Restrict Multiple logon in Active directory Domain

Discussion in 'Microsoft Windows 2000 Active Directory' started by Guest, Sep 29, 2005.

  1. Guest

    Guest Guest

    Hi all,

    I am having a network on Windows Server 2003 Active Directory Domain.
    By default Active Directory allows a single user to log on to multiple
    computers simultaneously.
    For example, one user USER A can log on to COMPUTER A and simultaneously he
    can log on to COMPUTER B also without logging off from COMPUTER A.

    Now for some reasons I want to restrict the Domain Users from logging on to
    multiple computers simultaneously, without restricting them to log on to some
    particular systems only. Means I want to set them free to log on to any
    computer in the domain but restrict their logon session in the domain to only once
    till they log out.


    Thanks in advance.

    Regards
    Nitesh
     
    Guest, Sep 29, 2005
    #1

  2. Guest

    Paul Bergson Guest

    Paul Bergson, Sep 29, 2005
    #2

  3. At work I was required to do this in order to meet Security requirements of the
    government. I created 2 scripts (one is executed in a GPO at login, the other
    in a GPO at logoff). I created a new attribute in the ADS schema and added it
    to the user object class. The attribute is a single valued case-insensitive
    string that keeps track of the hostname of the machine that the user has logged
    in to. When the user logs in the hostname of the machine is put into the
    attribute of the user object. If the user logs in somewhere else the hostname of
    *that* machine is grabbed and compared to the hostname stored. If they do not
    match then the script uses WMI to force the user to be logged off. If they do
    match the script assumes that something bad happened before (improper shutdown)
    that caused the logoff script to not blank out the attribute and so it lets the
    user in. By setting the GPO option of running scripts synchronously you can set
    it up so that the script pops up a VBS window letting the user know what happened
    and during this time the Desktop won't load until the script finishes.
    Unfortunately for the user as soon as the OK button on their popup window is
    clicked the last thing in the script is to log them off, so the user never has a
    chance to actually see his/her Desktop due to it not loading until the script
    was finished. This has worked out very nicely for the system I implemented this
    on. Incidentally the log off script has the intelligence to not totally blank
    out the attribute when logging the user out of their 2nd session; it still keeps
    the original hostname so that a 3rd attempt at a login would fail as well.

    This may not have the flexibility of LimitLogin but if you only want the users
    to login once for any machine in the domain then it will work fine. I'm sure
    you could modify the attribute to be multi valued and parse each hostname that
    is stored in order to keep track of however many logins you would want per user
    although it still wouldn't let you have varying login counts per user (not sure
    of the usefulness of that anyway; the admins at work are the only ones who are
    allowed to login more than once and even they are at least alerted to their
    other logins with the same script).

    hope this helps
    brandon
     
    Brandon McCombs, Sep 30, 2005
    #3
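
The logon/logoff pair described in the post above, sketched as one Windows PowerShell script. This is an added example, not the poster's scripts (which were not posted). The attribute name `exampleLogonHost` is hypothetical, and the sketch assumes users have been granted write access to that attribute on their own user object.

```powershell
# Added example. Run as the GPO user logon script with -Phase Logon and as the
# logoff script with -Phase Logoff (logon scripts set to run synchronously).
param([Parameter(Mandatory = $true)][ValidateSet('Logon', 'Logoff')][string]$Phase)

$AttrName = 'exampleLogonHost'   # HYPOTHETICAL single-valued string attribute on the user class
$ThisHost = $env:COMPUTERNAME

# Pure decision logic, kept separate from the directory calls.
function Get-SessionAction([string]$Phase, [string]$StoredHost, [string]$ThisHost) {
    $same = $StoredHost -and ($StoredHost -ieq $ThisHost)   # hostnames compare case-insensitively
    if ($Phase -eq 'Logon') {
        if (-not $StoredHost) { return 'Claim' }   # no session recorded: record this host
        if ($same)            { return 'Allow' }   # stale value left by an unclean shutdown
        return 'Deny'                              # a session is recorded on another host
    }
    if ($same) { return 'Release' }                # the owning session is ending
    return 'Keep'                                  # denied extra session: keep the original host
}

# Bind to the current user's own object in the domain.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$found = $searcher.FindOne()
if (-not $found) { exit 0 }                        # no matching domain account: do nothing
$user   = $found.GetDirectoryEntry()
$stored = [string]$user.psbase.Properties[$AttrName].Value   # empty string when unset

switch (Get-SessionAction $Phase $stored $ThisHost) {
    'Claim' {
        $user.psbase.Properties[$AttrName].Value = $ThisHost
        $user.psbase.CommitChanges()
    }
    'Release' {
        $user.psbase.Properties[$AttrName].Clear()
        $user.psbase.CommitChanges()
    }
    'Deny' {
        $msg = "You are already logged on at $stored. This session will now be logged off."
        (New-Object -ComObject WScript.Shell).Popup($msg, 0, 'Logon denied', 48) | Out-Null
        # WMI logoff as in the post; flag 4 = forced logoff.
        (Get-WmiObject -Class Win32_OperatingSystem).Win32Shutdown(4) | Out-Null
    }
    # 'Allow' and 'Keep' leave the attribute untouched.
}
```

Because the check runs on the client and reads whichever domain controller answers, two logons that land on different DCs before replication completes can both see an empty attribute; the value is a policy aid, not a hard lock.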
  4. Check out LimitLogin from MS. It only works in a W2K3 AD as it needs a
    separate app partition for its data. It also extends the schema and, like
    the Resource Kit tools, it is not supported by MS.

    For more info see:
    http://www.thincomputing.net/newsitem296.html
    http://bink.nu/files/limitlogonfaq.htm
    http://www.petri.co.il/forums/showthread.php?t=2511
     
    Jorge_de_Almeida_Pinto, Sep 30, 2005
    #4
  5. Nitesh,

    In a WIN2000 environment you might look at CConnect. Not sure if this would
    work in a WIN2003 environment. Cannot see why it would not but I have not
    worked with WIN2003 too much.

    Also, I believe that Jerold has a couple of ways to accomplish this. Please
    take a look at his website ( http://www.jsiinc.com ) for the details.

    --
    Cary W. Shultz
    Roanoke, VA 24012

    WIN2000 Active Directory MVP
    http://www.activedirectory-win2000.com
    (soon to be updated!!!)
    http://www.grouppolicy-win2000.com
    (soon to be updated!!!)
     
    Cary Shultz [A.D. MVP], Oct 6, 2005
    #5
  6. Guest

    sayied anwer-007

    Restrict the logon hours of certain users or groups: I have more than 1000 users in our organization. I have 3 groups and add different groups to different users. Now I would like to restrict the logon hours for these 3 groups' users. Can anyone help me?


    regards
    DON sayied anwer
     
    sayied anwer-007, Feb 21, 2011
    #6