Restrict multiple logons in an Active Directory domain

Guest

Hi all,

I am having a network on a Windows Server 2003 Active Directory domain.
By default Active Directory allows a single user to log on to multiple
computers simultaneously.
For example, one user USER A can log on to COMPUTER A and simultaneously he
can log on to COMPUTER B also without logging off from COMPUTER A.

Now for some reasons I want to restrict the domain users from logging on to
multiple computers simultaneously, without restricting them to log on to some
particular systems only. I mean I want to set them free to log on to any
computer in the domain but restrict their logon session in the domain to only once
till they log out.


Thanks in advance.

Regards
Nitesh
 
Brandon McCombs

Nitesh said:
Hi all,

I am having a network on a Windows Server 2003 Active Directory domain.
By default Active Directory allows a single user to log on to multiple
computers simultaneously.
For example, one user USER A can log on to COMPUTER A and simultaneously he
can log on to COMPUTER B also without logging off from COMPUTER A.

Now for some reasons I want to restrict the domain users from logging on to
multiple computers simultaneously, without restricting them to log on to some
particular systems only. I mean I want to set them free to log on to any
computer in the domain but restrict their logon session in the domain to only once
till they log out.

Thanks in advance.

Regards
Nitesh

At work I was required to do this in order to meet Security requirements of the
government. I created 2 scripts (one is executed in a GPO at login, the other
in a GPO at logoff). I created a new attribute in the ADS schema and added it
to the user object class. The attribute is a single valued case-insensitive
string that keeps track of the hostname of the machine that the user has logged
in to. When the user logs in the hostname of the machine is put into the
attribute of the user object. If the user logs in somewhere else the hostname of
*that* machine is grabbed and compared to the hostname stored. If they do not
match then the script uses WMI to force the user to be logged off. If they do
match the script assumes that something bad happened before (improper shutdown)
that caused the logoff script to not blank out the attribute and so it lets the
user in. By setting the GPO option of running scripts synchronously you can set
it up so that the script pops up a VBS window letting the user know what happened
and during this time the Desktop won't load until the script finishes.
Unfortunately for the user as soon as the OK button on their popup window is
clicked the last thing in the script is to log them off, so the user never has a
chance to actually see his/her Desktop due to it not loading until the script
was finished. This has worked out very nicely for the system I implemented this
on. Incidentally the log off script has the intelligence to not totally blank
out the attribute when logging the user out of their 2nd session; it still keeps
the original hostname so that a 3rd attempt at a login would fail as well.

This may not have the flexibility of LimitLogin but if you only want the users
to login once for any machine in the domain then it will work fine. I'm sure
you could modify the attribute to be multi valued and parse each hostname that
is stored in order to keep track of however many logins you would want per user
although it still wouldn't let you have varying login counts per user (not sure
of the usefulness of that anyway; the admins at work are the only ones who are
allowed to login more than once and even they are at least alerted to their
other logins with the same script).

hope this helps
brandon
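The scheme Brandon describes (a custom single-valued attribute on the user object, a logon script that records or compares the hostname and forces a logoff through WMI, and a logoff script that only clears the record when it was the machine on record) can be written as one PowerShell script with a logon and a logoff mode. The block below is an added example, not Brandon's VBS scripts and not from any Microsoft tool. It assumes a schema attribute whose lDAPDisplayName is `sessionHostPlaceholder` (the real name is not given in the thread), that users have been granted write access to that attribute on their own user object (otherwise the record can never be written), and that both modes run synchronously from GPO logon/logoff scripts.

```powershell
# Added example (not Brandon's script): one-session-per-user enforcement in
# the shape he describes. Assumptions, all labelled:
#   - 'sessionHostPlaceholder' is a single-valued, case-insensitive string
#     attribute added to the user class (placeholder name; yours will differ);
#   - the logging-on user has write access to that attribute on their own object;
#   - run as "script.ps1 -Mode Logon" from a GPO logon script and
#     "script.ps1 -Mode Logoff" from a GPO logoff script, synchronously.
param(
    [ValidateSet('Logon', 'Logoff')]
    [string]$Mode = 'Logon'
)

$AttributeName = 'sessionHostPlaceholder'   # assumption: your attribute's lDAPDisplayName
$ThisHost      = $env:COMPUTERNAME

# Find the current user's object under the domain's default naming context.
function Get-CurrentUserObject {
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $searcher.Filter     = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User object for $env:USERNAME not found" }
    return $result.GetDirectoryEntry()
}

# The decision rule from the thread, isolated so it can be read on its own:
#   empty record      -> first session: record this host and allow
#   same host         -> previous logoff script never ran (crash/power loss): allow
#   different host    -> a second concurrent session: deny
function Get-LogonDecision {
    param([string]$StoredHost, [string]$CurrentHost)
    if ([string]::IsNullOrEmpty($StoredHost)) { return 'Record' }
    if ($StoredHost -ieq $CurrentHost)        { return 'Allow' }
    return 'Deny'
}

function Invoke-Logon {
    $user   = Get-CurrentUserObject
    $stored = [string]$user.Properties[$AttributeName].Value
    switch (Get-LogonDecision -StoredHost $stored -CurrentHost $ThisHost) {
        'Record' {
            $user.Properties[$AttributeName].Value = $ThisHost
            $user.CommitChanges()
        }
        'Allow' { }
        'Deny' {
            # Tell the user what happened, then force a logoff via WMI
            # (Win32Shutdown flag 4 = forced logoff). With synchronous script
            # processing the desktop never loads before this completes.
            $wsh = New-Object -ComObject WScript.Shell
            [void]$wsh.Popup("You are already logged on at $stored. This session will be logged off.",
                             0, 'Concurrent logon blocked', 48)
            $os = Get-WmiObject -Class Win32_OperatingSystem
            [void]$os.Win32Shutdown(4)
        }
    }
}

function Invoke-Logoff {
    $user   = Get-CurrentUserObject
    $stored = [string]$user.Properties[$AttributeName].Value
    # Only clear the record when the machine logging off is the one on record.
    # A logoff from a blocked second session therefore leaves the original
    # hostname in place, so a third attempt elsewhere is also refused.
    if ($stored -ieq $ThisHost) {
        $user.Properties[$AttributeName].Clear()
        $user.CommitChanges()
    }
}

if ($Mode -eq 'Logon') { Invoke-Logon } else { Invoke-Logoff }
```

Two points worth checking before relying on this. The enforcement happens on the client, in the user's own logon session, so it is a policy aid rather than a hard control: anyone able to prevent the logon script from running, or who holds write access to the attribute, can clear or bypass it. And because the `Allow` branch deliberately trusts a matching hostname (to recover from crashes), a session left open on the recorded machine is indistinguishable from a crashed one; auditing successful logons on the domain controllers (event ID 4624 on 2008+, 528/540 on 2003) is the usual way to see what the script cannot.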
 
Jorge_de_Almeida_Pinto

Nitesh said:
Hi all,

I am having a network on a Windows Server 2003 Active Directory domain.
By default Active Directory allows a single user to log on to multiple
computers simultaneously.
For example, one user USER A can log on to COMPUTER A and simultaneously he
can log on to COMPUTER B also without logging off from COMPUTER A.

Now for some reasons I want to restrict the domain users from logging on to
multiple computers simultaneously, without restricting them to log on to some
particular systems only. I mean I want to set them free to log on to any
computer in the domain but restrict their logon session in the domain to only once
till they log out.

Thanks in advance.

Regards
Nitesh

Check out LimitLogin from MS. It only works in a W2K3 AD as it needs a
separate app partition for its data. It also extends the schema and, like
the Resource Kit tools, it is not supported by MS.

For more info see:
http://www.thincomputing.net/newsitem296.html
http://bink.nu/files/limitlogonfaq.htm
http://www.petri.co.il/forums/showthread.php?t=2511
 
Cary Shultz [A.D. MVP]

Nitesh,

In a WIN2000 environment you might look at CConnect. Not sure if this would
work in a WIN2003 environment. Cannot see why it would not, but I have not
worked with WIN2003 too much.

Also, I believe that Jerold has a couple of ways to accomplish this. Please
take a look at his website ( http://www.jsiinc.com ) for the details.

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Joined Feb 21, 2011

Restrict the logon hours of certain users or groups: I have more than 1000 users in our organization. I have 3 groups and add different groups to different users. Now I would like to restrict the logon hours for the users of these 3 groups. Can anyone help me?


regards
DON sayied anwer
 