Solved

Prevent Simultaneous Logins in Windows 2000

Posted on 2002-05-24
Last Modified: 2007-12-19
Has anyone found a successful way to prevent users logging in to more than one machine at a time with the same account, while not restricting them to certain machines?

Have tried some utilities that claim to do this but they only restrict access to particular machines, which can be done directly in Windows anyway.

Background: college environment, users log in to a selection of different machines in labs.  Users can pass around and share account details with anyone.  Need to restrict only one login per user account at any one time.

Any suggestions or shared experiences or work-arounds in this area welcome,

thank you,
LMG

Question by:littlemissg
5 Comments
LVL 63

Expert Comment

by:SysExpert
Here is what I found.

http://www.jsiinc.com/TIP0200/rh0296.htm
http://www.jsiinc.com/TIP0100/rh0175.htm
0296 ; A better way to prevent a user from logging on more than once.

 In tip 175, I described a method for preventing a user from logging on more than once. Now, thanks to Nick Brown, there is a better way.

 Download NTNAME.ZIP. Here are excerpts from the NTNAME.DOC:

 NTNAME - a program to enforce one-logon-per-user

 NTNAME is a small utility which helps you build an NT network in which users can log on only once.

 You will need to combine NTNAME with an automatic logoff program such as LOGOUT.EXE (see tip 184), and have a consistent approach to user logon scripts.

 When you log on to NT, your PC adds a NetBIOS name consisting of your username, with Byte16=0x03. This name is used to send you broadcast messages; for example, when a print job completes.

 NTNAME simply checks to see whether the given name (specified as a command line parameter, although I suppose it could have been extracted from the environment in %USERNAME%) is owned by the current PC. If so, it outputs nothing and returns errorlevel 0. If not, it outputs the name of the owning system to the standard output (so you can capture it in a file) and returns errorlevel 1.

 If you get this errorlevel, it generally means that you are already logged in on another PC. It's then up to you to write a logon script to detect this and log the user off. On our site it looks something like this:

 REM NTNAME prints the owning PC (if any) and sets errorlevel 1 when another PC owns USERNAME<03>
 NTNAME %USERNAME% >%TEMP%\OTHERPC.TXT
 if not errorlevel 1 goto logon_ok
 for /f %%f in ('TYPE %TEMP%\OTHERPC.TXT') do @echo Already logged onto %%f
 REM logout.exe lives next to this script; %0\..\ resolves to the script's own directory
 %0\..\logout.exe
 :logon_ok

 You can make a prettier message with a scripting tool like KIXtart. Just remember that because you can't do system modal dialogs in NT, if you allow a wait for the user to read the message before starting the logoff, you allow the user time to find the process which is about to log them off, and kill it.

 The main problem will be if you have multiple domains and workgroups on your LAN with different people creating usernames.
 In this case user SMITH in one domain can fail to log on because user SMITH in another domain is not logged off.

 In this case you can try NTNAME2. This adds your NetBIOS name, with a Byte16 value which you can specify (default is 0xCE).
 If you use a different Byte16 value on each domain, or even if you just use NTNAME2 on your domain and don't bother on the others, you should avoid conflicts. However, this is slightly slower (you have to wait for the check to time out when adding the name), and you risk conflicts with other NetBIOS applications which might use your Byte16 value.

 There are a couple of disadvantages to the approach in tip 175:

 - If the home share's server is down, you can log on anyway (another BDC will take over). You might not want to stop people from working in this case.

 - If another user accidentally connects to the home share, it will eat the only allowed connection. This can happen very easily, even with hidden share names. For example, if Fred and Joe share a PC, and use Outlook, and they don't have the master's degree in nuclear physics required to get the Outlook bar onto a network drive, they will share an Outlook bar. If Fred puts a shortcut to his home share on there, and Joe clicks on it, then Joe will connect to Fred's home share, even if the share-level protection is set up to deny him access, and the connection won't go away until Joe logs out!!! The network security is only applied after you have connected.
---
http://www.jsiinc.com/SUBA/tip0200/rh0296.htm
http://www.jsiinc.com/suba/tip0100/rh0175.htm
http://www.jsiinc.com/suba/tip0100/rh0120.htm
175 ; Prevent users from logging on more than once.

 Other than restricting logon to a single computer, Windows NT does not support any standard method of preventing multiple logons. Here is a method that does work:

 1. Create a hidden share for each user's home directory and assign share permissions for that user only. I use meaningless alphanumeric strings to prevent guessing the share name. Example: a1hl2o$. Set the User Limit to Allow 1 Users

 2. Create a %UserName%.txt file in each user's home directory with read permissions only for that user.

 3. Implement a KixTart login script per tip 120.

 4. Add the following to the logon script, immediately before the cookie1 statement.

     ; Warning text in the NetLogon share; @LSERVER expands to \\<logon server>
     $K = "@LSERVER" + "\" + "NETLOGON" + "\" + "Once.txt"
     ; Marker file in the user's home directory, which the script mapped to X: earlier
     $J = "x:\" + "@USERID" + ".txt"
     ; If X: was mapped (the share's single allowed connection was free) the file is visible
     if exist ("$J")
      goto done
     endif
     ; Otherwise show the warning, then force a shutdown: no timeout, forced, no reboot
     CLS
     AT (1,1)
     display "$K"
     Sleep 3
     $RC = shutdown("", "Shutdown in progress!", 0, 1, 0)
     :done

 Where once.txt is in the NetLogon share and contains:

     You are logged on more than once!
     Press CTRL + ALT + DELETE
     Press Shutdown

 Why does this method work? Since only 1 user is allowed to connect to the user's share, the use command in the logon script fails to map a drive letter if 1 connection to that share already exists. This causes the if exist on %UserName%.txt to be false, invoking the shutdown process. Since the logon script hasn't finished, the manual keystrokes requested in once.txt are required. If a user does not follow these instructions, they are prevented from completing the logon because the shutdown is pending.

---------------

I hope this helps !
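The NetBIOS mechanism NTNAME relies on (a unique name USERNAME<03> registered by whichever PC logged the user on) can be exercised directly with an NBNS name query. What follows is an added example, not NTNAME's or JSI's code: it encodes the name per RFC 1002, builds the query, parses the answer and reduces it to NTNAME's errorlevel-style verdict. Python is used so the packet handling can be checked offline. The username SMITH, the addresses 192.168.1.50 / 192.168.1.7 and the transaction ids are constructed for the demonstration; the live broadcast function query_name_owners is an assumption about how one would drive this on a real segment, since NTNAME itself consults the local name table rather than broadcasting.

```python
# NBNS (NetBIOS Name Service, RFC 1001/1002) lookup of <USERNAME><03>.
# Added example, not NTNAME's own code; sample names/IPs are constructed.
import socket
import struct

NB_TYPE = 0x0020          # RR type NB (NetBIOS general name service)
IN_CLASS = 0x0001
NBNS_PORT = 137
SUFFIX_MESSENGER = 0x03   # <03>: the per-user name registered at logon


def encode_netbios_name(name, suffix):
    """RFC 1002 first-level encoding: 15 space-padded bytes + 1 suffix byte, each
    byte split into two nibbles offset by 'A', framed as one 32-char label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    half = bytearray()
    for b in raw:
        half += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(half) + b"\x00"


def decode_netbios_name(label):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = label[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(txid, name, suffix=SUFFIX_MESSENGER):
    """NAME QUERY REQUEST, broadcast flavour: opcode 0, RD=1, B=1 -> flags 0x0110."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def build_name_query_response(txid, name, suffix, owner_ips, ttl=300000):
    """Positive NAME QUERY RESPONSE as the owning host sends it (flags 0x8580:
    response, authoritative, RD, RA, RCODE 0). NB_FLAGS 0 = B-node, unique name."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    rdata = b"".join(struct.pack(">H", 0) + socket.inet_aton(ip) for ip in owner_ips)
    rr = encode_netbios_name(name, suffix) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata))
    return header + rr + rdata


def parse_name_query_response(pkt, txid):
    """IPv4 owners from a positive NAME QUERY RESPONSE; [] for a negative
    response (RCODE != 0), a request, or a mismatched transaction id."""
    if len(pkt) < 12:
        return []
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    off, owners = 12, []
    for _ in range(ancount):
        off += 2 if pkt[off] & 0xC0 == 0xC0 else 34   # pointer to the question name, or a full label
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == NB_TYPE:
            for i in range(0, rdlen, 6):               # NB_FLAGS(2) + NB_ADDRESS(4) per entry
                owners.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return owners


def single_logon_check(my_ip, owners):
    """Mirror NTNAME's exit status: (True, None) when the name is unowned or owned by
    this PC, otherwise (False, owner_ip) so the logon script can log the user off."""
    for ip in owners:
        if ip != my_ip:
            return False, ip
    return True, None


def query_name_owners(name, suffix=SUFFIX_MESSENGER, broadcast="255.255.255.255", timeout=2.0):
    """Broadcast one query on UDP/137 and gather every owner that answers (live use only)."""
    txid = 0x5A5A
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    owners = []
    try:
        sock.sendto(build_name_query(txid, name, suffix), (broadcast, NBNS_PORT))
        while True:
            try:
                data, _ = sock.recvfrom(1024)
            except socket.timeout:
                break
            owners.extend(parse_name_query_response(data, txid))
    finally:
        sock.close()
    return owners


if __name__ == "__main__":
    # Offline round trip: a constructed answer from 192.168.1.50 claiming SMITH<03>,
    # evaluated from a second PC at 192.168.1.7.
    txid = 0x1234
    reply = build_name_query_response(txid, "SMITH", SUFFIX_MESSENGER, ["192.168.1.50"])
    owners = parse_name_query_response(reply, txid)
    ok, other = single_logon_check("192.168.1.7", owners)
    print("owners:", owners, "logon allowed:", ok, "already logged on at:", other)
```

Run stand-alone it replays the constructed exchange; query_name_owners("smith") would instead broadcast on the local segment (UDP 137 must not be filtered). Two caveats a practitioner should keep in mind: NBNS registration is unauthenticated, so any host on the segment can register or answer for a name, and the logoff is enforced by a client-side script the user can interrupt (as the NTNAME documentation above notes). This is an administrative convenience, not a security boundary.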
LVL 3

Accepted Solution

by: mrwolf (earned 500 total points)
Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0 (Q237282)

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q237282

SUMMARY
This article describes how to limit concurrent connections for all users in a Windows 2000 or Windows NT 4.0 environment.

MORE INFORMATION
Install the Windows 2000 Resource Kit tool named CConnect.exe on each client computer. This tool, in conjunction with an .adm file supplied by the tool, can perform the following functions:

- Limit concurrent connections per user.
- Log off remote computers when concurrent connections are reached.
- List all computers that a user is logged on to.
- List logon servers for each user.
- Show how many users are logged on to a domain controller (DC).
- Force a logoff when concurrent connections are reached.
- Enable debugging of the CConnect tool.
- Write events to the event log of a specified server concerning the status of the CConnect tool.
- Save all lists to a file for further examination.
- Track the last user of the computer and only limit that user from logging on to the computer if the computer was shut down improperly.

This tool is included with the Windows 2000 Resource Kit and works with both Windows NT 4.0 and Windows 2000. For Windows 2000, there are no system requirements. For Windows NT 4.0, the following requirements exist:

- Windows NT 4.0 Service Pack 3 or later must be installed.
- Microsoft Data Access Components (MDAC) 2.0 must be installed.
- Windows Scripting Host must be installed.
- Web Based Enterprise Management (WBEM) must be installed.

Version 2.0
Version 2.0 supports Terminal Server restrictions.
Requirements
Windows NT 4.0 Terminal Server: Service Pack 4 or later
Windows 2000: No requirements
Version 2 will be available for public use on the next Windows 2000 Resource Kit. Version 1.3 is on the first Windows 2000 Resource Kit.


Author Comment

by:littlemissg
Thank you both.

SysExpert:  I had come across this solution before on the web but had no success in attempts to implement it; it is quite messy. Thanks though.

MrWolf:  This sounds promising; this Resource Kit utility had escaped me.  I have read up on it today and like the way it sounds, using Group Policy & SQL Server etc.  I will try testing it out over the next couple of days when time permits and post the outcome asap.

thanks.


Author Comment

by:littlemissg
Thanks MrWolf, the CConnect utility works a treat, thanks a mill,
LMG.

Expert Comment

by:nets
Hello Littlemsg and all

Have you implemented this using NTNAME? I have made it work with NTNAME, but my problem is that NTNAME is not working on some machines, while it is working on most of the machines.

My script looks similar to:

@ECHO OFF
REM Map the NETLOGON share on Z: (drop any stale Z: mapping first)
net use z: /d
net use z: \\server\netlogon

REM errorlevel 0: this PC owns USERNAME<03>; errorlevel 1: another PC does, and its name is in OTHERPC.TXT
z:\ntname %USERNAME% >%TEMP%\OTHERPC.TXT
if not errorlevel 1 goto logon_ok

for /f %%f in ('TYPE %TEMP%\OTHERPC.TXT') do @echo Already logged onto %%f

REM Log this session off; the cleanup below is never reached in that case
z:\logout.exe
:logon_ok

net use z: /delete

What could be the problem?
it will be much more useful for me if someone could throw some light on this issue

Thanks to all
Sakthis
