Re: NT4 Disallow multiple logins

From: John McGaw (avoid_spam@bellsouth.net)
Date: 07/01/02


From: "John McGaw" <avoid_spam@bellsouth.net>
Date: Mon, 1 Jul 2002 07:28:01 -0400


"ObiWan" <anzenNO-SPAM@gmx.net> wrote in message
news:uVtT8GYACHA.1916@tkmsftngp04...
>
> > I have an NT4 Server running 98SE W/stations. The problem
> > I have is disallowing users sharing their usernames and
> > passwords. (I can't sack them for this because I work in a
> > school and my client base comprises primarily of Students.)
> > Is there a way of only allowing a username and password to
> > be in use on my network once at a time? I've been through
> > the User Manager and can't find it in there so I am
> > assuming I will have to write something in the Login
> > scripts. If I can avoid doing this it would be preferable
> > to me.
>
> I'll assume that you created an NT domain and
> that the Win98 machines are accessing that
> domain; in this case:
>
> open the user manager and from the menu
> select "criteria" and "account", next specify
> the needed password criteria; that is the
> max age, the min length and so on; be sure
> to tick the box to "remember 'n' passwords"
> so that your user will be forced to use a
> different password each time and not to
> reuse the older ones, confirm.
>
> Now select a user from the user list and
> double click on it, be sure that the password
> expiry option is unselected (password *must*
> expire) and allow the user to change the
> password; as an additional measure you could
> specify access times and logon machines this
> will allow the logon *only* in the defined time
> period and *only* from the defined machines,
> this will avoid that students could logon outside
> the school time and/or from unauthorized machines
>
> repeat the process for every needed user.
>
> As a rule of thumb, you could setup a password
> aging period of 1 day, allow only passwords of
> 7 chars or more, keep the last 10 passwords and
> lock the account after 3 failed access attempts
> unlocking it after 60 minutes. Be sure that none
> of the users (students) has admin privileges but
> set them all inside a group and give to the group
> *only* the required privileges/permissions
>
> Additionally if you specified a "time window" as
> seen above, you could force an "end session"
> so that if someone leaves a machine powered
> on and logged it won't create a security hole.
>

But will that stop "jsmith" with password "fubar9" from effectively logging
in 20 times by passing his username and password to 19 other students? I get
the impression that this was all that the original poster was looking for.

--
*** E-mail return address will not work!
*** Please reply in group or through my website.
John McGaw
Knoxville, TN, USA
http://johnmcgaw.com