console Dashboard.
- An invalid service impersonation account generates many events from the UserLock service still trying to use it.
- The shutdown action is immediately initiated without warning previously users.
- The User session view option "Display AD tree" remains enabled after disabling it and refreshing the view.
- User statistics displayed on the Web Console Dashboard are inconsistent in some specific cases.
- IIS logons denied by Windows on a Web application configured in Basic authentication mode generate a second attempt of insertion in the database.
- Userlock Service cannot start when the Userlock.log log file contains only space characters.
- Local account names are not listed in the User sessions view in display mode by computers.
- The LogonInfo and Status fields are not synchronized between the Backup and the Primary server.
- The User status section and the license section of the Backup server are editable.
- In the Web Console, applying the filter "None" in the User sessions view generates an error.
- In the Web Console, switching the number of lines displayed in the User sessions and Agent distribution view can cause an error message.
- The Welcome message is not displaying the reason of a UserLock denied logon.
- The thread initialization timeout was increased to 20 s in the service to avoid start failure in some cases.
- With the web console, in the General section from the server properties, "Logoff exceeding sessions" and "Exceeding sessions order" were reversed.
- With the web console, in the Standalone terminal server section from the server properties and in the Agent section from the Agent distribution properties, "Never" and "Always" were inverted in the Join mode.
- Cell content problem in the user sessions view for backup servers with the web console.
- An exception in the web interface when displaying server properties on a backup server.
- An exception when displaying a report in the web interface and no protected groups were defined.
- Lock/Logoff of non-interactive sessions was proceed even that this is not possible.
- The feature allowing to display user names in the SysLocator was not working.
- If the evaluation mode was expired and the service was restarted it was no longer possible (message about maintenance expiration) to administer UserLock and enter a new license key.
- If the UserLock service account was not administrator of the server the event message library could not be registered.
- It was not possible to upgrade from UserLock 4 even with an up to date license key registered.
- The session history report was not able to filter specifically on terminal sessions or workstation sessions.
- It was not possible to add the administrators group again after removing it from the access permissions.
- New PowerShell commandlets for sessions and computers.
- UserLock PowerShell help.
- Computer commands can be run from inside the UserLock console.
- UserLock is now PowerShell manageable.
- A fully documented API is now available.
- New Windows Server 2012 like Interface.
- A new Welcome view is available, offering knowledge contents and UserLock servers figures.
- The web interface now supports Chrome in addition to Internet Explorer and FireFox.
- The machine localization can now be defined thanks a CSV file containing machine name, building and room information.
- Reports offer a new criterion to filter by Group Protect Account or OU Protected Accounts.
- Reports can be filtered on a list of computers or users separated by a coma.
- PowerShell module installation. The module can be loaded without specifying the path and will be loaded automatically with PowerShell 3.0.
- PowerShell cmdlets.
- PowerShell cmdlets documentation.
- The English help file.
- It was not possible to delete protected accounts from the web console.
- On Windows server 2012 the IIS application pool UserLockAppPool was not registered to use the Framework .NET 2.
- The column headers were missing in the report "User sessions" by user and by machine.
- A layout problem in the protected account properties when displayed with some web browsers.
- With the web interface, the action buttons (Install, Restart, Close, Lock, ...) became inactive after selecting a different page in the User sessions view or in the Agent distribution view.
- A remote console or the web console were not able to display the number of computers in the CSV localization file.
- The selected predefined filter in sessions and agent distribution were not checked.