Prevent Simultaneous Logins in Windows 2000

Has anyone found a successful way to prevent users logging in to more than one machine at a time with the same account, while not restricting them to certain machines?

Have tried some utilities that claim to do this but they only restrict access to particular machines which can be done directly in Windows anyway.

Background: college environment, users log in to a selection of different machines in labs. Users can pass around and share account details with anyone. Need to restrict to only one login per user account at any one time.

Any suggestions or shared experiences or work-arounds in this area welcome,

thank you,


mrwolf Commented:
Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0 (Q237282)

This article describes how to limit concurrent connections for all users in a Windows 2000 or Windows NT 4.0 environment.

Install the Windows 2000 Resource Kit tool named CConnect.exe on each client computer. This tool, in conjunction with an .adm file supplied by the tool, can perform the following functions:

Limit concurrent connections per user.

Log off remote computers when concurrent connections are reached.

List all computers that a user is logged on to.

List logon servers for each user.

Show how many users are logged on to a domain controller (DC).

Force a logoff when concurrent connections are reached.

Enable debugging of the CConnect tool.

Write events to the event log of a specified server concerning the status of the CConnect tool.

Save all lists to a file for further examination.

Track the last user of the computer and only limit that user from logging on to the computer if the computer was shut down improperly.

This tool is included with the Windows 2000 Resource Kit and works with both Windows NT 4.0 and Windows 2000. For Windows 2000, there are no system requirements. For Windows NT 4.0, the following requirements exist:
Windows NT 4.0 Service Pack 3 or later must be installed.

Microsoft Data Access Components (MDAC) 2.0 must be installed.

Windows Scripting Host must be installed.

Web Based Enterprise Management (WBEM) must be installed.

Version 2.0
Version 2.0 supports Terminal Server restrictions.
Windows NT 4.0 Terminal Server: Service Pack 4 or later
Windows 2000: No requirements
Version 2 will be available for public use on the next Windows 2000 Resource Kit. Version 1.3 is on the first Windows 2000 Resource Kit.

Here is what I found.
0296 ; A better way to prevent a user from logging on more than once.

 In tip 175, I described a method for preventing a user from logging on more than once. Now, thanks to Nick Brown, there is a better way.

 Download NTNAME.ZIP. Here are excerpts from the NTNAME.DOC:

 NTNAME - a program to enforce one-logon-per-user

 NTNAME is a small utility which helps you build an NT network in which users can log on only once.

 You will need to combine NTNAME with an automatic logoff program such as LOGOUT.EXE (see tip 184 ), and have a consistent approach to user logon scripts.

 When you log on to NT, your PC adds a NetBIOS name consisting of your username, with Byte16=0x03. This name is used to send you broadcast messages; for example, when a print job completes.

 NTNAME simply checks to see whether the given name (specified as a command line parameter, although I suppose it could have been extracted from the environment in %USERNAME%) is owned by the current PC. If so, it outputs nothing and returns errorlevel 0. If not, it outputs the name of the owning system to the standard output (so you can capture it in a file) and returns errorlevel 1.

 If you get this errorlevel, it generally means that you are already logged in on another PC. It's then up to you to write a logon script to detect this and log the user off. On our site it looks something like this:

 if not errorlevel 1 goto logon_ok
 for /f %%f in ('TYPE %TEMP%\OTHERPC.TXT') do @echo Already logged onto %%f
 %0\..\logout.exe
 :logon_ok

 You can make a prettier message with a scripting tool like KIXtart. Just remember that because you can't do system modal dialogs in NT, if you allow a wait for the user to read the message before starting the logoff, you allow the user time to find the process which is about to log them off, and kill it.

 The main problem will be if you have multiple domains and workgroups on your LAN with different people creating usernames.
 In this case user SMITH in one domain can fail to log on because user SMITH in another domain is not logged off.

 In this case you can try NTNAME2. This adds your NetBIOS name, with a Byte16 value which you can specify (default is 0xCE).
 If you use a different Byte16 value on each domain, or even if you just use NTNAME2 on your domain and don't bother on the others, you should avoid conflicts. However, this is slightly slower (you have to wait for the check to time out when adding the name), and you risk conflicts with other NetBIOS applications which might use your Byte16 value.

 There are a couple of disadvantages to the approach in tip 175:

 - If the home share's server is down, you can log on anyway (another BDC will take over). You might not want to stop people from working in this case.

 - If another user accidentally connects to the home share, it will eat the only allowed connection. This can happen very easily, even with hidden share names. For example, if Fred and Joe share a PC, and use Outlook, and they don't have the master's degree in nuclear physics required to get the Outlook bar onto a network drive, they will share an Outlook bar. If Fred puts a shortcut to his home share on there, and Joe clicks on it, then Joe will connect to Fred's home share, even if the share-level protection is set up to deny him access, and the connection won't go away until Joe logs out!!! The network security is only applied after you have connected.
175 ; Prevent users from logging on more than once.

 Other than restricting logon to a single computer, Windows NT does not support any standard method of preventing multiple logons. Here is a method that does work:

 1. Create a hidden share for each user's home directory and assign share permissions for that user only. I use meaningless alphanumeric strings to prevent guessing the share name. Example: a1hl2o$. Set the User Limit to Allow 1 Users

 2. Create a %UserName%.txt file in each user's home directory with read permissions only for that user.

 3. Implement a KixTart login script per tip 120.

 4. Add the following to the logon script, immediately before the cookie1 statement.

     ; x: is mapped to the user's home share earlier in the script (tip 120)
     $K = "@LSERVER" + "\" + "NETLOGON" + "\" + "Once.txt"
     $J = "x:\" + "@USERID" + ".txt"
     If Exist("$J")
       goto done        ; share connected and file readable: single logon, carry on (the :done label follows later in the script)
     EndIf
     AT (1,1)
     display "$K"       ; show once.txt from the NETLOGON share
     Sleep 3
     $RC = shutdown("", "Shutdown in progress!", 0, 1, 0)

 Where once.txt is in the NetLogon share and contains:

     You are logged on more than once!
     Press CTRL + ALT + DELETE
     Press Shutdown

 Why does this method work? Since only 1 user is allowed to connect to the user's share, the use command in the logon script fails to map a drive letter if 1 connection to that share already exists. This causes the if exist on %UserName%.txt to be false, invoking the shutdown process. Since the logon script hasn't finished, the manual keystrokes requested in once.txt are required. If a user does not follow these instructions, they are prevented from completing the logon because the shutdown is pending.


I hope this helps!
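The NetBIOS name check that NTNAME performs, as an added example (not part of the original post or of the NTNAME tool): it encodes USERNAME<03> per RFC 1002, builds the name query, and parses the owning PC's answer. The UDP broadcast to port 137 itself is left out; the response is constructed inline so the code runs offline, and all function names are this example's own.

```python
import socket
import struct
# Hypothetical re-implementation of NTNAME's check (not the original tool): query USERNAME<03>.

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding: 15 space-padded bytes + suffix byte, each byte as two 'A'..'P' nibbles."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    body = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + body + b"\x00"          # length byte, 32-char label, root label

def decode_netbios_name(label: bytes) -> tuple:
    """Inverse of the encoding above; `label` is the 32-byte body."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_name_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    # flags 0x0110: query, broadcast, recursion desired; one question of type NB, class IN
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)

def build_name_query_response(name: str, suffix: int, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed positive response (what the PC owning the name would send back)."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS: unique name, B-node
    rr = struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + encode_netbios_name(name, suffix) + rr

def parse_name_query_response(data: bytes) -> list:
    """Return [(owner_name, suffix, ip), ...] from a positive NB name query response."""
    hdr = struct.unpack(">HHHHHH", data[:12]) if len(data) >= 12 else None
    if not hdr or not hdr[1] & 0x8000 or hdr[3] == 0:   # not a response / no answers
        return []
    pos = 12 + hdr[2] * 38                 # skip any echoed question section
    entries = []
    for _ in range(hdr[3]):
        owner, sfx = decode_netbios_name(data[pos + 1:pos + 33])
        rr_type, _, _, rdlen = struct.unpack(">HHIH", data[pos + 34:pos + 44])
        rdata, pos = data[pos + 44:pos + 44 + rdlen], pos + 44 + rdlen
        if rr_type == 0x0020:
            for off in range(0, rdlen, 6):   # 2-byte NB_FLAGS + 4-byte IP per entry
                entries.append((owner, sfx, socket.inet_ntoa(rdata[off + 2:off + 6])))
    return entries

def ntname_check(username: str, local_ips: set, response: bytes) -> str:
    """Mirror NTNAME's verdict: '' if no other PC holds USERNAME<03>, else the owner's IP."""
    for _, _, ip in parse_name_query_response(response):
        if ip not in local_ips:
            return ip
    return ""
```

The byte-16 collision the post warns about is visible here: SMITH<03> registered from two domains is one and the same name, which is why NTNAME2 moves to a private suffix.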
littlemissg (Author) Commented:
Thank you both.

SysExpert: I had come across this solution before on the web but had no success in attempts to implement it; it is quite messy. Thanks though.

MrWolf: This sounds promising; this Resource Kit utility had escaped me. I have read up on it today and like the way it sounds, using Group Policy & SQL Server etc. I will try testing it out over the next couple of days when time permits and post the outcome asap.


littlemissg (Author) Commented:
Thanks MrWolf, the CConnect utility works a treat, thanks a mill,

Hello Littlemsg and all

Have you implemented this using NTNAME? I have made it work with NTNAME, but my problem is that NTNAME is not working on some machines while working on most of the machines.

my script looks similar to

net use z: /d
net use z: \\server\netlogon
rem NTNAME must run before the errorlevel test; z:\ntname.exe is an assumed location
z:\ntname.exe %USERNAME% > %TEMP%\OTHERPC.TXT
if not errorlevel 1 goto logon_ok
for /f %%f in ('TYPE %TEMP%\OTHERPC.TXT') do @echo Already logged onto %%f
:logon_ok
net use z: /delete

What could be the problem?
It would be very helpful if someone could shed some light on this issue.

Thanks to all