Get a Handle on Logons
Thwart lockouts with UserLock v2.2.
Every month I get several calls from users saying their accounts are
locked. It seems that no matter how many times the help desk resets their
passwords, their accounts continue to get locked out after a few minutes.
My response is always the same. “Looks like you changed your password
and you’re logged on somewhere else with the old password. Where did you
last log on?”
This is frustrating to troubleshoot, because it means you have to comb
the event logs looking for entries indicating locked accounts. You can
prevent this by limiting users to a single logon, which can be accomplished
by only allowing users to log on to a single machine based on its NetBIOS
name. Unfortunately, this doesn’t work for users who share machines. Also,
this is set at the user level, which is difficult to administer. IS Decisions’
UserLock v2.2 solves this problem by allowing you to restrict users to
a predefined number of simultaneous logons, without applying restrictions
at the user level.
UserLock tracks domain users’ logon activity, and all records are saved
to a central CSV file for easy archiving. The UserLock MMC (see screenshot)
allows you to see, in real-time, where your users are logged in. You can
right-click on a user to reset the counter, which is handy for when you
want to let a user log in one more time without permanently changing his
or her settings. UserLock controls simultaneous logons for individual
users or groups of users; controlling logons at the group level makes
administration a breeze. You can also restrict the machines to which users
can log on, based on computer names or IP address ranges. UserLock can
be configured to send e-mail alerts when users attempt to exceed their
limit or log on to unauthorized machines.
UserLock is easy get up and running in a hurry. Manually install the
software on a domain controller and use the UserLock MMC to automatically
deploy the agent to all workstations (running NT 4.0 or higher) in your
domain. Installing the agent does require a reboot, but you can have UserLock
force the reboot after install. When forcing a reboot, you can configure
the message sent to the workstations being rebooted, as well as the time
left before the reboot occurs (the default is 60 seconds). UserLock supports
Windows 9x/Me/NT 4.0/2000/XP, and it uses its service account to deploy
the agent. The service account must have local administrative rights and
be able to access the registry and the admin$ share of the client workstations
remotely. Your network must support NetBIOS name resolution and broadcasts.
If broadcasts aren’t supported on your routers, you have to put a UserLock
relay agent on each subnet. The relay agent routes the broadcast to the
UserLock primary server.
|Deploy the agent easily via the UserLock MMC. (Click
image to view larger version.)
I was impressed with how easy UserLock was to get working. From start
to finish, I had 10 machines set up in less than 15 minutes. The software
is very intuitive—after using it for a few minutes, I was quite comfortable
with it. I recommend UserLock for anyone who wants a better handle on
where and how many times his or her users are logging on. At a few dollars
per machine, UserLock is definitely worth the investment.
Chad Todd, MCSE, MCT, CNE, is the author of Hack Proofing Windows 2000 Server by Syngress Publishing. He is the co-owner of Training Concepts, which specializes in Windows 2000 and Cisco training.