General server properties
The 'General' server section allows you to define the main options for the UserLock server behavior.
The head items display some information about the current UserLock implementation ('Role', version, 'Protected zone').
UserLock server type
Displays the type of server. It can be 'Primary server', 'Backup server' or 'Standalone terminal server'.
Protected zone
The network zone defined during the 'Configuration wizard'. This is the network perimeter that the UserLock Primary server will be in charge of.
All the machines in this zone will be listed in the agent deployment engine view ('Agent distribution') in the UserLock console.
Service version
The version of UserLock Windows service. The information displayed here will allow our team to know exactly which version has been implemented.
Policy settings
Multiple 'Group protected accounts' can result in conflicts when authorizing a user to logon. For example, a user may belong to group A and group B and try to connect to a computer where group A is allowed to logon and group B is not allowed to. This situation results in a conflict where a policy has to be selected: to be either the most restrictive or the least restrictive as possible. The policy will therefore define whether the user from group A and group B will be allowed to logon or not.
Please note: A user can be a member of several permanent and/or temporary protected accounts (user, group or organizational unit). UserLock determines which rules to apply based on certain priorities. These priorities are described in the section named 'Priority management'.
Sessions
- Logoff disallowed sessions: If this box is checked, a security process is enabled to enforce the UserLock rules - in real time - after a period during which the protection is down- such as during a network issue or a server failure. During this time, UserLock restrictions will not be enforced, but all session events are logged locally. Once the connection has been restored, these event logs are sent to the server, and all UserLock restrictions will be applied to any sessions opened during the incident.
In the same way, when changes are made to the protected account rules – such as a reduction in the number of authorized sessions - the change will take effect immediately. UserLock will force a logoff for any existing sessions that exceeds this new limit.
Please note:- Only interactive sessions (workstation and terminal) will be forced logoff. Wi-Fi/VPN and IIS sessions won't be impacted by this option.
- Implementing a UserLock 'Backup server' allows to UserLock policies to be maintained.
- Wake up computers when needed: If enabled, UserLock will try to wake up computers on which there are sessions that currently block new sessions from logging in, or on which there are disallowed sessions.
- Session logoff order: Define which session(s) will be closed first
if the 'Logoff disallowed sessions' option is enabled. You can choose
to close the oldest session(s) first or the newest.
Please note: The logoff notification will be displayed to users for one minute before their session(s) is (are) closed.
Localization
The localization mask or file allows UserLock
to easily locate each computer (building, room).
- Mask
This option is ideal for academic or large size networks which most often apply a naming convention for their systems. New mask format (version 4.02 and higher, allows you to identify building/room with letters):
e.g.: WKSTA-*-%%-?? * = Building, % = Room, ? = machine number
Computer WKSTA-D-06-20 is in room 6 of building D. - Old mask format (kept for compatibility):
e.g.: XXXXXBBXRRXXX B = Building, R = Room, X = variable
Computer WKSTA-12-06-15 is in room 6 of building 12.
When the mask is specified, you will see the building and room ID for all relevant computers in the 'Agent distribution' view or in the 'User sessions' view (with view by machine enabled). - File
If you don't use any naming convention for your machines, this option allows you to import a 'CSV file' containing the localization of your machines. The file structure needs to have:
- one machine localization by line.
- three fields comprising the line separated by the special character defined for your operating system (usually a comma “,”), in the 'Regional settings/Additional settings'.
- the syntax by line is MachineName,Building,Room.
Example:
Server1,Building1,ServersRoom
Station1,Building1,245A
Station2,Building1,45678B
Station3,Building2,468A
Station4,Building2,468A
Click on the 'Add' button to browse and choose the 'CSV file' built as specified above. UserLock will copy your file into its installation folder. The original file won't be modified or moved.
To reset the localization file, click on the 'Delete' button. This action will delete the file copy which UserLock uses. The original file won't be impacted.
Please note:
- All modification of the localization file (add, replace or delete) may take up to five minutes to be effective. You can restart the UserLock service if you want to apply the localization file immediately.
- The localization mask feature is disabled when a localization file has been added. To enable the mask feature again, just delete the file using the 'Delete' button.
- The localization file can only be added from the UserLock local console of the UserLock server. This option cannot be modified from a remote UserLock console (Windows as Web console).
Quotas
- Carry over unused time count: If this option is enabled, the time not consumed when the quota period has ended is automatically added to the authorized time for the next period.
- Logoff notification timeout: The number of minutes during which the notification will be displayed to users when a quota has been reached. The logoff will be initiated after the number of minutes set except if users choose to launch it. This number of minutes is not deducted from the 'Time quota' limit - if you have set a 'Time quota' of 8 hours a day and a notification timeout of 10 minutes, then the logoff will be initiated after 8 hours and 10 minutes.
Local time
Checking 'Use the agent local time to apply Time restrictions' will take into consideration the time of the user machine instead of the time of the server to verify the time restrictions.
This is useful when the UserLock server is in another time zone to the machine on which the user connects.
Please note: If you enable this option, we suggest you to implement a security policy to deny users the permission to modify the local clock settings and thus prevent them bypassing the time restrictions.