Limit Simultaneous Logons in Active Directory

screwmesa

Hi, I have Active Directory set up and am looking for an easy way to keep users from logging into multiple computers at one time. I have found some login scripts online, but they are for NT. I don't want to use the concurrent connection limiter from the 2000 Server Resource Kit because I don't want to deal with setting up an SQL database.

We are running Server 2003 with all workstations being 2000 Pro.

Help me...please. :)
 
Without using the Resource Kit method or a third-party program, I don't think AD can do this.
 
Never mind, I got it figured out... If anyone else has this problem, make the user's home folder a share (it can be hidden if you want it to be) and make the user limit 1. Then add this to their logon script:

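rem Drop any stale mapping, then try to map the single-user share.
net use T: /delete
net use T: \\<Servername>\<sharename>
rem The share allows one connection, so the mapping fails if the user is already logged on elsewhere.
if exist T: goto end
if not exist T: goto logout
:logout
echo Y | logoff.exe
:end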

Grab logoff.exe from the Windows 2000 Server Resource Kit and place it in the sysvol folder where the logon script is located.

Hope this saves someone some trouble. :p
 
http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain. It can also keep track of all logins information in Active Directory domains.

LimitLogin capabilities include:

· Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.

· Displaying the logins information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).

· Easy management and configuration by integrating to the Active Directory MMC snap-ins.

· Ability to delete and log off user session remotely straight from the Active Directory Users and Computers MMC snap-in.

· Generating Login information reports in CSV (Excel) and XML formats.

LimitLogin grants System Administrators, Help Desk staff or any other IT-related personnel the ability to quickly query for any user logged on to the domain and view the machines they’re currently logged on to, while enabling the above list of features and management tasks to be performed on those user sessions.
 
Cool, thanks....playing with that right now. Seems better than a batch file.

:D
 
Wow, does that program ever suck a whole lot of balls... They were after a good idea, but they took a whole different shitty direction. No thanks, if I was gonna go that route, I'd break down and throw a grand down for UserLock.
 
There's too much room for loopholes, and no support for tracking logons from the past.
 
screwmesa said:
There's too much room for loopholes, and no support for tracking logons from the past.

Um...that's because you can track logons from a domain controller's event viewer if it's set up to audit account logon events.
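
Added example, not part of any post in this thread: one way to review the account logon events mentioned above for users who authenticate from more than one machine in a short window. It assumes the domain controller's Security log has been exported to CSV with the column names shown; the sample rows and the `multi_host_logons` helper are constructed for illustration. Account logon events record authentication, not logoff, so a hit is a candidate for review, not proof of two live sessions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data. Assumed columns for a CSV export of
# the domain controller Security log; 672 is the Server 2003 Kerberos
# authentication ticket (TGT) request event.
SAMPLE_EXPORT = """time,event_id,user,client_address
2005-06-01 08:00:05,672,jsmith,10.0.0.21
2005-06-01 08:00:07,672,LAB21$,10.0.0.21
2005-06-01 08:03:40,673,jsmith,10.0.0.21
2005-06-01 08:12:30,672,jsmith,10.0.0.35
2005-06-01 08:15:00,672,mlee,10.0.0.40
2005-06-01 13:30:00,672,mlee,10.0.0.41
"""

def multi_host_logons(export_text, window=timedelta(minutes=30)):
    """Return {user: sorted client addresses} for users with ticket requests
    from two or more distinct addresses within `window` of each other."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().lower()
        # Skip non-672 events and computer accounts (names ending in "$").
        if row["event_id"] != "672" or user.endswith("$"):
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        per_user[user].append((when, row["client_address"].strip()))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        hits = set()
        for i, (t1, a1) in enumerate(events):
            for t2, a2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted by time, so later events are further away
                if a1 != a2:
                    hits.update((a1, a2))
        if hits:
            flagged[user] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for user, addrs in multi_host_logons(SAMPLE_EXPORT).items():
        print(f"{user}: ticket requests from {', '.join(addrs)}")
```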
 
The other thing that sucks is that it's trying to do with a whole program what can be done with a simple script. That is wasteful of resources on a server (and/or workstation) that could be better used elsewhere.

Hey, screwmesa, you might want to take that little script, find some others who have similar little logon scripts, and create a thread covering a bunch of quick and easy DIY logon script things for people in an AD environment. Good on you for keeping at it until finding a solution.
 
Can't you do it with Group Policies? I am sure I remember seeing an option for it.
 
I can't find anything for it in Group Policy, first place I checked hoping Server 2003 would have integrated this feature...but alas, here I am. I've got all summer to get this working and set up 200 workstations on the domain. I work for a school and we have just recently started working with Active Directory. I haven't had any problems thus far, just little bumps in the road like this.

I know Group Policy allows for logons via SmartCards, but we didn't have the funds/time to go that route. IBM was looking into biometric scanners for us too, but again turned up a bust.
 