The business problem

System security is a critical issue for most companies. Windows NT/2000 security is mainly based on a login (i.e. a user name and a password). These two elements are required to enter the system and to check the user's rights.

Users often do not log off from their workstations, or they choose simple passwords that colleagues can easily guess. Some users even give their passwords to friends.

Such user behavior cannot ensure an efficient security environment for your enterprise. The most difficult part of applying an effective and efficient security policy is getting users to adopt good security habits.

These problems can result in users reading e-mails they should not read, sending e-mails on behalf of someone else, or accessing files they should not access (e.g. accounting files, system files...). Administrators should be aware that hacking or piracy most often originates from within the company rather than from the internet or the enterprise extranet, where firewalls are now more and more efficient.

Technology Architecture

The Windows NT/2000 security system is fully extensible and supports extensions such as smart cards, Novell support, or Unix password synchronization systems. UserLock 2000 is a unique authentication system based on a customized GINA (Graphical Identification and Authentication).

This GINA simply checks that UserLock allows a logon to occur and notifies the UserLock server of logoffs. It is compatible with other GINA extensions because it forwards all GINA procedure calls to any existing GINA extension. This security enhancement (also called the UserLock agent) should be installed on every protected workstation. The customized GINA can be deployed using the Agent Deployer of the UserLock primary server, which constantly checks the GINA installation status and installs the GINA where necessary, without any user intervention.

UserLock agents locate the primary server by sending a network broadcast based on a mail slot message. If the domain is spread across multiple sub-nets, UserLock relay servers should be installed on each sub-net except the one where the UserLock primary server is installed, so that they can answer the broadcast message by forwarding authentication queries to the UserLock primary server.

UserLock servers are administered using the Microsoft Management Console and run as standard Windows NT/2000 services. Notifications of logons and logoffs can be set up using popup messages or e-mail sent over Windows Sockets (i.e. SMTP is required but not MAPI).

Supported Platforms

The UserLock 2000 server runs on Windows NT 4 Server or Windows 2000 Server. The agent can be deployed on Windows NT 4 and Windows 2000.



2002-2005 Engagent