Ressources techniques

Ressources techniques
FAQ
Historique
Aide en ligne

Guide de démarrage

Guide de démarrage rapideType: PDF - Weight: 1581KB

Divers

Quoi de neuf dans UserLock 6Type: PDF - Weight: 793KB

Configuration du pare-feu Windows XP SP2Type: PDF - Weight: 213KB

Pas de white papers pour ce logiciel

Faq

I can't deploy the agent on my all workstations. Why?

If the deployment doesn't work on a workstation, you should check the following points:

1- Is the workstation registry remotely accessible from the server? (using regedit)
2- Is the workstation administrative share \\workstationName\admin$ accessible from the server?

Here under are some common reasons of a deployment problem:
- Failed to connect to workstation. Error code = 0x0005 Access is denied. The UserLock service account hasn't the administrative rights on all workstations. In this case, check that:
1- The UserLock service account is member of the "domain admin" group
2- The "domain admin" group is member of the administrators group on all workstations
- Failed to connect to workstation. Error code = 0x0035 Network path not found.
1-The computer is down or doesn't exist
2-The NetBIOS name of the workstation cannot be resolved because of a WINS problem.
3-The "File and network sharing" component is not installed in the network connection of the workstation or the server service and the remote registry service are not running.

I want to evaluate UserLock in my production environment without the evaluation message. Is that possible?

You can ask us for an evaluation key at info@userlock.com. In order to send you the key, we need the exact number of workstations to protect in the domain.

UserLock doesn't apply the defined rules to the logged users. Why?

Check that you have only one UserLock service running on your sub network.
Check that the agent is deployed on all workstations.

I purchased UserLock and when I enter the activation key in the console I get the error message: "Invalid or insufficient key". What's the problem?

Older versions of UserLock (less than v2.5) were licensed according the number of user accounts in the domain and you have probably exceeded this number. To avoid this problem please download the latest version (2.5 or more).

How can I uninstall the UserLock agent manually from a workstation?

Start the operating system in safe mode (without network).

For the GINA agent (NT4/2000/XP/2003)
Remove the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
You can download a reg file here to do it.

For the Windows Vista/7/2008 Agent
OS 32 bits :
- Stop the UserLock service
- "c:\Windows\System32\ULAgentExe.exe /UNREGISTER" (unregister)
- "c:\Windows\System32\ULAgentExe.exe /SERVICE u" (delete « UlAgentService »)

OS 64 bits :
- Stop the UserLock service
- "c:\Windows\SysWOW64\ULAgentExe.exe /UNREGISTER" (unregister)
- "c:\Windows\SysWOW64\ULAgentExe.exe /SERVICE u" (delete « UlAgentService »)

Since I installed UserLock on my server I get the following warning in the event log: 3034:MRxSmb or 4:Kerberos. What’s the problem?

The problem is not directly related to UserLock. The warning is generated when the UserLock deployer try to contact specific unavailable workstations listed in the Active Directory. In consequence their IP address is sometimes used by another computer. In consequence when the server contacts the workstation A the workstation B responds instead and this warning is generated.
You can read the following article of the Microsoft knowledge base about this problem: Q263208

To fix it you just need to remove all “ghost” computers listed in your Active Directory.

As workaround you can also set the following registry setting and restart the UserLock service (Version >= 3.02):
HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\CheckIpConflict = REG_DWORD:1

Users are not able to open a second session on my terminal server even if more than 1 session is allowed through protected accounts. Why?

With the default configuration UserLock always disconnect any previous session for a user on the server in order to join it instead of creating a new session. This allows a user to continue his work from a new location without having to get back to the previous location in order to disconnect the session. You can change this behaviour in the Agent distributions properties (Agent tab) of the UserLock primary server or in server properties (Terminal server tab) if the server is in standalone terminal server mode. For the setting “Try to join any existing session on the server” select “If the new session is not allowed” or “Never”.

How do I upgrade my UserLock server to a new version?

The upgrade procedure is explained in the following page of the help file:
http://www.isdecisions.com/help/UserLock/English/Default.htm#Reference/Upgrade_procedure.htm

How do I move the UserLock service to a new server?

Install UserLock on the new server

Start the configuration wizard but don’t click on Next in the Service account step. Leave the wizard on standby.

Copy the files UserLock.cfg and UserLock.mdb located in the folder “c:\program files\ISDecisions\UserLock” from the old server to the new server.

Stop the UserLock service on the old server

Click Next in the UserLock configuration wizard on the new server. The new service is automatically started and is working.

Uninstall UserLock from the old server or at least disable the service to avoid conflicts between the two servers.

I get an HTTP error 404 File not found when I try to use the web interface. How do I fix this?

The ASP.NET needs to be enabled in IIS.

On Windows 2000/2003 you can install ASP.NET with the following command line:
\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe –i
On Windows 2008 the following IIS roles services are needed:
- IIS 6 metabase compatibility (Without it the web configuration tool will not detect that IIS is installed)
- Windows authentication
- ASP.NET
On 64 bits servers you need to make IIS run in 32 bits mode with the following command line:
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

I can’t see terminal sessions on my terminal server in UserLock but I see the local console session. What’s the problem?

Open the terminal services console (in administration tools) from your terminal server and display the RDP connection properties. In the general tab the setting “Use standard Windows authentication” should be unchecked. For Citrix terminal server you need to do same for the ICA connection.

The UserLock server generates many logon events on my computers. How can I avoid this?

UserLock regularly checks the agent status and tries to retrieve lost logon events on all workstations of the protected network zone. That's why logon events are generated.
You can slow down the check speed by adding the following registry value on the server:
- 32 bits: HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\WaitBetweenCheck = (DWORD)
- 64 bits: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ISDecisions\UserLock\WaitBetweenCheck = (DWORD)
This value corresponds to the time interval in ms. Default value is 500 (an half second between each computer). If you set for example 5000 (each 5 s) you will get 10 times less logon events.
A service restart is needed after creating or changing this value. This setting only works on UserLock 3.5 or more.

I get an "Server error in '/Uladmin' application" when I try to use the web interface. How do I fix this?

When trying to use web interface, this error displays:

"Runtime error" through an Internet browser.
" The current identity (NT AUTHORITY\NETWORK SERVICE) does not have write access to 'c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files' " through the browsing inside IIS manager mmc.

The problem comes from the Network Service which doesn't have sufficient right.

This Microsoft article will explain you how to grant the "Network Service" right and solve your problem.

You can grant access to this account explicitly using the aspnet_regiis -ga switch, for example:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215>aspnet_regiis -ga "NT Authority\Network Service"

UserLock 6.02

Fixed: On Windows server 2008/2008 R2 the UserLock console did not ask the privilege elevation
Fixed: In the web configuration tool the Upgrade button was not grayed when the console configuration was up to date
Fixed: Bugs in reports when used with a MySQL database
Fixed: Some bugs in reports when launched from the web interface
Fixed: Bug when decreasing consumed time and UserLock was installed in French
Improved: A deleted account is removed from the session database after 2 days if the account has no session. If the account has session it will be removed after 30 days.
Fixed: IIS sessions could not be reset in some cases
Fixed: Consumed time for quota was not maintained on the backup server
Fixed: It was not possible to decrease consumed times for more that the quota period. Same problem on quota information displayed in the welcome message.
Fixed: It was not possible to reset sessions with local accounts
Fixed: The logoff of a previous session was not working on Windows 2000 computers
Improved: A different message is displayed to the user when a session is closed in reason of a maximum session length rule (SESSION_LENGTH_LOGOFF) and in reason of maximum locked time (SESSION_LOCKLENGTH_LOGOFF).
Added: Dutch translation of messages displayed to users (Thanks to a customer from The Netherlands).
Fixed: If a localization mask was provided to extract the room and the building from the computer name, bogus sessions were displayed in the sessions by computer view.
Fixed: Applying server properties on the web console was generating the error message "The specified cast is not valid"
Fixed: The Userlock agent could consume 100 % CPU time on one thread on computers with many logons denied by Windows (e.g. public terminal servers attacked by bots).
Fixed: If the length of the protected zone name was exceeding 512 characters (many OUs with long names) the UserLock server automatically switched to the whole domain as protected zone.
Fixed: If IIS sessions were controlled on an IIS application pool with a : char in the name an exception occurred when displaying the user session view in the console.

UserLock 6.01

Fixed: Bug in Windows and Web administration consoles if the protected zone was composed by several Organizational Units (OU): only the first OU was displayed in the UserLock server properties
Fixed: Bug in the "Protected accounts" view of the Web administration console, if the auto filter was enabled then: "Properties" was displayed in the filter header, and an error page was displayed if it was selected
Fixed: Bug in the "User sessions" view of the Web administration console, if the auto filter was enabled then: "Quotas" was displayed in filter header, and an error page was displayed if filter didn't correspond to any result data or if "User sessions" contained no data
Fixed: Bug in the Web administration console: the initialization of encryption is now executed with the application pool account to prevent any permission issues with user accounts
Fixed: The "Display name" of protected accounts was not resolved after a UserLock service restart
Fixed: When NetBios and AD domain names differed, then the restrictions of OU protected accounts were not applied
Fixed: When several domains were selected in the UserLock protected zone, then only the first one was protected by UserLock
Improved: In the "Protected accounts" view of the Windows administration console, "Add Organizational Unit" (OU) now displays an edit box to be able to add an OU with no connection to Active Directory
Improved: In the welcome message, if a refused connection is listed, then a warning icon is displayed instead of the information icon
Improved: UserLock does not generate error events for a ghost session over time restrictions
Fixed: It was not possible to add computers in workstation restrictions by browing the AD.
Improved: UserLock can now display in agent distribution computers from domains outside the local forest if they are included in the protected network zone
Fixed: In the web interface it was not possible to add a time frame for only thursday
Fixed: For multi-forest environments: if no DC for a specific domain was unavailable during the UserLock service restart, then all accounts from this domain were replaced by their SID
Fixed: If a protected account was renamed in the AD and the UserLock service was restarted, then it was not possible to display the properties of that protected account
Improved: If UserLock is upgraded, then the web console configuration in IIS is automatically upgraded too
Fixed: The IE9 cache was disallowing displaying up to date reports through the web console.
Fixed: The session statistics report could not be displayed from the web console. An error was generated instead.

UserLock 6.0

Fixed: Bug in english WinForms console: "Maximum session length" and "Maximum locked time" were switched
Fixed: Bug when the Desktop agent sent unsubmitted logon events for sessions with local accounts to the UserLock server: these events were not correctly considered
Fixed: Bug in protected account view of administration consoles: if semicolon was in the field "Name", "Canonical name", "Email recipient" or "Popup recipient" then error messages were displayed

UserLock 6 Release Candidate

Fixed: Bug in license count management: sessions with local accounts were counted into license count
Improved: Ergonomics of both administration consoles
Added: Documentation for all new features

UserLock 6.0 beta 2

Added: The welcome message now contains time quota information
(Please take note: This is only available for new installations. For any upgrade, you need to add manually to the Welcome message the dynamic variable “%quotainformation%”)
Added: Ability to define the length of the countdown before the logoff for sessions over time quotas (see "Logoff notification timeout" in UserLock server "Properties")
Fixed: The member names of external domain's Organizational Units are no longer prefixed by the domain protected by UserLock
Fixed: Bugs when adding time quotas to a protected account
Improved: Column names in "Consumed time" view of user sessions
Fixed: Bug when trying to display session history for local accounts via right mouse click
Improved: AD tree in the user view now displays all local accounts in the "Local accounts" node
Fixed: AD tree in the user view now saves the last selected node to display it again the next time
Improved: Icons of IIS sessions inserted into reports
Improved: Update of all Web console icons
Added: New reports in Web administration console: "Session count evolution", "RAS / VPN history", "RAS / VPN users statistics"
Improved: Unit change for "RAS / VPN users statistics" (all but "Session count" graph type) reports: the unit is now “hours" instead of "days"
Fixed: Bugs when computing "Average time per working day" and "Average time per week" into "RAS / VPN users statistics" reports
Fixed: Bugs when modifying protected account restrictions with no intermediary validation between actions

For a comprehensive list of all new features please read the following document: What's new in UserLock 6.pdf

UserLock 6.0 beta

Added: Audit and display session with local accounts
Added: Protection of IIS authenticated sessions (e.g. control access to Outlook Web Access or an Intranet)
Added: Ability to define daily, weekly or monthly quotas
Added: Additional type of account protection: OU (Organizational Units) users. Added to protected users and protected groups.
Added: Ability to define restrictions on workstations with the OU (Organizational Unit) of computers.
Added: Ability to add multiple OUs in a protected zone
Added: Specialized reports for RAS sessions (History, Evolution and Statistics)
Added: New report that displays the progression of the total number of opened sessions
Added: New popup technology to replace the deprecated Microsoft Messenger service technology
Added: Ability to send messages (displayed in a popup) to users from the UserLock console
Added: New server properties to automatically logoff exceeding sessions (oldest or newest first)
Added: New server property to carry over unused time count
Improved: The UserLock service account no longer requires administrative rights on the UserLock server itself
Improved: If many protected accounts are configured (more than 100), the protected accounts view is displayed faster
Improved: The protected accounts synchronization with the backup server has been optimized (only modified protected accounts are synchronized)
Improved: The UserLock service starts faster in case of large AD environment or bad connectivity with domain controllers
Improved: User names are updated every 24 hours

For a comprehensive list of all new features please read the following document: What's new in UserLock 6.pdf

UserLock 5.52

Fixed: Customized logo header and footer were not displayed when a report was generated from the web interface
Fixed: When displaying the session history of a user/computer from the web interface by clicking on the user/computer link, denied logons were not include in the report
Fixed: The IAS agent was not writing in its log file in Windows 2008/2008 R2. On these versions of Windows the path of the log file is now c:\ProgramData\ISDecisions\UserLock\UlIasAgent.csv
Fixed: Some bugs in the IAS agent on Windows 2008/2008 R2
Fixed: The IAS agent was breaking down the computer authentication for Wi-Fi access points
Fixed: A compatibility problem with NComputing terminal servers
Improved: Recovery of the console if the layout or the default UI settings become corrupted.
Improved: The agent automatically increases the retry time interval when trying to send unsubmitted logon events to the UserLock server in order to avoid overloading the server after a long time of unavailability.
Improved: Logoff in reason of time restrictions of many sessions on terminal servers
Fixed: mail notification were not always sent during the logoff of a member of a protected group
Improved: Better error handling when scheduling reports
Fixed: If sessions were closed or opened since the last web console refresh a logoff/lock/reset from the web console may be applied on a wrong session.

UserLock 5.51

Fixed: In some cases, when the UserLock primary service stopped, some communication pipes remained open and agents did not failover on the backup server
Fixed: A problem when displaying reports from a MySQL database
Fixed: The configuration tree did sometimes not show up any longer and the console layout needed to be reset.
Fixed: Protected account settings for remote access sessions were not synchronized with the backup server
Improved: An infinite loop protection when a protected AD global group was member of itself in order to avoid that the service hangs in this situation.
Fixed: In the web interface, the hour restrictions mode was not reflecting actual settings on the server and changes did not take effect.
Improved: The Windows console has been optimized to manage more than 10 000 users and more than 10 000 computers.
Fixed: If an exception occurred inside the service, a memory leak might have occurred in some cases.
Fixed: Every minute, the service has been generating an unneeded workload in the lsass.exe process and could slow down logons controlled by UserLock.
Fixed: UserLock performance counters were not working from a terminal session
Fixed: UserLock performance counters did not work in a counter log because of security issues except if the account of the service "Performance logs and alerts" was switched to localsystem.
Fixed: The backup server was sometimes incorrectly displaying some sessions as orphaned.
Fixed: The UserLock service was sometimes hanging while stopping.
Changed: The GINA chaining registry value OldGinaDll has been renamed to UlOrigGinaDll to avoid a conflict with Avatier Password Station that uses the same value. Upgraded agents will still use the value OldGinalDll for compatibility with old installations.
Improved: The UserLock GINA now exports WlxReconnectNotify and WlxDisconnectNotify functions in order to improve compatibility with other GINAs
Fixed: In hour restrictions, times were not always displayed in US format if US culture was defined
Fixed: For Windows Vista/7 workstations if the logoff could not be notified to the UserLock server, the previous session was not automatically cleaned when a new session was opened on the workstation.
Fixed: UserLock was unable to get the member list of nested groups from another domain
Fixed: Editing a time frame was resetting concerned session types to interactive
Fixed: Editing a workstation restriction or a custom session limit was also resetting concerned session types to interactive in the web console
Fixed: A compatibility issue with Kbox on Windows Vista/7 computers
Fixed: Modifying an hour or workstation restriction and applying it several times was duplicating it

UserLock 5.5

Fixed: A parenthesis "(" or ")" in a user display name was generating an exception in the UserLock console
Fixed: The SysLocator was crashing when some Vista workstations had more than one session.
Fixed: If a deleted account was still listed in UserLock access permissions the console was unable to display server properties.
Added: The agent can now notify a lock notification when a password protected screen saver starts (In agent distribution properties select "Consider screen saver time as locked time"). In previous version the lock event was notified only when the session was resumed and the locked notice displayed. (Agent update needed)
Added: UserLock can now logoff automatically a session that is locked for more than a specified time. In concerned protected accounts select "Maximum locked time" and specify a number of minutes. Combined with the ability to notify a lock event when the screen saver starts, sessions can be closed after a specified time of inactivity. (Agent update needed)
Added: Ability to power off computers from the console
Added: Ability to deploy agent settings with group policies. This is useful if you already deploy the agent with the msi package through group policies. The .adm file is installed in the UserLock program folder. (Agent update needed)
Improved: Ability to use a large number of protected accounts (up to 10000).
Fixed: The Session statistics report did not show up in the web console and was not generated when scheduled.
Fixed: The UserLock agent service on Windows Vista/2008/Seven/2008 R2 was in some case starting too slowly disallowing to control the first session after a boot if the user was very fast to enter his password. (Agent uninstallation and reinstallation needed)
Fixed: When new settings of a protected account were applied several times it could duplicate workstation restrictions, time frames or custom limits.
Improved: The query of the session history report was optimized in order to display the report faster.
Improved: The session history report can now display independently logons denied by UserLock and logons denied by Windows (e.g. Invalid password).
Fixed: Some bugs in the session history report
Fixed: When the number of user sessions was exceeding the license no error events were generated to warn the administrator
Fixed: In some case an exception was occurring when displaying the dashboard or sessions by machine
Fixed: Applying new properties on the primary server with the web interface was unregistering the backup server and sessions were no longer synchronized
Fixed: When a protected account was created in the web console with a different case than the AD, displaying immediately properties was generating an exception.
Fixed: The Windows console was allowing removing and adding protected accounts on the backup server even that a UserLock backup server is read only.

UserLock 5.01

Fixed: A slash (/) or a colon (:) in a user display name was generating an exception in the UserLock console
Fixed: The error management while uninstalling an agent was not displaying an intelligible message in case of error (Unexpected error while executing the command).
Fixed: A bug in the AD tree if a domain contained several OUs with the same short name
Improved: The UserLock console no longer requires administrative rights
Improved: The UserLock console displays now a message when the user is not allowed to administrate UserLock
Fixed: The context menu on tabs was not working
Added: The RemoteApp feature of Windows 2008 terminal services is now supported
Added: Citrix XenApp is now supported as terminal server
Fixed: The Windows Vista/2008 agent was launching the 32 bits UserInit.exe executable on 64 bits machines
Fixed: Some column names in the raw data of the Session statistics report were in French
Fixed: In some cases the agent distribution computer list was empty and an error event was generated in the server application log (source UL2000) with "Invalid parameter detected" in the description.
Fixed: It is possible again to add local groups and local users in the UserLock permissions
Fixed: An access violation exception (Event id 700) in the UserLock service when a user was removed from the AD but a session was still registered in UserLock for him.
Fixed: After changing the connection string in the server properties the create table button did not work if you did not apply the new settings before (Error: "Failed to create the table! [Microsoft][ODBC Driver Manager] Function sequence error").

UserLock 5.0

Updated: The license protection system was enabled again. Current customers can install and use this version if they have an up to date maintenance.
Added: MySQL databases are now supported through the ODBC driver (use the ODBC wizard to generate the connection string).
Improved: The user load routine when the UserLock service starts and more than 10000 users are in the session database.
Updated: The SysLocator was translated in French
Fixed: A problem disallowing the agent to start on Windows 7

UserLock 5.0 beta 2

Added: A new dashboard allowing displaying statistics in charts.
Added: A new server report to display a printable version of the dashboard.
Fixed: Resetting RAS sessions is now possible.
Fixed: Hyperlink allowing displaying the session history on a user is restored in the web console.
Fixed: AD tree is correctly displayed in the Windows console if more than one domain are in the protected network zone.
Fixed: AD tree is now kept after refreshing the agent distribution view in the Web console.
Fixed: Database reports can use again wildcard in the following field filters: user name, computer name, client name, client address.
Fixed: Various corrections of interface texts.
Improved: Web console keeps user settings (filter, view mode, lines per page ...)
Updated: French version is available.
Updated: SysLocator has been updated to a new version (you need to upgrade the IIS virtual folder with the Web configuration tool).

UserLock 5.0 beta

Improved: Brand-new tabbed interface (Web & Windows)
Added: Protection of RAS sessions on a RRAS server or on a hardware router with RADIUS authentication on a IAS server.
Added: Extended filter/sort and group capabilities
Improved: UserLock Reporter is directly integrated into the console.
Improved: UserLock Logon Cleaner is directly integrated in the console.
Improved: UserLock Scheduler is directly integrated into the console.
Added: Generation of reports can easily be scheduled without writing command lines. Reports can also be automatically sent to an E-mail recipient.
Improved: The Active Directory tree can be displayed for the Agent Distribution view and the Session view by computers.
Improved: UserLock reports now use a new report engine and a new report design.

For a comprehensive list of all new features please read the following document: What's New in UserLock 5.pdf

UserLock 4.02

Added: Windows Server 2008 compatibility
Added: Ability to monitor logon denied by Windows (invalid password). These events can be displayed to users in the welcome message. Audit logon events policy needs to be enabled for failure events for all protected computers (doable through group policies). For more information click here
Fixed: Some issues with Windows Vista and Windows Server 2008
Fixed: Service wasn't stopping properly in case of a server shutdown/reboot
Fixed: If a maximum session time was set immediately after the installation of UserLock all already opened user sessions could be logged off in some specific cases.
Improved: Ability to use a localization mask with a naming convention that identifies building with letters (A,B,C,...). New wildcards to be used in the mask are: * = Building, % = Room, ? = Machine. Localization masks using the previous system will still work. For more information click here
Fixed: A potential deadlock in the UserLock service
Fixed: When trying to uninstall the agent from a computer without the agent installed a wrong error message was displayed

UserLock 4.01

Fixed: The previous session logoff dialog was not fully translated in English
Fixed: A memory leak in the backup server
Fixed: A session with a local account was sending connect/disconnect notification to the UserLock server leading to an error event
Fixed: In some cases the web interface was unable to display reports
Fixed: The welcome message wasn't displayed after the logoff of a previous session
Improved: UserLock service dependency to the workstation service
Fixed: If the logon rate was too high, the transaction log (ulagent.log) was not regularly cleaned
Fixed: If a protected account was based on a universal group, UserLock wasn't including members of other domains in the list of concerned users.
Fixed: If a UserLock admin had only the right to administrate sessions he was unable to display reports because he was not allowed to retrieve the database connection string.

UserLock 4.0

Fixed: Internal exceptions when the user session list was empty.
Fixed: Crash of the session statistics report when the database was empty.
Fixed: The ascending/descending order radio buttons were not working correctly in the session statistics report.
Fixed: Some temporary files were not cleaned while generating report in a batch or in a scheduled task
Fixed: When disconnecting a locked terminal session the UserLock service was sometimes thinking that the session was still active.
Fixed: The permissions tab and the user sessions by computer view were not grayed on backup servers

UserLock 4.0 release candidate

Updated: The help file was updated. The online version is available here.
Improved: Button sizes in the web console
Improved: Some internal improvements in the UserLock service
Fixed: A bug was making crash the MMC console in some cases while refreshing the view
Fixed: A bug in hours management when a session needed to be closed at 12:00 AM
Fixed: A handle leak while sending E-mail notifications
Fixed: Two memory leaks in the UserLock service
Removed: The beta warning

Important! Existing customers with an up to date maintenance need to ask for their new UserLock 4 license key before installing this new version on their network.

UserLock 4.0 beta 2

Fixed: A bug in the web console while displaying sessions by user.
Added: The new license system was integrated. Current customers with an up to date maintenance can already ask for their UserLock 4 license key
Fixed: A bug leading to users with empty names.
Fixed: A bug while deploying the agent on Windows Vista computers
Improved: All executables including the installation package are now signed
Added: Ability to print the pages User sessions and Agent distribution from the web console.
Improved: During a migration from UserLock 3 if the group UserLock Admins exists, UserLock administration rights are automatically added for this group.

Please also read comments of the previous beta version

UserLock 4.0 beta

What's new in UserLock 4

New: Ability to define working hours for protected users
New: Ability to define maximum session time for protected users
New: Ability to define maximum group limits
New: The administrator will have the possibility to enable an option allowing users to remotely close their previous session as they logon to another computer.
New: Ability to define access rights to the UserLock administration console,
New: Ability to breakdown the computer name syntax into a readable format in order to locate computers (building/room).
New: Ability to customize the console’s User sessions view
New: The web console can display the user session and agent distribution result in paged mode
New: Multi selection in the User sessions view of the MMC console
New: Ability to customize the agent distribution view
New: The user display name is now displayed in the user sessions view of the console and in reports instead of the user account name.
New: Terminal session connection/disconnection tracking
New: Ability to enable a public Web interface (SysLocator) allowing users to locate free computers
New: Ability to automatically generate reports at regular intervals
New: Two new reports (printable version of what you see in the console) Agent Distribution and User sessions In order to avoid any misunderstanding the old “User sessions report” was renamed into “Session history”.
New: Ability to display reports from the Web console
New: The UserLock agent will send its status at each computer startup
New: The agent will notify to the server any computer crashes to fix the session database.
New: The UserLock agent will regularly try to send unnotified logon events to the server.
New: Support of Windows Vista

This version will display a warning message to users saying that this beta version should only be installed on a test environment. If you want to install this beta version on your production environment please enroll to the UserLock 4 beta program by sending a mail to support@isdecisions.com
This beta version will expire end July.

UserLock 3.53

Fixed: The UserLock server no longer tries to deploy the GINA agent on Windows Vista computers. "OS not supported" is returned.
Added: Support of the beta version of the new Windows Vista agent that can be downloaded from the following link:
http://www.isdecisions.com/download/ULAgentVista.msi
You need to install manually the msi file on each Windows Vista machine to protect. You will get more information about the setup in the following document:
http://www.isdecisions.com/download/ULAgentVista.pdf
Fixed: In some cases a communication problem was leading to display invalid characters.
Fixed: In some rare cases the database insertion thread was crashing while connecting to the database.

UserLock 3.52

Fixed: The protected zone was not configured correctly for domains with a NetBIOS name different than the hostname. Symptoms: Just the server itself was displayed in agent distribution.
Fixed: The web interface configuration tool was changing the authentication mode on the root folder of the IIS site instead of doing it directly on the UserLock virtual folder.
Fixed: A UserLock service installed on a Windows 2003 SP1 server was unable to deploy the agent on 64 bits computers
Improved: User accounts are now sorted by name in the web interface
Fixed: A problem while sending E-mail notifications to some specific SMTP servers
Fixed: The UserLock service was hanging in some cases (Error 0x0000079 in the console)
Fixed: A few bugs in reports
Fixed: A bug in the LogonCleaner.

The version of the agent did not change.

UserLock 3.51

Fixed: A bug in the communication between the web console and the UserLock server. The user sessions list or the agent distribution list were incomplete in some cases.
Fixed: A bug in the policy.
Fixed: In some rare cases if an internal exception occured in the UserLock service users were unable to logon (a service restart was needed to fix the problem).
Added: Abitity to reboot computers through the MMC administration console (Already available in the web console).
Fixed: A few bugs in the web console
Improved: The user sessions report show up faster
Fixed: UserLock was not working correctly on domains with an '@' character in the NetBIOS name.
Fixed: Citrix presentation server 4.0 register now its GINA in a different way and this was leading after an upgrade of both products to the unability to open ICA sessions (the logon hang).
Improved: When a computer is removed from the domain with a session registered in UserLock the session is now automatically removed.

Important! For existing customers, the upgrade procedure was updated in the FAQ. Please take a look.

The version of the agent did not change.

UserLock 3.5 final release

Fixed: The database insertion thread was crashing in some case disallowing any new insertions
Fixed: UserLock 3.5 beta 2 was unable to logoff/lock users with the administration console
Fixed: Database connection string changes through the web interface were not applied immediately
Fixed: The 404 web page was not correctly registered in the IIS virtual folder

UserLock 3.5 beta 2

Added: Support of x64 workstations and terminal servers
Added: The UserLock server can be installed on x64 servers in the following modes: Primary server, backup server and relay server. The standalone terminal server mode is currently not supported.
Information: The x64 version of the agent is numbered 3.0.7.37 (instead of 3.0.7.35 for the x86 version)

UserLock 3.5 beta

New!

Ability to Logoff/Lock/reset several sessions at a time
Ability to reboot workstations
Ability to only display users with an active session

Reports cannot be displayed
The database wizard cannot be used to configure the database connection string
You cannot browse for computers or user accounts
You cannot start the Logon cleaner

All other components are exactly the same as in UserLock 3.05.

UserLock 3.05

Fixed: A memory leak in the service when the network zone was an Organization Unit.
Improved: If the service is unable to retrieve the computer lists from the network zone an error event is inserted only if the problem occurs during more than 30 min (e.g. DC unavailable)
Improved: Error handling while sending E-mail notifications

UserLock 3.04

Fixed: If the UserLock service was installed on a Windows server 2003 the console launched reports on the default database with a wrong connection string.
Fixed: In the User sessions report the total computer time was wrong in some cases
Fixed: Wild card characters were not working when using the User sessions report on a MS Access database
Fixed: The configuration wizard was unable to display organizational units on domain with a NetBIOS name different from the DNS name.
Improved: If the global catalog is too big the configuration wizard list only OUs in the local domain.
Fixed: When the remote registry service was not running on workstations the agent status was false (Upgrading (Waiting for reboot)) and the deployer did not report any error while installing the agent.
Fixed: Reports were printing the result on two US letter pages instead of one. If you still have the problem please contact us at suport@isdecisions.com.

UserLock 3.03

Fixed: A bug in the database insertion. An invalid character was added at the end of strings for some databases
Added: Ability to display a welcome message to the user with information about the last logon. You can configure this in protected accounts. You need to deploy the new agent for the feature.
Improved: AD tree is displayed faster in the Configuration wizard.
Improved: The service loads the computer list faster from organizational units
Added: In the User sessions report. The ability to filter computers with wildcards (*,?). For example to only display the report for room (example ROOM10*).
Added: The User sessions report can display the computer occupation percent during the report period and you can also specify the total number of computers for the calculation.
Fixed: The uninstall link was not checking if agents were still deployed

UserLock 3.02

Fixed: A bug while trying to send a test E-Mail or while specifying a new database connection string in the console (Unable to read data & Permanent error)
Added: Ability to only display user sessions outside working hours in the User sessions report
Added: Ability to group logons by user, domain, computer, client name or client address in the User sessions report.
Improved: During an administrative logoff or lock if the session was not found the session is removed from the database
Improved: Auto reconnection to the database after a connection failure
Improved: The deployer can detect IP conflicts to avoid the generation of events 3034:MRxSmb or 4:Kerberos (KRB_AP_ERR_MODIFIED). To enable this you need to create the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\CheckIpConflict = REG_DWORD:1 When done restart the UserLock service. The status of all faulty computers will display "Invalid address"
Added: The Logon Cleaner allowing you to regularly delete old logons in the UserLock database to save disk space. You can schedule the logon cleaning.
Fixed: The deployer was unable to update the agent on computers with a third party GINA installed
Improved: the export button for reports is available directly in the viewer

UserLock 3.01

Fixed: After registering the backup server client workstations were configured only after the next service start.
Fixed: After a workstation reboot the UserLock server was not able to detect lost sessions on this workstation.
Fixed: Client restrictions were not applied on terminal sessions during a session reconnection
Added: Ability to specify a computer name (instead of selecting the computer in the browser) in client restrictions
Fixed: A communication problem between the console and the server occuring only in rare cases (Symptom: incomplete computer and session list).
Fixed: Crash of the USerLock service if not enough swap file was available on the server.
Fixed: For workstations with a NetBIOS name with more than 15 characters the logoff was sometimes locking up the workstation.
Fixed: In evaluation mode the lock/unlock activity was not inserted in the database
Fixed: The export in CSV was not working in reports
Fixed: A bug that was leading in some cases to a service hang
Added: Abiliy to import automatically at the first service start-up settings of a previously installed copy of Userlock 2.x (except deployment settings)

UserLock 3.0 final release

Fixed: a bug in the logon policy
Improved: final version of the help file
Added: Error events for helping to understand problems during synchronization, notifications, database insertions.
Improved: Access denied directly at the connection to the service if the user is not allowed to administrate UserLock.
Fixed: When locking terminal sessions from the console the session was closed instead of disconnected.
Fixed: When a logon was denied for a terminal session a logoff was generated immediately after.

Information: This version is compliant with the agent of all versions greater or equal than 2.4. However if a UserLock 2.xx agent is deployed you should upgrade the agent as soon as possible to get all new features working.

UserLock 3.0 beta

New features:

Ability to protect terminal sessions. RDP sessions (Microsoft) and ICA sessions (Citrix)
Ability to protect standalone Terminal servers in a worgroup (using local accounts)
Backup servers (one for each primary server)
Ability to protect several domains with one primary server
Ability to protect only 1 organizational unit in a AD domain
Ability to log lock/unlock events on workstations
Ability to insert logon/logoff/lock/unlock events in a ODBC database
Two printable reports "User Sessions report", "User sessions statistics"
Regular check on all workstations for unknown sessions
Ability to logoff users in the UserLock console

Information: This version is compliant with the agent of all versions greater or equal than 2.4. However you should upgrade the agent as soon as possible to get all new features working.

UserLock 2.65

Improved: Deleted account are automatically removed from the user sesssions report (when the service starts)
Improved: Accounts with a last logon time older than 1 month are automatically removed form the user sesssions report (when the service starts)
Fixed: a bug leading to a periodic service crash in some cases
Fixed: The logons can be ordered according the logon/logoff time in the console
Fixed: Displayed columns can now be customized in the console

UserLock 2.64

Fixed: Bug in the policy settings

UserLock 2.63

Improved: Use 10 times less CPU
Improved: The agent doesn't display an error message during the logoff when the workstation is unplugged (for laptops)
Improved: Ability to display variables (%sessions%) in denied messages.

UserLock 2.62

Improved: If a user has exceeded the number of allowed sessions UserLock check that he's really logged on all computers before giving a negative answer. This feature require to upgrade to the new agent.
Improved: The deployment thread ping all computers before trying to connect to them in order to avoid long timeouts. If needed the ping can be disabled with the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\NoPing = 1 (DWORD)
Improved: The multiselection is now allowed when adding restricted/allowed workstations (Windows 2000).
Fixed: Bug in the notifications. The already logged on computers were not displayed since the 2.6 version.

Information: This version is compliant with the agent of all versions greater or equal than 2.4.

UserLock