UserLock API
UserLock server properties.
Inherits UlServerComponent.
Public Member Functions
override void GetInfo ()
Refresh all UserLock server properties from the server.
void GetInfo (ServerPropertyList propertyList)
Refresh selected UserLock server properties from the server. See the enum ServerPropertyList.
override void SetInfo ()
Update all UserLock server properties from the local ServerProperties instance to the server.
void SetInfo (ServerPropertyList propertyList)
Update selected properties from the local ServerProperties instance to the server. See the enum ServerPropertyList.
void ResetGUID ()
Reset server GUID.
void BlacklistUser (string accountName)
Blacklists a user.
Properties
Permissions Permissions [get, set]
Get/set UserLock administration permissions. See class Permissions.
bool AuditNotifications [get, set]
Enable/disable e-mail notifications for UserLock configuration modifications.
String AuditRecipient [get, set]
E-mail recipients for e-mail notifications of UserLock configuration modifications.
string AdminAccount [get, set]
Account that will be used to deploy the agent and log off sessions.
string AdminDomain [get, set]
Domain of the admin account.
string AdminPassword [get, set]
Password of the admin account.
int SSHSleepDelay [get, set]
By default, 100. Delay (in milliseconds) for each SSH internal action.
bool ClientIPOldMethod [get, set]
Revert to the old behaviour concerning ClientIP for workstation sessions.
OfflineMode InaccessibleAction [get, set]
Action to be taken for interactive connections (logons, unlocks, reconnections) if the UserLock server is inaccessible.
String IisMfaRedirectUrl [get, set]
URL to redirect to when MFA is required for IIS.
String IisMfaRedirectUrlPrivate [get, set]
URL to redirect to when MFA is required for IIS, on private networks.
bool MacSecurityActive [get, set]
Enable security checks for Macs.
String[] IpConsideredOutside [get, set]
List of IP addresses to be considered as outside the network (considered as indeterminate). This can be useful for requesting MFA for RDP sessions through a gateway, in which case you will need to add the gateway's IP address to this list. IPv4 ranges in 'ip/bits' format such as '192.168.1.0/24' are supported. This setting has a lower priority than the 'IpConsideredInside' setting.
bool EnforceIISMFAAppIdentity [get, set]
Enforce that remote MFA Apps for IIS are not run by users.
EnableMfaFallbackMode EnableMfaFallback [get, set]
Enable (default): Allow users to configure up to two MFA methods. Disable: Allow users to configure only one MFA method. Force: Force users to configure two MFA methods.
uint MaxHotpCodeCount [get, set]
Maximum number of out-of-sync HOTP codes (between the UserLock server counter and the hardware token counter) accepted. The authorized values for this setting are between 3 and 50 (by default 6).
string[] IisMfaDisabledForPath [get, set]
Some IIS applications cannot support MFA. Each entry in this list should be the path from the root (excluding the first separator). This is case insensitive.
bool MfaRecoveryCodeEnabled [get, set]
Enable configuration of recovery codes for MFA. Recovery codes are one-time-use codes generated when MFA is configured.
uint MfaRecoveryCodeCount [get, set]
When recovery codes for MFA are enabled, the number of codes generated for the end user.
bool MfaVpnChallenge [get, set]
Enable this setting if your VPN server supports RADIUS challenge for multi-factor authentication. If this option is enabled, no 'MFA failed' event is inserted into the database during the first step of an MFA VPN connection.
string UrlToContactOverInternet [get, set]
Public URL for the UserLock Anywhere application. When configured, this allows the UserLock desktop agent to contact the UserLock service when the machine is outside of the network.
String[] IpConsideredInside [get, set]
List of IP addresses to be considered as inside the network (considered as private addresses). IPv4 ranges in 'ip/bits' format such as '192.168.1.0/24' are supported. This setting has a higher priority than the 'IpConsideredOutside' setting.
bool OnlyOneActiveSessionLogoffIOLock [get, set]
Enable configuration of recovery codes for MFA. Recovery codes are one-time-use codes generated when MFA is configured.
string[] IisProxyList [get, set]
By default, empty. List of trusted proxies that can forward the real client IP address for IIS sessions.
string[] AuthorizedToDelegate [get, set]
By default, empty. List of computers trusted for agent delegation.
int SessionsWithoutNetworkLogoffAgentInternet [get, set]
The number of minutes the Desktop agent will wait between each request for the list of sessions to interact with. We recommend that you do not configure this with less than 10 minutes so as not to increase the workload of UserLock. By default this feature is disabled (-1).
String OutOfSyncTimeEmailRecipients [get, set]
List of e-mail recipients for notification when the UserLock service detects that the time is out of sync.
String OutOfSyncTimePopupRecipients [get, set]
List of popup recipients for notification when the UserLock service detects that the time is out of sync.
bool DisableMFAForIIS [get, set]
Disable MFA for IIS, regardless of effective restrictions.
bool DisableMFAForVPN [get, set]
Disable MFA for VPN, regardless of effective restrictions.
int MaxTotpCodeCount [get, set]
Maximum number of out-of-sync TOTP codes (between UserLock server time and smartphone or hardware token time; past and future) accepted. The authorized values for this setting are between 0 and 10 (by default 2). As this setting concerns past and future desynchronizations and the TOTP codes are renewed every 30 seconds, the effective number of desynchronized TOTP codes accepted is therefore (2 * (the value of this setting) + 1): the TOTP code for the current time, the TOTP codes for the current time minus AND plus 30 seconds, the TOTP codes for the current time minus AND plus 60 seconds, etc.
bool DisableNtpCheck [get, set]
Disable the NTP checks that occur when an MFA code is invalid for the TOTP method. This avoids connecting to the internet and/or having the agent freeze while waiting for validation of an invalid code.
bool EnforceAgentMachine [get, set]
If enabled, requires NPS agents to run as one of the computer accounts (LocalService, LocalSystem, or NetworkService) and IIS agents to run as one of the built-in accounts (ApplicationPoolIdentity, LocalService, LocalSystem, or NetworkService).
bool PushEnabled [get]
Whether Push is enabled.
bool AllowUserAuthenticationModeAgents [get, set]
If enabled, allows agents to log in to the UserLock service as the user account that is generating a session event (not recommended).
String[] CustomAppPoolIdentityWhitelist [get, set]
List of whitelisted custom App Pool Identities.
bool AllowUnencryptedAgents [get, set]
If enabled, allows unencrypted communications between agents and the UserLock service (not recommended). If the value of this variable is modified, a restart of the service is necessary for this modification to take effect.
int MaxMfaPollingTime [get, set]
Maximum time (in minutes) the agent will wait for MFA and, if Push is enabled, the maximum time agents will poll the service to check for Push validation. Minimum 3, maximum 15, default 5.
bool ResetSimilarWifiSessions [get, set]
If enabled (disabled by default), resets previous Wi-Fi sessions if a new similar (same user and same client) Wi-Fi logon event occurs.
String[] CustomUserAgentMfaWhitelist [get, set]
List of User-Agents or families of User-Agents that will be marked as supporting HTTP redirections properly in order to display MFA on IIS sessions. The UserLock server already has an internal list of known browsers.
bool DesktopAgentViaAnyWhere [get, set]
Force the desktop agent to communicate via UserLock AnyWhere.
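The acceptance window described for MaxTotpCodeCount, modelled as an added example (not UserLock code): it validates a code against the 2 * n + 1 time steps around the server time and shows how the window size raises the chance that a random guess is accepted. The 30-second step and the 0 to 10 range come from the page; HMAC-SHA1, 6-digit codes and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30                # from the page: codes are renewed every 30 seconds
DIGITS = 6                       # assumption: 6-digit codes
MIN_WINDOW, MAX_WINDOW = 0, 10   # authorized MaxTotpCodeCount range, from the page


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1 is an assumption here)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp_at(secret: bytes, unix_time: int) -> str:
    """TOTP code a token would display at the given Unix time."""
    return hotp(secret, unix_time // STEP_SECONDS)


def accepted_steps(max_totp_code_count: int) -> list:
    """Step offsets accepted for a setting value n: -n .. +n, i.e. 2n + 1 codes."""
    if not MIN_WINDOW <= max_totp_code_count <= MAX_WINDOW:
        raise ValueError("MaxTotpCodeCount must be between 0 and 10")
    return list(range(-max_totp_code_count, max_totp_code_count + 1))


def verify_totp(secret: bytes, code: str, server_time: int, max_totp_code_count: int):
    """Return the first step offset whose code matches, or None if none does."""
    current = server_time // STEP_SECONDS
    matched = None
    for delta in accepted_steps(max_totp_code_count):
        counter = current + delta
        if counter < 0:
            continue
        candidate = hotp(secret, counter)
        # Constant-time comparison; every candidate is checked even after a hit.
        if hmac.compare_digest(candidate.encode(), code.encode()) and matched is None:
            matched = delta
    return matched


def guess_probability(max_totp_code_count: int) -> float:
    """Upper bound on a single random guess being accepted at one instant."""
    return len(accepted_steps(max_totp_code_count)) / 10 ** DIGITS


# Constructed sample input: the RFC 6238 test secret and one of its timestamps.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SERVER_TIME = 1111111111

if __name__ == "__main__":
    # A token whose clock runs one step (30 s) behind the server.
    late_code = totp_at(SAMPLE_SECRET, SAMPLE_SERVER_TIME - STEP_SECONDS)
    for n in (0, 1, 2, 10):
        result = verify_totp(SAMPLE_SECRET, late_code, SAMPLE_SERVER_TIME, n)
        print(f"MaxTotpCodeCount={n:2d} accepts {len(accepted_steps(n)):2d} codes, "
              f"late code -> {result}, guess bound {guess_probability(n):.6%}")
```

A value of 0 accepts only the current code, so any clock drift fails; each increment adds two more valid codes at every instant, which is the cost to weigh against token drift.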
General
ServerMode ServerType [get]
Type of UserLock server. See the ServerMode enum.
bool MostRestrictive [get, set]
Choose between the "Most restrictive" policy (True) and the "Least restrictive" policy (False).
string LocationMask [get, set]
Read/write the localization mask used to extract buildings and rooms from workstation names.
bool WakeupWhenNeeded [get, set]
Get/set whether a wake-up order needs to be sent to a computer that is in sleep mode or powered off when a session on it is blocking an action.
bool LogoffExceedingSessions [get, set]
Get/set whether UserLock should automatically log off sessions for users who have been able to open more sessions than allowed.
ExceedingSessionsOrder ExceedingSessionsOrder [get, set]
Get/set the logon time order for closing sessions exceeding the limit. See the enum ExceedingSessionsOrder.
bool CarryOverUnusedTimeCount [get, set]
Get/set whether unused session time under a time quota is carried over to the next period.
int TimeQuotasLogoffCountdown [get, set]
Get/set the number of minutes to display the logoff notification message before closing a session because of an exceeded time quota.
int LocationMapCount [get]
Get the count of items in the location map file.
string ServiceVersion [get]
Get the version of the UserLock service.
string ProtectedZone [get]
Get the network zone protected by the UserLock service (Primary server mode).
bool AuditQueries [get, set]
Get/set whether UserLock should register an entry in the EventLog when a setting is queried.
bool UseTimezones [get, set]
Get/set whether UserLock should use client time instead of server time to apply time restrictions.
User Status
int DaysActivityOver [get, set]
The number of days of inactivity after which user accounts without a session will be cleaned up.
uint InactivePeriod [get, set]
Get/set the number of inactive days used to consider users as new ones. This value must always be less than DaysActivityOver.
uint InactivityThreshold [get, set]
Get/set the number of inactive days used to consider users as inactive. This value must always be less than DaysActivityOver.
CustomSessionLimits CustomSessionLimits [get, set]
List of concurrent session limits, for different kinds of sessions, above which users are considered suspicious. I_NOTCONFIGURED if no limit is set, I_UNLIMITED if unlimited.
int ConcurrentInitialAccessPointsLimit [get, set]
Get/set the concurrent initial access points limit above which users are considered suspicious. I_NOTCONFIGURED if no limit is set, I_UNLIMITED if unlimited.
uint DeniedLogonsByUl [get, set]
Get/set the number of logons denied by UserLock during a period for users to be considered suspicious.
uint DeniedLogonsByUlPeriod [get, set]
Get/set the period (in minutes) over which denied logons are counted to consider users as suspicious.
uint DeniedLogonsByWnd [get, set]
Get/set the number of logons denied by Windows during a period for users to be considered suspicious.
uint DeniedLogonsByWndPeriod [get, set]
Get/set the period (in minutes) over which denied logons are counted to consider users as suspicious.
String PopupRecipient [get, set]
Computer that will receive popup notifications when a user's status changes.
Notifications PopupNotifications [get, set]
List of all popup status notifications that should be sent.
String EmailRecipient [get, set]
E-mail recipients for e-mail status change notifications.
Notifications EmailNotifications [get, set]
List of all e-mail status change notifications that should be sent.
bool ChangeStatusImpersonation [get, set]
Get/set whether UserLock should change the status in case of session impersonation.
bool ChangeStatusPublicPrivateIAP [get, set]
Get/set whether UserLock should change the status in case of public and private initial access points at the same time.
SMTP settings
string SmtpFrom [get, set]
Get/set the From address for logon/logoff e-mail notifications.
string SmtpServer [get, set]
Get/set the SMTP server address for logon/logoff e-mail notifications.
int SmtpPort [get, set]
Get/set the SMTP port for logon/logoff e-mail notifications.
bool SmtpUseSSL [get, set]
Get/set whether the UserLock server will use SSL to send e-mail notifications to the SMTP server.
SmtpAuthentication SmtpAuthentication [get, set]
Get/set the authentication method used to send e-mail notifications to the SMTP server. See the enum SmtpAuthentication for more information.
string SmtpAccount [get, set]
Get/set the account used when the property SmtpAuthentication is set to ProvideCredentials.
string SmtpPassword [get, set]
Get/set the password used when the property SmtpAuthentication is set to ProvideCredentials.
License
string LicenseKey [get, set]
Get/set the UserLock license key.
DateTime LicenseExpiration [get]
Get the UserLock license expiration if the license is temporary.
DateTime MaintenanceExpiration [get]
Get the maintenance expiration if the license is permanent.
int LicenseMaxUsers [get]
The maximum number of consumable licenses.
LicenseStatus LicenseStatus [get]
Get the status of the license.
LicenseUseStatus LicenseUseStatus [get]
Use of the license. See the LicenseUseStatus enum for all possible values.
bool IsEval [get]
Read-only. true if evaluation, false otherwise.
bool IsSubscription [get]
Default value false. Read-only. true if subscription, false if perpetual.
bool IsByUser [get]
Default value true. Read-only. true if licensing by users, false otherwise.
bool IsMspLicense [get]
Default value false. Read-only. true if the license is an MSP license, false otherwise.
int NbLicenseConsumedTmp [get]
LicensedUsers LicensedUsers [get, set]
Only works with a license where IsByUser = true. List of licensed users.
BlacklistedUsers BlacklistedUsers [get, set]
Only works with a license where IsByUser = true. List of blacklisted licensed users.
int _NbLicenseConsumedTmp = 0
Logs
bool Logs [get, set]
Get/set whether logon/logoff events are logged in the UserLock database.
string ConnectionString [get, set]
Get or set the connection string to the UserLock database.
string DatabasePassword [set]
Password of the database connection.
string DatabaseReadOnlyPassword [set]
Password of the database connection.
bool DefaultDatabase [get, set]
Get/set whether UserLock uses the default MS Access database.
string ReadOnlyConnectionString [get, set]
Get/set a connection string that will be used to display reports.
bool LogsGmt [get, set]
Get/set whether UserLock inserts event times in GMT (UTC).
int SizeDataBaseQueue [get, set]
The maximum number of events in the database queue. Default 5120, minimum 1, maximum 100000.
string GetDatabasePassword ()
Get the password of the database.
string GetDatabaseReadonlyPassword ()
Get the read-only password of the database.
Standalone terminal server
bool TsProtectConsole [get, set]
Get/set whether the local console needs to be protected on the server (Standalone terminal server mode).
bool TsDisplayErrors [get, set]
Get/set whether errors should be displayed to the user (Standalone terminal server mode only).
bool TsDisableRefusedConnections [get, set]
Get/set whether logons refused by Windows are ignored (True) or sent to UserLock (False) (Standalone terminal server mode only).
bool TsScreenSaverAsLock [get, set]
Get/set whether screen saver time is considered as locked time (Standalone terminal server mode only).
JoinMode TsJoinMode [get, set]
Get/set the join mode if a session already exists on the server for the user (Standalone terminal server mode only). See the enum JoinMode.
Synchronization
string SyncServer [get, set]
Get/set the name of the primary server (Backup server mode only).
int SyncSize [get, set]
Get/set the maximum synchronization size (Backup server mode only).
int SyncTimeout [get, set]
Get/set the time interval between each synchronization.
DateTime LastSync [get]
Get the date and time the last synchronization occurred.
int SyncLogSize [get]
Get the size of the synchronization file.
Advanced
bool AllowSimpleReportWithUsers [get, set]
By default, False. Get/set whether simple reporting of user sessions with user names should be allowed (True) or not (False). If True, this report can be accessed via the REPORTMACHINESIMPLE2 UlTerm command and displays user names. If False, the response to the REPORTMACHINESIMPLE2 UlTerm command will be an error message. For this change to be applied in the SysLocator web console, it is necessary to edit the 'ProgramFiles(x86)%\ISDecisions\UserLock\WebPublic\Web.config' file, assigning True to the DisplayUserNames property.
string[] NotCountedComputers [get, set]
By default, empty. List of computers for which sessions will not be protected and will not be taken into account when protecting other sessions (maximum number of sessions etc.). Caution: this feature may not work as expected for logons without network connection. To avoid such problems, one solution is to use UserLock Anywhere.
int MaxRunningLogoffThreads [get, set]
The maximum number of running logoff threads.
bool NoPing [get, set]
If set, the UserLock service will not ping computers before communicating with them.
bool CheckIpConflict [get, set]
By default, False. If set to True, the UserLock server will check for conflicts between IP addresses before connecting to protected computers. In case of ghost computers in Active Directory, this prevents MRxSmb or Kerberos warnings from appearing in the Windows System log. Note that the best approach is to remove all ghost computers from Active Directory.
int AdSearchLevel [get, set]
Active Directory search level. 0 or 1: Do not search into the global catalog. 2 or more: Search into the global catalog.
int UnavailableTimeForRemove [get, set]
By default, -1 (disabled). If enabled and set to a number N, this setting allows the UserLock service to automatically reset interactive sessions on computers that are not accessible for at least N minutes and have not contacted the service for at least N minutes. If you change it, make sure that all machines protected by UserLock meet the requirements to avoid resetting the sessions by mistake. Keep in mind that setting a low value for this variable can cause problems for sessions opened on an inaccessible machine. This setting is not recommended: it can be considered a security breach, because users can disconnect workstations from the network to get the session reset, and then connect elsewhere.
bool RemovePreviousUnavailable [get, set]
If set, the UserLock service will remove sessions if the user is no longer logged on.
int WaitBetweenCheck [get, set]
The time interval between each computer check, in milliseconds. The default value is 500 (half a second). 50 can be a good alternative to speed up verification on all computers. A restart of the service is required after changing this value.
int NetBIOSInterface [get, set]
The NetBIOS interface level.
bool DeployFQDN [get, set]
By default, True. If set to False, the UserLock server will deploy its NetBIOS name (instead of its FQDN name) to all computers in the network area that is protected by UserLock. Therefore, all computers in the network area that are protected by UserLock will connect to the UserLock server with the NetBIOS name (if set to False) or with its FQDN name (if set to True).
bool DeadLockDetection [get, set]
If set, the UserLock service will detect deadlocks.
bool IgnoreContraintViolations [get, set]
If set, the UserLock service will ignore database constraint violations.
int NbUsersPerPacket [get, set]
The number of users per packet used to update user data.
bool DisableLoadBooster [get, set]
If set, the UserLock service will resolve accounts using no booster.
int LogoffWaitInterval [get, set]
Obsolete setting. By default, 1000. Number of milliseconds between each logoff initiated by UserLock. It is not recommended to set this setting to a low value if the network zone protected by UserLock has performance issues. For example, by default, if 600 sessions are to be closed, it will take 10 minutes to initiate all logoffs.
bool VdiMode [get, set]
By default, False. As explained at https://www.isdecisions.com/products/userlock/help/protectedsessions/interactive_sessions.htm, only remote sessions targeting server operating systems will be considered as Terminal sessions. In all other Interactive contexts, sessions will be considered as Workstation sessions. If set to True, all sessions opened remotely will be considered as Terminal sessions, and all sessions opened locally will be considered as Workstation sessions.
bool UseFqdn [get, set]
By default, True. If set to False, the UserLock server will try to connect to all computers of the UserLock protected network zone with the NetBIOS name of each computer in place of its FQDN name.
string[] IncludedComputers [get, set]
By default, empty. List of computers that are not in the network zone protected by UserLock, but that you want to include in the protection. For each device, add its NetBIOS name. After that, restart the UserLock service.
string[] ExcludedComputers [get, set]
By default, empty. List of computers that are in the network zone protected by UserLock, but that you want to exclude from the protection. For each device, add its NetBIOS name. After that, restart the UserLock service.
string[] ExcludedAutoComputers [get, set]
By default, empty. List of computers that are in the network zone protected by UserLock, but that you want to exclude from the Desktop Agent auto-deployment. For each device, add its NetBIOS name. After that, restart the UserLock service.
bool DoCompareToUserLock7Algorithm [get, set]
If set, compare the current result with that of the UserLock 7 algorithm. The default value is False. It is read-only from a backup UserLock server. This property will soon be deprecated.
int MacListeningPort [get, set]
The TCP port used by UserLock to listen to macOS agents. The default value is 50555.
bool SessionWithDescription [get, set]
If set, and logoff of distant sessions is also enabled, sends the list of all sessions with descriptions to agents.
string WebHookUrl [get, set]
URL for webhook notifications. Supports HTTPS & HTTP.
int WebHookRetryNumber [get, set]
Number of retries for webhook notifications. Value must be in the range [0, 500].
bool AddUserDataInUserSessionsIfEffRestReq [get, set]
If set, when effective restrictions are requested (through UserLockPowerShell or UserLockAPI), user account data are automatically added to the "User sessions" data.
string ServerGuid [get]
Server GUID.
string DcToContactForServerMember [get, set]
If configured, the name of the domain controller that will be contacted for updating members of group protected accounts. Otherwise, the first available domain controller will be contacted.
double PercentageLicenceNotifications [get, set]
The percentage above which notifications are sent to warn that the current number of licenses consumed is close to the maximum. Note that e-mails will only be sent if the following UserLock server properties are configured: E-mail settings for notifications, and UserLock modification notifications.
int SaveInterval [get, set]
int SessionCheckInterval [get, set]
The time between two session checks.
int AgentDistributionThreads [get, set]
Number of threads used for UserLock agent distribution data. The default value is 5. Changing this number requires a restart of the UserLock service to be effective.
bool DisableInitialAccessPointFeature [get, set]
If set, the Initial Access Point feature will be disabled. The default value is false. It is read-only from a backup UserLock server.
bool DisableGhostSessionCheckingOnAgent [get, set]
If set to false (which is the default value), the UserLock service remotely checks the sessions of each protected machine (if it finds that the sessions in the "User Sessions" view data are not in the registry of the protected machine, it performs a reset of the affected session), and the desktop agent compares its session data with the Windows session data every minute (if a session of the agent's data is not in the Windows session data, it sends a logoff event for the affected session to the UserLock server).
bool ApplyRestrictionsOnUnlock [get, set]
By default, True. If enabled, all restrictions, including MFA, will be applied when unlocking or reconnecting to a session. It is strongly recommended to keep it activated as it enhances security.
bool DenyInteractiveConnectionsIfUserLockInaccessible [get, set]
By default, False. If set to True, when the UserLock service is inaccessible, all interactive sessions will be denied (logons, unlocks, reconnects). This property will soon be deprecated; use the 'Connections from offline machines' setting available in the 'General' section of the 'Server properties' view instead.
bool SSHLogonWorkaround [get, set]
By default, False. If set to True, the workaround for SSH connections is enabled. Please note: this setting is not retained if the UserLock service is restarted.
bool MFAHelpMeEnabled [get, set]
If set, the "Help Me" button will be displayed for MFA.
String MFAHelpMeEmailRecipients [get, set]
List of e-mail recipients for the MFA "Help Me" feature.
String MFAHelpMePopupRecipients [get, set]
List of popup recipients for the MFA "Help Me" feature.
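The precedence between IpConsideredInside and IpConsideredOutside, modelled as an added example (not UserLock code): it classifies a client address with Inside taking priority, and flags Outside entries that an Inside range silently overrides, which is the mistake that would leave a gateway address exempt from the MFA prompt the Outside list was meant to trigger. The RFC 1918 fallback for addresses in neither list, the function names and all sample addresses are assumptions of this sketch.

```python
import ipaddress

# Assumption: addresses in neither list fall back to "private means inside".
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def parse_entry(entry: str):
    """Parse one list entry: a single address or an 'ip/bits' range."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def in_any(addr, networks) -> bool:
    """True if addr belongs to one of the networks (mixed IP versions never match)."""
    return any(addr in net for net in networks)


def classify(client_ip: str, inside: list, outside: list) -> str:
    """Return 'inside' or 'outside'; the Inside list has the higher priority."""
    addr = ipaddress.ip_address(client_ip)
    if in_any(addr, [parse_entry(e) for e in inside]):
        return "inside"
    if in_any(addr, [parse_entry(e) for e in outside]):
        return "outside"
    return "inside" if in_any(addr, RFC1918) else "outside"


def shadowed_outside_entries(inside: list, outside: list) -> dict:
    """Map each Outside entry that Inside overrides to 'full' or 'partial'."""
    inside_nets = [parse_entry(e) for e in inside]
    report = {}
    for entry in outside:
        net = parse_entry(entry)
        same_version = [i for i in inside_nets if i.version == net.version]
        if any(net.subnet_of(i) for i in same_version):
            report[entry] = "full"       # the entry never takes effect
        elif any(net.overlaps(i) for i in same_version):
            report[entry] = "partial"    # part of the range is still treated as inside
    return report


# Constructed sample configuration: an RDP gateway at 10.0.0.5 listed as outside.
SAMPLE_OUTSIDE = ["10.0.0.5"]
SAMPLE_INSIDE_OK = ["192.168.1.0/24"]
SAMPLE_INSIDE_BAD = ["10.0.0.0/8"]      # covers the gateway, so Inside wins

if __name__ == "__main__":
    for label, inside in (("ok", SAMPLE_INSIDE_OK), ("bad", SAMPLE_INSIDE_BAD)):
        print(label, "gateway ->", classify("10.0.0.5", inside, SAMPLE_OUTSIDE),
              "| shadowed:", shadowed_outside_entries(inside, SAMPLE_OUTSIDE))
```

Running the shadow check before calling SetInfo catches an Inside range that would cancel a gateway entry in the Outside list.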
UserLock server properties.
Example: Change the policy on the local server from "Most restrictive" to "Least restrictive"
override void GetInfo ()
Refresh all UserLock server properties from the server.
void GetInfo (ServerPropertyList propertyList)
Refresh selected UserLock server properties from the server. See the enum ServerPropertyList.
override void SetInfo ()
Update all UserLock server properties from the local ServerProperties instance to the server.
void SetInfo (ServerPropertyList propertyList)
Update selected properties from the local ServerProperties instance to the server. See the enum ServerPropertyList.
void ResetGUID ()
Reset server GUID.
string GetDatabasePassword ()
Get the password of the database.
string GetDatabaseReadonlyPassword ()
Get the read-only password of the database.
void BlacklistUser (string accountName)
Blacklists a user.
accountName: The user name with the syntax (domain name)(SAM account name)
|
get |
Type of UserLock server. See the ServerMode enum.
|
getset |
Choose between the "Most restrictive" policy (True) and the "Least restrictive" policy (False).
|
getset |
Read/write the localization mask allowing to extract buildings and rooms from workstation names.
|
getset |
Get/set if a wake up order needs to be sent to a computer in sleep mode or powered off when a session on it is blocking an action
|
getset |
The number of days of inactivity after which user accounts without a session will be cleaned up.
|
getset |
Get/Set the days inactive to consider the users as new ones. This variable has to be always less than DaysActivityOver.
|
getset |
Get/Set the days inactive to consider the users as inactives. This variables has to be always less than DaysActivityOver.
List of concurrent session limits for different kind of sessions to consider the users as suspicious if they are over passed. I_NOTCONFIGURED if no limit is set, I_UNLIMITED if unlimited.
|
getset |
Get/Set the concurrent initial access points limit to consider the users as suspicious if it is over passed. I_NOTCONFIGURED if no limit is set, I_UNLIMITED if unlimited.
|
getset |
Get/Set the number of denied logons, by UserLock, during a period to consider the users as suspicious.
|
getset |
Get/Set the period (minutes) counting denied logons to consider the users as suspicious.
|
getset |
Get/Set the number of denied logons, by Windows, during a period to consider the users as suspicious.
|
getset |
Get/Set the period (minutes) counting denied logons to consider the users as suspicious.
|
getset |
Computer that will receive popup notifications when the user changes his status.
|
getset |
List of all popup status notifications that should be sent.
|
getset |
E-mail recipients for E-mail status change notifications.
|
getset |
List of all email status change notifications that should be sent.
|
getset |
Get/set if UserLock should change the status in case of session impersonation
|
getset |
Get/set if UserLock should change the status in case of public and private initial access points at the same time
|
getset |
Get/Set the From address for Logon/Logoff E-mail notifications.
|
getset |
Get/Set the SMTP server address for Logon/Logoff E-mail notifications.
|
getset |
Get/Set the SMTP port for Logon/Logoff E-mail notifications.
|
getset |
Get/set if the UserLock server will use SSL to send E-mail notifications to the SMTP server
Get/set the authentication method used to send E-mail notifications to the SMTP server. See the enum SmtpAuthentication for more information.
|
getset |
Get/set the account used when the property SmtpAuthentication is set to ProvideCredentials
|
getset |
Get/set the password used when the property SmtpAuthentication is set to ProvideCredentials
|
getset |
Get/Set the UserLock license key.
|
get |
Get the UserLock license expiration if the license is temporary.
|
get |
Get the maintenance expiration if the license is permanent.
|
get |
The maximum number of consumable licenses.
Get the status of license.
Use of the license. See the LicenseUseStatus enum for all possible values.
|
get |
Read-only. true if evaluation, false otherwise.
|
get |
Default value false. Read-only. true if subscription, false if perpetual.
|
get |
Default value true. Read-only. true if licensing by users, false otherwise.
|
get |
Default value false. Read-only. true if is license MSP, false otherwise.
|
getset |
Fonction uniquement avec license : IsByUser = true Liste des utilisateurs licenciés
|
getset |
Works only with a license where IsByUser = true. List of blacklisted licensed users.
|
getset |
Get/set if logon/logoff events are logged in the UserLock database
|
getset |
Get or set the connection string to the UserLock database
|
set |
Password of the database connection
|
set |
Password of the database connection
|
getset |
Get/set if UserLock uses the default MS Access database.
|
getset |
Get/set a connection string that will be used to display reports
|
getset |
Get/set if UserLock inserts event time in GMT (UTC).
|
getset |
The maximum number of events in the database queue. Default 5120, minimum 1, maximum 100000.
|
getset |
Get/set UserLock administration permissions. See class Permissions
|
getset |
Enable/disable the notifications by email for UserLock configuration modifications.
|
getset |
E-mail recipients for E-mail notifications of UserLock configuration modifications.
|
getset |
Account that will be used to deploy the agent and logoff sessions
|
getset |
Domain of the admin account
|
getset |
Password of the admin account
|
getset |
Get/set if the local console needs to be protected on the server (Standalone terminal server mode).
|
getset |
Get/set if errors should be displayed to the user (Standalone terminal server mode only).
|
getset |
Get/Set if logons refused by Windows are ignored (True) or sent to UserLock (False) (Standalone terminal server mode only).
|
getset |
Get/set if screen saver time is considered as locked time (Standalone terminal server mode only).
|
getset |
Get/set the join mode if a session already exists on the server for the user (Standalone terminal server mode only). See the enum JoinMode.
|
getset |
Get/set the name of the primary server (Backup server mode only).
|
getset |
Get/set maximum synchronization size (backup server mode only).
|
getset |
Get/set the time interval between each synchronization.
|
get |
Get the date and time the last synchronization occurred.
|
get |
Get the size of the synchronization file.
|
getset |
Get/set if UserLock should automatically logoff sessions for users that have been able to open more sessions than allowed.
Get/set the logon time order for closing sessions exceeding the limit. See the enum ExceedingSessionsOrder.
|
getset |
Get/set if unused session time under a time quota is carried over to the next period.
|
getset |
Get/set the number of minutes to display the logoff notification message before closing a session because of an exceeded time quota.
|
get |
Get the count of items in the location map file
|
get |
Get the version of the UserLock service.
|
get |
Get the network zone protected by the UserLock service (Primary server mode).
|
getset |
Get/set if UserLock should register an entry in the EventLog when a setting is queried.
|
getset |
Get/set if UserLock should use client time instead of server time to apply time restrictions
|
getset |
By default, False. Get/Set whether simple reporting of user sessions with user names should be allowed (True) or not (False). If True, this report can be accessed via the REPORTMACHINESIMPLE2 UlTerm command and displays user names. If False, the response to the REPORTMACHINESIMPLE2 UlTerm command will be an error message. For this change to be applied in the SysLocator web console, it is necessary to edit the '%ProgramFiles(x86)%\ISDecisions\UserLock\WebPublic\Web.config' file, assigning True to the DisplayUserNames property.
|
getset |
By default, empty. List of computers for which sessions will not be protected and will not be taken into account when protecting other sessions (maximum number of sessions etc.). Caution: this feature may not work as expected for logons without network connection. To avoid such problems, one solution is to use UserLock Anywhere.
|
getset |
The maximum number of running logoff threads.
|
getset |
If set, then the UserLock service will not ping computers before communicating with them.
|
getset |
By default, False. If set to True, the UserLock server will check for conflicts between IP addresses before connecting to protected computers. In case of ghost computers in Active Directory, this prevents MRxSmb or Kerberos warnings in the Windows System log. Note that the best solution is to remove all ghost computers from Active Directory.
|
getset |
Active Directory search level. 0 or 1: Do not search into the global catalog. 2 or more: Search into the global catalog.
|
getset |
By default, -1 (disabled). If enabled and set to a number N, this setting allows the UserLock service to automatically reset interactive sessions on computers that have been inaccessible for at least N minutes and have not contacted the service for at least N minutes. If you change it, make sure that all machines protected by UserLock meet the requirements, to avoid resetting sessions by mistake. Keep in mind that a low value can cause problems for sessions opened on an inaccessible machine. This setting is not recommended: it can be considered a security breach, because users can disconnect a workstation from the network to get the session reset and then connect elsewhere.
|
getset |
If set, then the UserLock service will remove sessions if user is no longer logged on.
|
getset |
The time interval between each computer check, in milliseconds. The default value is 500 (half a second). 50 can be a good alternative to speed up verification on all computers. A restart of the service is required after changing this value.
|
getset |
The NetBIOS interface level.
|
getset |
By default, True. If set to False, the UserLock server will deploy its NetBIOS name (instead of its FQDN name) to all computers in the network area that is protected by UserLock. Therefore, all computers in the network area that are protected by UserLock will connect to the UserLock server with its NetBIOS name (if set to False) or with its FQDN name (if set to True).
|
getset |
If set, then the UserLock service will detect deadlocks.
|
getset |
If set, then the UserLock service will ignore database constraint violations.
|
getset |
The number of users per packet used to update user data.
|
getset |
If set, then the UserLock service will resolve accounts using no booster.
|
getset |
Obsolete setting. By default, 1000. Number of milliseconds between each logoff initiated by UserLock. Setting this to a low value is not recommended if the network zone protected by UserLock has performance issues. For example, by default, if 600 sessions are to be closed, it will take 10 minutes to initiate all logoffs.
|
getset |
By default, False. As explained at https://www.isdecisions.com/products/userlock/help/protectedsessions/interactive_sessions.htm, only remote sessions targeting server operating systems will be considered as Terminal sessions. In all other Interactive contexts, sessions will be considered as Workstation sessions. If set to True, all sessions opened remotely will be considered as Terminal sessions, and all sessions opened locally will be considered as Workstation sessions.
|
getset |
By default, True. If set to False, then the UserLock server will try to connect to all computers of the UserLock protected network zone with the NetBIOS name of each computer in place of its FQDN name.
|
getset |
By default, empty. List of computers that are not in the network zone protected by UserLock, but that you want to include in the protection. For each device, add its NetBIOS name. After that, restart the UserLock service.
|
getset |
By default, empty. List of computers that are in the network zone protected by UserLock, but that you want to exclude from the protection. For each device, add its NetBIOS name. After that, restart the UserLock service.
|
getset |
By default, empty. List of computers that are in the network zone protected by UserLock, but that you want to exclude from the Desktop Agent auto-deployment. For each device, add its NetBIOS name. After that, restart the UserLock service.
|
getset |
If set, the current result is compared with that of the UserLock 7 algorithm. The default value is False. It is read-only from a backup UserLock server. This property will soon be deprecated.
WinForms: the Browsable(false) attribute must be combined with Obsolete so that the property is not displayed.
|
getset |
The TCP port used by UserLock to listen to macOS agents. The default value is 50555.
|
getset |
If set, and logoff of remote sessions is also enabled, the list of all sessions with descriptions is sent to agents.
|
getset |
URL for webhook notifications. Supports HTTPS & HTTP.
|
getset |
Number of retries for webhook notifications. Value must be in the range [0, 500].
|
getset |
If set, when effective restrictions are asked (through UserLockPowerShell or UserLockAPI), user account data are automatically added in "User sessions" data.
|
get |
Server GUID
|
getset |
If configured, the name of the domain controller that will be contacted for updating members of group protected accounts. Otherwise, the first available domain controller will be contacted.
|
getset |
The percentage above which notifications are sent to warn that the current number of licenses consumed is close to the maximum. Note that emails will only be sent if the following UserLock server properties are configured: E-mail settings for notifications, and UserLock modification notifications.
|
getset |
The time between two session checks.
|
getset |
Number of threads used for UserLock agent distribution data. The default value is 5. Changing this number requires a restart of the UserLock service to be effective.
|
getset |
If set, the Initial Access Point feature will be disabled. The default value is false. It is read-only from a backup UserLock server.
|
getset |
If set to false (which is the default value), the UserLock service remotely checks the sessions of each protected machine (if it finds that the sessions in the "User Sessions" view data are not in the registry of the protected machine, it performs a reset of the affected session), and the desktop agent compares its session data with the Windows session data every minute (if a session of the agent's data is not in the Windows session data, it sends a logoff event for the affected session to the UserLock server).
|
getset |
By default, True. If enabled, all restrictions - including MFA - will be applied when unlocking or reconnecting to a session. It is strongly recommended to keep it activated as it enhances security.
|
getset |
By default, False. If set to True, when the UserLock service is inaccessible, all interactive sessions will be denied (logons, unlocks, reconnects). This property will soon be deprecated; use the 'Connections from offline machines' setting available in the 'General' section of the 'Server properties' view instead.
|
getset |
By default, False. If set to True, the workaround for SSH connections is enabled. Please note: this setting is not retained if the UserLock service is restarted.
|
getset |
If set, the button "Help Me" will be displayed for the MFA.
|
getset |
List of e-mail recipients for the MFA "Help Me" feature.
|
getset |
List of popup recipients for the MFA "Help Me" feature.
|
getset |
By default, 100. Delay (in milliseconds) for each SSH internal action.
|
getset |
Revert back to old behaviour concerning ClientIP for workstation sessions.
|
getset |
Action to be taken for interactive connections (logons, unlocks, reconnections) if the UserLock server is inaccessible.
|
getset |
URL to redirect when MFA is required for IIS.
|
getset |
URL to redirect when MFA is required for IIS, on private networks.
|
getset |
Enable security checks for Macs
|
getset |
List of IP addresses to be considered as outside the network (considered as indeterminate). This can be useful for requesting the MFA for RDP sessions through a gateway, in which case you will need to add the gateway's IP address to this list. IPv4 ranges in 'ip/bits' format such as '192.168.1.0/24' are supported. This setting has a lower priority than the 'IpConsideredInside' setting.
|
getset |
Enforce that remote MFA Apps for IIS are not run by users.
|
getset |
Enable (default): Allow users to configure up to two MFA methods. Disable: Allow users to configure only one MFA method. Force: Force users to configure two MFA methods.
|
getset |
Maximum number of out of sync HOTP codes (between UserLock server counter and hardware token counter) accepted. The authorized values for this setting are between 3 and 50 (by default 6).
|
getset |
Some IIS applications cannot support MFA. Each entry in this list should be the path from the root (excluding the first separator). Entries are case insensitive.
Example: for URL https://server/disablemfa add "disablemfa" to this list.
|
getset |
Enable configuration of recovery codes for MFA. Recovery codes are one-time-use codes generated when MFA is configured.
Disabled by default (false).
|
getset |
When recovery codes for MFA are enabled, the number of codes generated for the end user.
Limited to values between 4 and 20 (inclusive). Default 10.
|
getset |
Enable this setting if your VPN server supports RADIUS challenge for multi-factor authentication. If this option is enabled, no 'MFA failed' event is inserted into the database during the first step of an MFA VPN connection.
|
getset |
Public URL for the UserLock Anywhere application. When configured, this allows the UserLock desktop agent to contact the UserLock service when the machine is outside of the network.
|
getset |
List of IP addresses to be considered as inside the network (considered as private addresses). IPv4 ranges in 'ip/bits' format such as '192.168.1.0/24' are supported. This setting has a higher priority than the 'IpConsideredOutside' setting.
|
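The precedence between the two IP lists can hide a misconfiguration: an outside entry (for example an RDP gateway) that falls within an inside range never takes effect. The following sketch is an added example, not UserLock code; it models only the priority rule and the 'ip/bits' format stated on this page, and the function names, the "unlisted" result and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse(entries):
    """Parse single IPv4 addresses or 'ip/bits' ranges; host bits are tolerated."""
    return [ipaddress.IPv4Network(e.strip(), strict=False) for e in entries]

def classify(client_ip, inside, outside):
    """Classify one client address. The inside list is checked first because
    the page gives 'IpConsideredInside' the higher priority."""
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in net for net in parse(inside)):
        return "inside"
    if any(addr in net for net in parse(outside)):
        return "outside"
    # Hypothetical label: how the server treats addresses in neither list
    # is not modelled here.
    return "unlisted"

def shadowed_outside_entries(inside, outside):
    """Return (outside_entry, covering_inside_range) pairs for outside entries
    that are fully covered by an inside range and so can never match."""
    inside_nets = parse(inside)
    findings = []
    for raw, net in zip(outside, parse(outside)):
        for cover in inside_nets:
            if net.subnet_of(cover):
                findings.append((raw, str(cover)))
                break
    return findings

# Constructed sample configuration: 10.20.30.40 stands for an RDP gateway
# that the administrator wants treated as outside so that MFA is requested.
INSIDE = ["10.0.0.0/8", "192.168.1.0/24"]
OUTSIDE = ["10.20.30.40", "203.0.113.0/24"]

if __name__ == "__main__":
    for ip in ("10.20.30.40", "203.0.113.7", "198.51.100.1"):
        print(ip, "->", classify(ip, INSIDE, OUTSIDE))
    for entry, cover in shadowed_outside_entries(INSIDE, OUTSIDE):
        print(f"outside entry {entry} is overridden by inside range {cover}")
```

Running the check before saving both lists shows that the gateway entry is overridden by 10.0.0.0/8; narrowing the inside range so it no longer covers the gateway makes the outside entry effective.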
getset |
Enable configuration of recovery codes for MFA. Recovery codes are one-time-use codes generated when MFA is configured.
Disabled by default (false).
|
getset |
By default, empty. List of trusted proxies that can forward the real client IP address for IIS sessions.
|
getset |
By default, empty. List of computers trusted for agent delegation
|
getset |
The number of minutes the Desktop agent will wait between each request for the list of sessions to interact with. We recommend that you do not configure with less than 10 minutes so as not to increase the workload of UserLock. By default this feature is disabled (-1).
|
getset |
List of e-mail recipients for notification when the UserLock service detects that the time is out of sync.
|
getset |
List of popup recipients for notification when the UserLock service detects that the time is out of sync.
|
getset |
Disable MFA for IIS, regardless of effective restrictions.
|
getset |
Disable MFA for VPN, regardless of effective restrictions.
|
getset |
Maximum number of out of sync TOTP codes (between UserLock server time and smartphone or hardware token time; past and future) accepted. The authorized values for this setting are between 0 and 10 (by default 2). As this setting concerns past and future desynchronizations and the TOTP codes are renewed every 30 seconds, the effective number of desynchronized TOTP codes accepted is therefore (2 * (the value of this setting) + 1): the TOTP code of the current time, the TOTP code for the current time minus AND plus 30 seconds, the TOTP code for the current time minus AND plus 60 seconds, etc.
|
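The (2 * value + 1) rule above determines how many codes are valid at any instant, and therefore how long a captured code stays usable. The following sketch is an added example, not UserLock's implementation: it assumes standard RFC 6238 TOTP with HMAC-SHA1 and 6 digits, uses the published RFC 4226 test key as a constructed secret, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds between TOTP codes, as stated on this page

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (dynamic truncation of HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def accepted_steps(now: int, window: int):
    """Time-step counters accepted at 'now': current step plus/minus 'window'."""
    current = now // STEP
    return [current + d for d in range(-window, window + 1) if current + d >= 0]

def verify(secret: bytes, code: str, now: int, window: int):
    """Return the matched step offset (0 = in sync, -2 = 60 s behind) or None."""
    current = now // STEP
    for d in sorted(range(-window, window + 1), key=abs):  # closest steps first
        counter = current + d
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter), code):
            return d
    return None

def validity_seconds(window: int) -> int:
    """Total time span during which one generated code is accepted."""
    return (2 * window + 1) * STEP

# Constructed sample: the RFC 4226 test key, evaluated at Unix time 150
# (time step 5), so the expected codes are the published test vectors.
SECRET = b"12345678901234567890"
NOW = 150

if __name__ == "__main__":
    for w in (0, 2, 10):
        print(f"window={w}: {len(accepted_steps(NOW, w))} codes valid at once, "
              f"each accepted for {validity_seconds(w)} s")
    # A code generated 60 seconds earlier passes with the default of 2 only.
    print(verify(SECRET, hotp(SECRET, 3), NOW, 2), verify(SECRET, hotp(SECRET, 3), NOW, 1))
```

With the default of 2, five codes are valid at once and each one is accepted for 150 seconds; at the maximum of 10, a single code is accepted for 630 seconds.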
getset |
Disable the NTP checks that occur when an MFA code is invalid for the TOTP method. This avoids connecting to the internet and/or having the agent freeze while waiting for validation of an invalid code.
|
getset |
If enabled, requires NPS agents to run as one of the computer accounts (LocalService, LocalSystem, or NetworkService) and IIS agents to run as one of the built-in accounts (ApplicationPoolIdentity, LocalService, LocalSystem, or NetworkService).
|
get |
Indicates whether push is enabled.
|
getset |
If enabled, allows agents to log in to the UserLock service as the user account that is generating a session event (not recommended).
|
getset |
List of custom App Pool Identities whitelisted.
|
getset |
If enabled, allows unencrypted communications between agents and the UserLock service (not recommended). If the value of this variable is modified, a restart of the service is necessary for this modification to take effect.
|
getset |
Maximum time (in minutes) the agent will wait for MFA and, if Push is enabled, the maximum time agents will poll the service to check for Push validation. Minimum 3, maximum 15, default 5.
|
getset |
If enabled (disabled by default), resets previous Wi-Fi sessions if a new similar (same user and same client) Wi-Fi logon event occurs.
|
getset |
List of User-Agents or families of User-Agents that will be marked as properly supporting HTTP redirections, in order to display MFA on IIS sessions. The UserLock server already has an internal list of known browsers.
|
getset |
Force the desktop agent to communicate via UserLock Anywhere.