Re: Multiple Login

From: Brandon McCombs (bmccombs_at_ma.rr.com)
Date: 03/11/05


Date: Fri, 11 Mar 2005 00:07:40 GMT


"Torgeir Bakken (MVP)" wrote:

> Mike Hartman wrote:
>
> > I have a simple question and one that I should know the answer to. Does
> > anyone know how to block users from logging into multiple machines at the
> > same time? I have Windows XP Pro clients and Windows 2000 servers in an
> > active directory environment.
> Hi
>
> Nothing builtin that can help you here I'm afraid (but I think
> Microsoft is going to release something this year that supports this).
>
> The UserLock product in the link below is an option
> http://www.softwareshelf.com/products/display.asp?p=42
>
> Microsoft's current solution:
>
> You could install the CCONNECT Microsoft Resource Kit utility onto every
> computer, it is in the Win2k Server Resource Kit, Supplement 1 (pay ware, and
> you will need a SQL server database as well).
>
> More about CCONNECT here:
> http://groups.google.co.uk/groups?selm=3F5CE888.8A3EE8D3%40hydro.com
>
> Coming from Microsoft is a product called LimitLogin (still in beta):
> http://bink.nu/?ArticleID=1452
>
> Here is a third option you may get to work:
>
> Tip 296 at http://www.jsiinc.com/
>
> 0296 » A better way to prevent a user from logging on more than once.
> http://www.jsiinc.com/SUBA/tip0200/rh0296.htm
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx

Instead of the current "solutions" which require database installations I simply
added an integer attribute to the Active Directory schema with a minimum value of
0 and then edited the user object class to have the new attribute as optional.

I created a logon and logoff script that will either increment or decrement this
value to keep track of logons. The logon script will increment the value to 1 if
it is 0 and if it is 1 it will increment to 2, pop up a dialog alerting the user
to what is happening (if they are already logged in somewhere else) and when the
user clicks OK the script utilizes the WMI shutdown ability to log the user off
w/o them being able to do anything. The logoff script simply decrements the
integer (not necessarily to a 0). When a group policy is in place that makes
scripts run synchronously the Desktop and icons will not show up because the user
is immediately logged off. The scripts are put into 2 separate group policies,
one as a login and the other as a logoff script. It works quite nicely
considering it's a free solution. The scripts are heavily optimized by grabbing
the windows environment variable containing the username and using that as a
search filter in the LDAP query. That way there is only one result returned from
the ADS query and I don't have to have a loop setup. The workstation environment
variable was also grabbed in order to use it as an argument to the function that
logs the user off the workstation using WMI.

Further details:
I then modified the security permissions of the OUs the users are located in and
added the SELF user principal name. I clicked Advanced on the permissions window
so I could get more granular control of permissions. I selected the SELF entry
and clicked Edit. I then clicked on the Properties tab and chose User Objects in
the Apply Onto dropdown box. Then I gave Allow access to "Write
<newattributename>". Basically, this gives regular users the correct permission
to write a value to the new attribute but it only allows them to write to their
own w/o having to specify each user explicitly because I used the SELF user
principal name.

For users who got created before the new attribute was part of the user object
class I simply made a script that grabbed all the users in the OUs that I had
added and set their attribute value to a 0 to basically initialize it. For users
who haven't been created yet the attribute is initialized by how the logon script
first sets it.

If this is a bit confusing feel free to email me with questions.

Brandon
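The counter-attribute scheme described in the post above, written out as an added example. This is not Brandon's script (his own code is not on the page); it is one reading of his description. It assumes a custom integer attribute named myLogonCount (a hypothetical name, substitute your own), that the script is assigned through Group Policy once as a logon script with the argument "logon" and once as a logoff script with the argument "logoff", and that SELF has been granted "Write myLogonCount" on the users' OUs as described. The "init" mode is the one-time initialization script for pre-existing accounts and is run by an administrator with the OU's distinguished name as the second argument.

```vbscript
' logoncount.vbs - added example, not the original poster's script.
'   cscript logoncount.vbs logon            (GPO user logon script)
'   cscript logoncount.vbs logoff           (GPO user logoff script)
'   cscript logoncount.vbs init "OU=Staff,DC=example,DC=com"   (admin, once)
Option Explicit

Const ATTR = "myLogonCount"        ' hypothetical attribute name; adjust to your schema
Const MAX_SESSIONS = 1             ' sessions allowed before a new one is logged off
Const EWX_LOGOFF_FORCE = 4         ' Win32Shutdown flags: logoff (0) + force (4)

Dim shell : Set shell = CreateObject("WScript.Shell")

' One-result LDAP query: filtering on sAMAccountName (taken from the %USERNAME%
' environment variable) means no loop over a result set is needed.
Function FindUserDN(sam)
    Dim root, conn, cmd, rs
    Set root = GetObject("LDAP://RootDSE")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "<LDAP://" & root.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & sam & "));" & _
        "distinguishedName;subtree"
    Set rs = cmd.Execute
    If rs.EOF Then
        FindUserDN = ""
    Else
        FindUserDN = rs.Fields("distinguishedName").Value
    End If
    rs.Close : conn.Close
End Function

' Read the counter; an account that has never set the attribute reads as 0,
' which is how new accounts get initialized by their first logon.
Function ReadCount(adUser)
    On Error Resume Next
    ReadCount = CLng(adUser.Get(ATTR))
    If Err.Number <> 0 Then ReadCount = 0
    On Error GoTo 0
End Function

' Write the counter. Running as the user, SetInfo only succeeds because the
' SELF ACE grants Write <ATTR> on the user's own object.
Sub WriteCount(adUser, n)
    adUser.Put ATTR, CLng(n)
    adUser.SetInfo
End Sub

' Log the interactive user off the local workstation through WMI. A plain
' logoff needs no shutdown privilege, unlike reboot/shutdown flags.
Sub ForceLogoff(computer)
    Dim wmi, os
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & computer & "\root\cimv2")
    For Each os In wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")
        os.Win32Shutdown EWX_LOGOFF_FORCE
    Next
End Sub

Dim mode : mode = LCase(WScript.Arguments(0))   ' fails loudly if no mode was given
Dim sam  : sam  = shell.ExpandEnvironmentStrings("%USERNAME%")
Dim host : host = shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
Dim dn, adUser, n

Select Case mode
Case "logon"
    dn = FindUserDN(sam)
    If dn = "" Then WScript.Quit 1
    Set adUser = GetObject("LDAP://" & dn)
    n = ReadCount(adUser) + 1
    WriteCount adUser, n                ' incremented even when over the limit, so
    If n > MAX_SESSIONS Then            ' the logoff script's decrement balances it
        MsgBox "You are already logged on to another computer." & vbCrLf & _
               "This session will now be logged off.", _
               vbOKOnly + vbExclamation, "Multiple logon"
        ForceLogoff host
    End If
Case "logoff"
    dn = FindUserDN(sam)
    If dn = "" Then WScript.Quit 1
    Set adUser = GetObject("LDAP://" & dn)
    n = ReadCount(adUser) - 1
    If n < 0 Then n = 0                 ' never go negative after an unclean exit
    WriteCount adUser, n
Case "init"
    ' Administrator only: zero the attribute for every user object in the OU
    ' (IADsContainer.Filter on "user" does not return computer objects).
    Dim ou, obj
    Set ou = GetObject("LDAP://" & WScript.Arguments(1))
    ou.Filter = Array("user")
    For Each obj In ou
        WriteCount obj, 0
    Next
End Select
```

Two caveats a practitioner should weigh before relying on this. First, because the user's own account holds the write permission, any user can reset the counter to 0 with ADSI or ldp.exe and log on twice; this is a convenience control against accidental double logons, not a security boundary, and a hard limit needs a server-side enforcement point (the LimitLogin and CCONNECT approaches mentioned earlier in the thread put the bookkeeping outside the user's reach). Second, a crash, hard reset or a session ended while the domain controller is unreachable leaves the counter high, which is why the logoff branch clamps at 0 and why the init mode exists as the administrator's reset; the logon branch also assumes the logoff script still runs after the forced logoff, which should be confirmed on the target operating system before deployment.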


