Nitesh said:
Hi all,
I have a network on a Windows Server 2003 Active Directory domain.
By default Active Directory allows a single user to log on to multiple
computers simultaneously.
For example, one user, USER A, can log on to COMPUTER A and simultaneously he
can log on to COMPUTER B also without logging off from COMPUTER A.
Now for some reasons I want to restrict the domain users from logging on to
multiple computers simultaneously, without restricting them to logging on to some
particular systems only. I mean I want to set them free to log on to any
computer in the domain but restrict their logon session in the domain to only one
until they log out.
Thanks in advance.
Regards
Nitesh
At work I was required to do this in order to meet Security requirements of the
government. I created 2 scripts (one is executed in a GPO at login, the other
in a GPO at logoff). I created a new attribute in the ADS schema and added it
to the user object class. The attribute is a single valued case-insensitive
string that keeps track of the hostname of the machine that the user has logged
in to. When the user logs in the hostname of the machine is put into the
attribute of the user object. If the user logs in somewhere else the hostname of
*that* machine is grabbed and compared to the hostname stored. If they do not
match then the script uses WMI to force the user to be logged off. If they do
match the script assumes that something bad happened before (improper shutdown)
that caused the logoff script to not blank out the attribute and so it lets the
user in. By setting the GPO option of running scripts synchronously you can set
it up so that the script pops up a VBS window letting the user know what happened,
and during this time the Desktop won't load until the script finishes.
Unfortunately for the user as soon as the OK button on their popup window is
clicked the last thing in the script is to log them off, so the user never has a
chance to actually see his/her Desktop due to it not loading until the script
was finished. This has worked out very nicely for the system I implemented this
on. Incidentally the logoff script has the intelligence to not totally blank
out the attribute when logging the user out of their 2nd session; it still keeps
the original hostname so that a 3rd attempt at a login would fail as well.
This may not have the flexibility of LimitLogin but if you only want the users
to login once for any machine in the domain then it will work fine. I'm sure
you could modify the attribute to be multi valued and parse each hostname that
is stored in order to keep track of however many logins you would want per user
although it still wouldn't let you have varying login counts per user (not sure
of the usefulness of that anyway; the admins at work are the only ones who are
allowed to login more than once and even they are at least alerted to their
other logins with the same script).
hope this helps
brandon
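The logon/logoff pair Brandon describes, written out as an added PowerShell example (this is not his original VBS and not code from the thread). It assumes the custom single-valued string attribute added to the user class is named `loggedOnHost` (a hypothetical name), that the ActiveDirectory module is available on the client, and that users have been granted write access to that one attribute on their own object so a script running in their own context can update it.

```powershell
<#
  Added example, not the original poster's script.
  One script serves as both the GPO logon and logoff script; the GPO passes
  -Mode Logon or -Mode Logoff as the script parameter.
  Assumptions: custom attribute "loggedOnHost" (hypothetical name) exists on
  the user class, the ActiveDirectory module is installed on the client, and
  the user can write that attribute on his own object.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Logon', 'Logoff')][string]$Mode
)

Import-Module ActiveDirectory

$attr = 'loggedOnHost'          # hypothetical schema attribute name
$me   = $env:USERNAME           # sAMAccountName of the logging-on user
$here = $env:COMPUTERNAME       # hostname of this machine

function Get-StoredHost {
    # Returns the hostname recorded in the user's attribute, or $null/empty.
    (Get-ADUser -Identity $me -Properties $attr).$attr
}

function Show-Notice([string]$Text) {
    # WScript.Shell popup, the same idea as the VBS window in the post.
    # It auto-dismisses after 30 s so an unattended machine is still logged off.
    $shell = New-Object -ComObject WScript.Shell
    $null = $shell.Popup($Text, 30, 'Logon denied', 48)   # 48 = exclamation icon
}

function Invoke-LogonCheck {
    $stored = Get-StoredHost
    if ([string]::IsNullOrEmpty($stored)) {
        # No session recorded: claim the slot for this machine and let the user in.
        Set-ADUser -Identity $me -Replace @{ $attr = $here }
        return
    }
    if ($stored -ieq $here) {
        # Same machine as the recorded session: the logoff script never ran
        # (crash, power loss), so treat the record as stale and let the user in.
        return
    }
    # Different machine: the user already has a session elsewhere.
    Show-Notice "You are already logged on at $stored. Log off there first. This session will now be closed."
    # Win32Shutdown flags: 0 = logoff, 4 = force; 4 alone is a forced logoff.
    Invoke-CimMethod -ClassName Win32_OperatingSystem -MethodName Win32Shutdown `
        -Arguments @{ Flags = 4 } | Out-Null
}

function Invoke-LogoffCleanup {
    $stored = Get-StoredHost
    # Only the machine that owns the recorded session clears the attribute.
    # When a second session is force-logged-off, $stored is the first host,
    # not $here, so the original hostname stays and a third attempt still fails.
    if ($stored -ieq $here) {
        Set-ADUser -Identity $me -Clear $attr
    }
}

switch ($Mode) {
    'Logon'  { Invoke-LogonCheck }
    'Logoff' { Invoke-LogoffCleanup }
}
```

Assign the same file under User Configuration > Windows Settings > Scripts as both the logon script (parameter `-Mode Logon`) and the logoff script (parameter `-Mode Logoff`), and enable "Run logon scripts synchronously" so the Desktop does not appear before the check finishes. Two caveats a practitioner should keep in mind: the read-then-write on the attribute is not atomic, so two logons started at nearly the same instant can both see an empty attribute; and because this runs as a client-side script in the user's own session, it is an administrative control rather than a hard enforcement point.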