Re: Preventing multiple logins in 2003

From: Martin Mewes (mm_at_mewes.tv)
Date: 01/28/05

    To: focus-ms@securityfocus.com
    Date: Fri, 28 Jan 2005 08:14:03 +0100
    
    

    Hi Ian,

    Ian Turnbull <ian.turnbull@mpsgi.com> wrote:

    > It has been noted that some of our user base are allowing other
    > members of staff to login using their user account. We are currently
    > in the process of moving to a fully functional 2003 domain and I
    > would like to disable concurrent logons via group policy. Any
    > suggestions?

    We had the same problem here and did not come to any conclusions.
    For now we have written a little logon script which writes a lock into
    the $home of the user like this ...

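    :test
    rem No lock file yet: go on to the normal logon.
    if not exist \\path\logged.in goto login
    rem A lock file exists: the account is already in use, so log off.
    logout.exe
    goto :eof

    :login
    rem Create the lock; the logout script deletes it again.
    echo lock > \\path\logged.in
    ...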

    ... together with a logout script which deletes the lock. Anyway, from
    time to time we run into trouble if a user's machine has a blue screen
    or something, so the admin has to delete the lock manually.

    We thought about locking the user to a collection of single machines
    (which is possible since NT4) but are not sure if this really helps.

    Until then/kind regards
       
    Martin Mewes
       

    -- 
    The e-mail server is unable to verify your server connection and
    is unable to deliver this message. Please restart your computer and
    try sending again.  (The beauty of it is that when I return, I can
    see how many in-duh-viduals did this over and over)  
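
One way to handle the stale-lock case described in the message above, as an added example that is not part of the original post: the lock stores the name of the machine that created it, so a logon from that same machine after a crash reclaims the lock instead of being refused. The lock path is a hypothetical placeholder, Windows' built-in `logoff` stands in for the post's `logout.exe`, and one interactive session per workstation is assumed.

```bat
@echo off
rem Added example, not from the original post.
rem Assumption: LOCK is a hypothetical per-user lock file on the home share.
setlocal
set "LOCK=\\server\home\%USERNAME%\logged.in"

rem No lock file: nobody is logged on with this account.
if not exist "%LOCK%" goto login

rem Read the first line of the lock: the machine that created it.
set "OWNER="
set /p OWNER=<"%LOCK%"

rem Same machine as the lock owner: the earlier session ended without
rem running the logoff script (blue screen, power loss), so the lock is
rem stale and is taken over instead of blocking the user.
if /i "%OWNER%"=="%COMPUTERNAME%" goto login

rem Lock held by a different machine: refuse this logon.
echo Account %USERNAME% is already logged on at %OWNER%.
logoff
goto :eof

:login
rem Record which machine holds the lock (redirect first: no trailing space).
>"%LOCK%" echo %COMPUTERNAME%
rem ... rest of the logon script ...
endlocal
```

The matching logoff script should delete the lock only when its content equals `%COMPUTERNAME%`. The lock remains advisory: it lives in a share the user can write to, the check-then-write is not atomic, and a crash followed by a logon on a different machine still needs an administrator to clear it.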