Elton said:
Thanks Paul for the prompt reply. Since English is not my primary
language, I may not deliver it properly in writing ...
"Anyway you will have to upgrade to 2003 to use limitlogin"
Is the limitlogin that you mention an application written by a 3rd party or
one of the features in 2k3 AD?
We have a plan to upgrade the AD to 2k3, but are trying not to use a non
built-in or non-Microsoft solution for the problem. Further, it seems like
the product will limit logins to Intranet web services as well. Does that mean
users who log in to an Intranet web site that requires AD authentication will
also be affected?
thanks

I think MS not implementing this as a builtin function is pretty
shortsighted on their part but anyway, my solution is similar to what I
believe the limitlogin application does (keeps track of hostname).
My news server doesn't go back far enough to have the message that I
posted on this subject previously however I believe the subject title
was "recording users logon/logoff times". A summary if you can't find
that is that I created my own attribute in the AD schema to keep track
of the hostname the user is currently logged into. I update that with a
vb script when the user logs in and with another script that resets the
value back to a "null" when the user logs off.
The logon script checks the value of that string and if it is "null" it
lets the user login, when the value of the string is the same as the
hostname of the machine they are currently trying to log into the script
assumes they were improperly knocked off of the machine and still lets
them in. If the value is different (2 different hostnames) the script
assumes they are already logged in somewhere and with a WMI method call
it will log them off immediately. In conjunction with a GPO setting that
makes scripts run synchronously at login it allows nothing else to load
(other than wallpaper) so a user isn't able to do anything before they
get logged off (other than click an OK button on the vb window I pop up
alerting the user as to what is going on).
For administrators we (in a gov't facility) were able to write a
justification to show that admins needed to log in multiple times so
they allowed us to still implement the script for the admins but we were
allowed to just warn the admins that they were logged in somewhere else
and not force them to be kicked off the machine. This solution does not
require any database like the cConnect application does and it also
doesn't require win2k3 as far as I know because you just need to change
the schema, use WMI, and then ideally have the GPO setting available to
you as well in the win2k3 gpo settings. If you have all that then you
can do this and from what I've seen it works very well.
hope that helps
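
A sketch of the logon and logoff check described in the post above, added here as an example and not the poster's own script. It is written in PowerShell rather than the VBScript the post mentions; the attribute name `currentLogonHost` and all function names are assumptions, and each user is assumed to have write access to that attribute on their own object.

```powershell
# Added example. 'currentLogonHost' is a hypothetical name for the custom
# schema attribute; the post does not say what its attribute is called.
$AttrName = 'currentLogonHost'

function Get-LogonDecision {
    param(
        [string]$Recorded,        # value currently stored on the user object
        [string]$ThisHost,        # machine the user is logging on to
        [bool]$IsAdmin = $false   # admins are warned instead of logged off
    )
    # "null" (or never set) means no session is recorded anywhere.
    if ([string]::IsNullOrEmpty($Recorded) -or $Recorded -eq 'null') { return 'Allow' }
    # Same host: the previous session ended without the logoff script running.
    if ($Recorded -eq $ThisHost) { return 'Allow' }
    if ($IsAdmin) { return 'Warn' }
    return 'Logoff'
}

function Get-CurrentUserEntry {
    # Look up the logged-on user's own AD object through ADSI.
    $hit = ([adsisearcher]"(sAMAccountName=$env:USERNAME)").FindOne()
    return [adsi]("LDAP://" + $hit.Properties['distinguishedname'][0])
}

function Invoke-LogonCheck {          # run from the (synchronous) logon script
    param([bool]$IsAdmin = $false)
    $user     = Get-CurrentUserEntry
    $recorded = [string]$user.Properties[$AttrName].Value

    switch (Get-LogonDecision -Recorded $recorded -ThisHost $env:COMPUTERNAME -IsAdmin $IsAdmin) {
        'Logoff' {
            # Win32Shutdown flag 4 = forced logoff. The attribute is left
            # untouched so the session on the other host stays recorded.
            Get-CimInstance Win32_OperatingSystem |
                Invoke-CimMethod -MethodName Win32Shutdown -Arguments @{ Flags = 4 }
            return
        }
        'Warn' { Write-Warning "This account is already logged on at $recorded." }
    }
    # Allow or Warn: record this host (assumption: for admins the latest host wins).
    $user.Put($AttrName, $env:COMPUTERNAME)
    $user.SetInfo()
}

function Clear-LogonHost {            # run from the logoff script
    $user = Get-CurrentUserEntry
    $user.Put($AttrName, 'null')      # the post resets the value to "null"
    $user.SetInfo()
}
```

Because the user account itself writes the attribute, the stored value is only as trustworthy as the user's session; the scheme limits accidental or casual concurrent logons rather than a user who can edit their own object.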