# User tree



# User tree

In the SafeUTM management interface, users are displayed as a tree.

---

Users can be organized into trees. The group nesting level is not limited.  
The user account tree is available in **Users -> User & Group**.

SafeUTM implements the principle of inheritance, which makes it easy to set and change parameters common for users, defining them for the parent group, for example, quotas or remote VPN access. The principle of inheritance is very convenient for performing management operations related to all users in the group.

An example of a user tree can be seen below:  
[![1. User tree.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/GDPTiGjjUEIgnw4i-1-user-tree.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/GDPTiGjjUEIgnw4i-1-user-tree.png)

The user’s icon can be colored differently. The table below provides a description of each color of the user’s icon:

<div class="pointer-container" id="bkmrk-%C2%A0"><div class="pointer anim is-page-editable"><svg class="svg-icon" data-icon="link" role="presentation" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"></svg><div class="input-group inline block"> <button class="button outline icon" data-clipboard-target="#pointer-url" title="Copy Link" type="button"><svg class="svg-icon" data-icon="copy" role="presentation" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"></svg></button></div><svg class="svg-icon" data-icon="edit" role="presentation" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"></svg></div></div><table id="bkmrk-user-account-status-" style="height: 237px; width: 105.432%;"><tbody><tr><td style="width: 18.9122%;" width="312">**User Account Status**

</td><td style="width: 81.0878%;" width="312">**Description**

</td></tr><tr><td style="width: 18.9122%;" width="312">[![2. User tree.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/d56P0mpNMPVj6QLl-2-user-tree.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/d56P0mpNMPVj6QLl-2-user-tree.png)

</td><td style="width: 81.0878%;" width="312">The user has completed the authorization procedure and has been granted internet access.

</td></tr><tr><td style="width: 18.9122%;" width="312">[![3. User tree.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/pZOamG9xaWeQyB6h-3-user-tree.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/pZOamG9xaWeQyB6h-3-user-tree.png)

</td><td style="width: 81.0878%;" width="312">Authorization restriction has been set in the [**User Settings**](https://docs.safedns.com/books/42-setup-users/page/configuring-users).

</td></tr><tr><td style="width: 18.9122%;" width="312"><span style="background-color: #e03e2d;">[![4. User tree.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/0L2I5ioKf4UcAmF7-4-user-tree.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/0L2I5ioKf4UcAmF7-4-user-tree.png)</span>

</td><td style="width: 81.0878%;" width="312">The user has not completed the authorization procedure and has not been granted internet access.

</td></tr></tbody></table>

# User & Group

Creating, deleting, and moving user accounts.

---

#### General

To manage groups and accounts in the user tree, there are corresponding buttons on each group:

<table id="bkmrk-%C2%A0symbol-%C2%A0description" style="width: 111.111%; height: 152.922px;"><tbody><tr style="height: 35.3906px;"><td style="width: 23.869%; height: 35.3906px;" width="198">**Symbol**

</td><td style="width: 76.131%; height: 35.3906px;" width="387">**Description**

</td></tr><tr style="height: 35.3906px;"><td style="width: 23.869%; height: 35.3906px;" width="198">[![1. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/YAq39FQWhGYv3O9i-1-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/YAq39FQWhGYv3O9i-1-user-management.png)

</td><td style="width: 76.131%; height: 35.3906px;" width="387">Create user account

</td></tr><tr><td style="width: 23.869%;">[![2. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/K4pymhc1B8JwLDdK-2-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/K4pymhc1B8JwLDdK-2-user-management.png)

</td><td style="width: 76.131%;">Create group

</td></tr><tr style="height: 24.3906px;"><td style="width: 23.869%; height: 24.3906px;" width="198">[![3. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/VcIEe1oXa8mxAWwy-3-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/VcIEe1oXa8mxAWwy-3-user-management.png)

</td><td style="width: 76.131%; height: 24.3906px;" width="387">Delete user account or group

</td></tr></tbody></table>

---

#### Creating User Account

To create an account in a certain group, click Create User Account in it. The control element symbols are illustrated in the table above.

The second way to create a user in a group is to select the designated group and click **Create User** in the right part of the window in the **General** tab.  
[![4. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/pX1I2obUDPzEsjp4-4-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/pX1I2obUDPzEsjp4-4-user-management.png)

Next, you will see a window for creating a user account, where you need to define a number of parameters. The form for creating a user account is shown below.  
[![5. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/iyc86CS2Bsjw4pRs-5-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/iyc86CS2Bsjw4pRs-5-user-management.png)

<p class="callout success">**Login** must be entered in lowercase Latin characters, for example, j.smith</p>

<p class="callout success">Recommendations for creating password complexity: minimum length - 10 characters; use of lowercase and uppercase Latin characters; use of numbers and special characters. You can generate a password.</p>

<p class="callout success">When you fill in the **Additional settings**, a corresponding rule will be created in the user card in the **IP and MAC authorization** tab and in the **Authorization -&gt; IP and MAC authorization** section.  
If this IP address or MAC address is used in DHCP server rules, then the **[DHCP server](https://docs.safedns.com/books/45-setup-services/page/dhcp-server)** rule will be in priority.</p>

For accounts imported from MS Active Directory (AD), password verification is carried out by means of AD. Active Directory user authorization is configured in the corresponding [**section**](https://docs.safedns.com/books/42-setup-users/page/active-directory-user-authorization).

You cannot create a user in the Active Directory group from SafeUTM. If you need to add an additional user to the Active Directory group, you must do so in the user tree on the domain controller.

<p class="callout warning">It is impossible to view or restore the account password, only changing is allowed.</p>

After you have entered all required parameters, click **Save**. An account will be created that will automatically get all the values of some parameters of the group in which it was created.

---

<details id="bkmrk-creating-group-to-cr"><summary>Creating Group</summary>

To create a group, you need to click on the corresponding control symbol to the right of the group name (you can create both a tree root group and a child group).

A window will open, in which you will need to type in the name of the new group and click **Save**. An example of adding a group can be seen below:  
[![6. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/ryQDCUKCkHc51ECJ-6-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/ryQDCUKCkHc51ECJ-6-user-management.png)

</details>---

<details id="bkmrk-mass-creation-of-use"><summary>Mass Creation of Users with Authorization by IP</summary>

Mass creation of users for authorization by IP is possible. You can find out more in the [**article**](https://docs.safedns.com/books/42-setup-users/page/authorization-by-ip-address) about this kind of authorization.

Alternatively, you can use [**Netscan**](https://docs.safedns.com/books/42-setup-users/page/netscan) to create them automatically when you try to access the internet.

</details>---

<details id="bkmrk-deleting-group-or-us"><summary>Deleting Group or User Account</summary>

To delete a user account, select the user and click on the corresponding symbol. You can also select the user and click **Delete** in the **General** tab.  
[![7. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/XkgyHkM3lNZkrTyM-7-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/XkgyHkM3lNZkrTyM-7-user-management.png)

Deleting a group is done the same way.

</details>---

<details id="bkmrk-moving-user-account-"><summary>Moving User Account or Group</summary>

To move a user account to another group, select this user in the **General** tab and find **Found in a group** field. From the drop-down list, select the group to move the user into and click **Save**.  
[![8. User Management.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/nyqtcS8sYAKXrNtA-8-user-management.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/nyqtcS8sYAKXrNtA-8-user-management.png)

</details>

# Configuring Users

Configuring user account settings.

---

#### Categories

Users are configured in **Users -&gt; User &amp; Group**. To determine/edit the user account settings, select the account in the user tree by left-clicking on it. The parameters of the selected account will appear on the right side of the screen. All configurable parameters are divided into categories: **General**, **Quota**, **IP and MAC authorization**, and **Sessions**. If you want to change the parameters of all users in the group, select the corresponding group in the user tree.

---

##### General category

The section of main settings includes many parameters determining the user account status.  
The basic parameters are:

- **Username**. The name of the user for whom the account is being created, for example, John Smith. Maximum 128 characters.
- **Login**. The login is used to complete the authorization procedure in various SafeUTM services. The login must contain Latin lowercase letters, for example, j.smith. Maximum 32 characters.
- **Found in a group**. The group the user belongs to. You can use this field to move the user to another existing group.
- **Deny access**. Prohibit the user from being authenticated in the SafeUTM gateway. It means the user cannot use the internet, send an email, or access a personal account.
- **Allow remote access via VPN**. Allow connecting to the SafeUTM server via VPN from the internet.  
    [![1. Configuring Users.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/Ze1rGjERsalU80H9-1-configuring-users.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/Ze1rGjERsalU80H9-1-configuring-users.png)

For users exported from [**Active Directory**](https://docs.safedns.com/books/42-setup-users/page/integration-with-active-directory), there is a corresponding line above the user settings. For such users, it is impossible to edit the name, login, or move them to another group in the **General** tab.

---

##### Quota category

This section allows you to view and increase the user quota in case of using traffic limits.  
[![3. Configuring Users.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/WxysjKlbZrRV2E3o-3-configuring-users.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/WxysjKlbZrRV2E3o-3-configuring-users.png)

To increase the quota, use the **Increase traffic for the current period** field.  
**Example:** A user is assigned a quota of 1000 MB for a week (Monday to Sunday). By Thursday, the amount of traffic exceeded the value set by the quota. It is required to provide the user with additional traffic once.  
To do this, enter the required value in the **Increase traffic for the current period** field and click **Increase**. The **Remaining** line will reflect all available traffic, taking into account the added one.

<p class="callout info">You can find the information about how to set up traffic quotas in the [**User Quotas**](https://docs.safedns.com/link/72#bkmrk-setting-up-user-and-) section.</p>

---

##### IP and MAC Authorization category

This category contains authorization rules by IP and MAC created for a specific user in two sections:

- Users -&gt; User &amp; Group -&gt; IP and MAC authorization [![4. Configuring Users.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/cwZqCgl3wiXfYQTx-4-configuring-users.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/cwZqCgl3wiXfYQTx-4-configuring-users.png)
- Users -&gt; [**Authorization** ](https://docs.safedns.com/books/42-setup-users/page/user-authorization)-&gt; [**IP and MAC authorization**](https://docs.safedns.com/books/42-setup-users/page/authorization-by-ip-and-mac-address)[![5. Configuring Users.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/OFQ7FbgGwlR14rSt-5-configuring-users.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/OFQ7FbgGwlR14rSt-5-configuring-users.png)

<p class="callout info">The **IP and MAC authorization** rules also create a similar binding in the SafeUTM [**DHCP server**](https://docs.safedns.com/books/45-setup-services/page/dhcp-server). But if the same IP and MAC addresses are used in enabled DHCP server rules, then the DHCP server rules will be executed first.</p>

---

##### Sessions category

Contains a table with information about all active user sessions:  
[![6. Configuring Users.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/V1ipEba0PDvB06gB-6-configuring-users.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/V1ipEba0PDvB06gB-6-configuring-users.png)When you click on "X" in the **Operations** column, UTM will terminate the user's session.  
A similar table is located in the **Monitoring** -&gt; [**Authorized users**](https://docs.safedns.com/books/43-setup-monitoring/page/authorized-users-and-vpn-users) section.

# Terminal Server Users

Used for remote work with the provision of a separate desktop for each user. Provides a service for the work of dozens and even hundreds of users.

---

#### Terminal Server Authorization

If the admin does not need the separate authorization of terminal server users, and the same access settings (content filtering and user firewall) can be applied to them, the server can be authenticated as a single user.

The best option is [**authorization by IP address**](https://docs.safedns.com/books/42-setup-users/page/authorization-by-ip-address).

Please note that when the number of users on the terminal server is large, it may be necessary to [**increase the number of simultaneous sessions**](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/troubleshoot/remote-desktop-service-currently-busy#check-the-connection-limit-policy) from one address in advanced security settings.

---

#### Authorization of Terminal Server Users

**Separate authorization of terminal server users** (running under Windows Server 2008 R2 and Windows Server 2012 OS) is possible using [**SSO (NTLM)**](https://docs.safedns.com/link/50#bkmrk-web-authorization-%28s). In such a case server authorization by IP is not necessary.

For separate authorization of terminal server users, [**Remote Desktop IP Virtualization**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-ip-virtualization) must be configured on the terminal server, and user authorization via web authorization (SSO or NTLM) must be configured on the SafeUTM server. Authorization of terminal server users based on logs of the AD domain controller has not yet been implemented.

---

<details id="bkmrk-configuring-remote-d"><summary>Configuring Remote Desktop IP Virtualization on Windows Server 2012</summary>

For the [**Remote Desktop IP Virtualization**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-ip-virtualization) to work on one of Windows servers, the role of a DHCP server must be added (this function may not work correctly with other DHCP servers) and an IP address area for terminal server users must be allocated.

In **Group Policy Management Editor,** you need to navigate to **Computer Configuration –&gt; Administrative Templates –&gt;Windows Components -&gt; Remote Desktop Services –&gt; Remote Desktop Session Host –&gt; App Compatibility**.

Enable the option **Turn on Remote Desktop IP Virtualization** in group policy with the option **Per Sessions**:  
[![1. Terminal Server Users.png](https://docs.safedns.com/uploads/images/gallery/2022-08/scaled-1680-/Ic36pAPOpzJ9sVNI-1-terminal-server-users.png)](https://docs.safedns.com/uploads/images/gallery/2022-08/Ic36pAPOpzJ9sVNI-1-terminal-server-users.png)

It is also recommended to enable the option **Do not use the IP address of the remote desktop session host server if the virtual IP address is unavailable**.

Use command `gpupdate /force` to update all policies.

You can check that the settings have changed using the following command in PowerShell:

`Get-WmiObject -Namespace root\cimv2\TerminalServices -query "select * from Win32_TSVirtualIP"`

Where values must be: `VirtualIPActive = 1` (virtualization on) and `VirtualIPMode=0` (for a session).

</details>