Can Windows 2003 limit Concurrent logon


Jason

I suppose not, but one of my peer colleagues said that it's built in or
extended as a user attribute by running a snap-in (which I doubt) and no
need for a SQL backend.

The previous version of "CConnect" is good for w2k and NT4 while the beta
version of "LimitLogin" disappeared from MS beta web link, am I missing one
of the latest and the greatest user attribute?

Thanks in advance !

Jason
 
The only way I have ever seen to do this in 2k/ 2k3 server is to write a
script in the logon that either increments a tracking file or writes to a
database on logon attempt. I have never seen anything in the AD to limit
this.

Anyone else??
 
One of our branch offices was challenged by Federal Auditors that (we are a
w2K AD domain) we do not have a mechanism in place to limit concurrent user
logon. (But we are a huge organization that is talking about 600 DCs
globally - what can be a better solution not to use native Windows Tools, if
any, other than going for a third party product like "Userlock"?)

Jason
 
There is also the old Windows 2000 resource kit tool called CCONNECT.EXE

Q: Restricting the Number of Concurrent Logons
A: This week, we first visit the continuing saga of network administrators
that need to manage their company's computing resources in a more granular
way. And who can blame them, with the occasional wild horse out there that
insists on doing things 'their way'. Let's remember, those computing
resources are the assets of your company, after all, and the cost of
supporting the ever increasing number of users is not getting any cheaper.
That's why there's the Zero Administration Kit and the continuing work done
in this area in Windows 2000.

"How can I restrict the number of concurrent logons on a per-user basis?"

This is a question that has been asked for a long time. Finally, there appears
to be a resolution to the network administrator's need to limit the number
of concurrent logons a user can perform.

In the upcoming Windows 2000 Resource Kit, there is a tool called
CCONNECT.EXE. This tool will provide a method to track users' concurrent
connections and monitor which computers users are logged into. CCONNECT will
run on Windows NT 4.0 SP4 (and up) and Windows 2000. The Windows 2000
Resource Kit is currently in beta, and parts of the Resource Kit are being
distributed on the Windows 2000 Release Candidate 2 beta CDs. Unfortunately,
CCONNECT is not one of the utilities that is included on the RC2 disk, so
you'll have to wait for the final release of the Resource Kit. Please keep
in mind: just like all betas, content (or features) are subject to
change—which includes what will make it in the final release. But we all
knew that.

To give you some more detail on what to expect with CCONNECT, here is the
current list of features:

a. Completely hidden from the end user's view
b. Keeps track of all computers that users are logged into
c. Allows concurrent connection limitations to be set on a per-user/group
   basis
d. All information is kept in a SQL database managed by the Administrator
e. Tracks last known user of the computer
f. Monitors what logon server users are logging into

CCONNECT comes with a Group Policy ADM file. This ADM file can be loaded
into System Policy Editor and allows multiple settings to be created through
group policy. These settings are:

a. Concurrent Connection Maximums
b. The SQL server connection information
c. Track Last User
d. Enable Debugging
e. Disable Remote Logoff Feature
f. Enable Force Logoff
g. Enable Event Logging
h. Enable Timer Logoff
i. Enable Silent Mode

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
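
The tracking-database approach described in the replies above (a logon script that records each logon, and CCONNECT's per-user limits kept in a SQL database), as an added example; it is not CCONNECT's code or any poster's. The schema, function names and the 15-minute stale timeout are assumptions, and sqlite3 stands in for the central SQL server. It also covers the failure mode a plain counter misses: a PC that crashes without running a logoff script.

```python
import sqlite3

# Hypothetical schema and names (assumptions, not CCONNECT's real tables).
def open_store(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # explicit transactions only
    db.execute("CREATE TABLE IF NOT EXISTS sessions (username TEXT, computer TEXT,"
               " last_seen REAL, PRIMARY KEY (username, computer))")
    db.execute("CREATE TABLE IF NOT EXISTS limits"
               " (username TEXT PRIMARY KEY, max_sessions INTEGER)")
    return db

def set_limit(db, user, max_sessions):
    db.execute("INSERT OR REPLACE INTO limits VALUES (?, ?)",
               (user.lower(), max_sessions))

def try_logon(db, user, computer, now, default_limit=1, stale_after=900):
    """Record the logon and return True if the user is under the limit."""
    user, computer = user.lower(), computer.upper()
    # Take the write lock first so two simultaneous logons cannot both
    # pass the count check and exceed the limit.
    db.execute("BEGIN IMMEDIATE")
    try:
        # Expire sessions that stopped reporting (crash, power loss).
        db.execute("DELETE FROM sessions WHERE username=? AND last_seen<?",
                   (user, now - stale_after))
        row = db.execute("SELECT max_sessions FROM limits WHERE username=?",
                         (user,)).fetchone()
        limit = row[0] if row else default_limit
        # Logging on again at the same computer does not count twice.
        others = db.execute("SELECT COUNT(*) FROM sessions WHERE username=?"
                            " AND computer<>?", (user, computer)).fetchone()[0]
        allowed = others < limit
        if allowed:
            db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
                       (user, computer, now))
        db.execute("COMMIT")
        return allowed
    except Exception:
        db.execute("ROLLBACK")
        raise

def logoff(db, user, computer):
    db.execute("DELETE FROM sessions WHERE username=? AND computer=?",
               (user.lower(), computer.upper()))

def where_logged_on(db, user):
    """Computers the user currently holds a session on."""
    rows = db.execute("SELECT computer FROM sessions WHERE username=?"
                      " ORDER BY computer", (user.lower(),))
    return [r[0] for r in rows]
```

A check made only in a logon script is advisory: it sees interactive logons on machines that run the script, and a denied result still has to be enforced by forcing a logoff on the client.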
 
Mike, the reason that we don't use CConnect is that:

- it requires a SQL database, which needs to be distributed across regions.
- it requires client software to be installed
- it's a resource kit tool which is not officially supported by Microsoft
(we have 40K users and PCs)

Unfortunately, it seems like even with W2k3, there is no such tool? What
about the LimitLogin beta?

Jason
 
I did find this document when I was looking it up, it just bothers me that
it dates to the time before the 2000 ResKit was even released and there is
nothing on it after that. They did say that there would be an ADM for it to
control it with a GPO.

This might be the way to go if you can get it tested and going.
 

See tip 8768 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
 
(Thanks Jerold)

I have further questions that I wish to be answered:

- Is "RUNAS" an authentication and treated as a "logon"?
- If a user has mapped drives to a folder resource, for example, is this treated
as a logon by Windows, strictly speaking?


Jason
 
Jason said:
(Thanks Jerold)

I have further questions that I wish to be answered:

- Is "RUNAS" an authentication and treated as a "logon"?
- If a user has mapped drives to a folder resource, for example, is this
treated as a logon by Windows, strictly speaking?

If the user is using a different set of credentials to access a resource at
a file server then that server will use those credentials to do an
authentication and then build a locally held access token to verify
authorization to that resource.

The problem here is that you never really logon to anything other than your
PC - your access to resources results in those servers performing an
authentication of the credentials you provide (whatever they may be) and then
building the relevant access token for use by the security manager and
object manager to check your access permission on the resource.

Windows is not really like a classic mainframe etc. where you logon to the
system - you are logged on to your PC and then in part by every system you
access for resources - think of it like lots of local logons to those
servers etc.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 