Solved

User Logons: Windows Domain

Posted on 2004-08-25
Last Modified: 2010-04-11
Hello,

I would like to allow the users in my win2k server/xp client domain to only be allowed to log on to any one workstation at a time. I am not using terminal services; it is just a standard server/client setup with AD. E.g. if I have a user account called student07, I don't want him to be able to log onto PC01 and PC02 at the same time. Is this a GPO setting or an AD Users and Computers setting? Where do I find it on WIN2K server?

Thanks
Question by:TawVb
11 Comments
 
LVL 3

Assisted Solution

by:Julian_C
Julian_C earned 50 total points
ID: 11891304
Hi

I'm very sorry to say that this is not possible with an "out of the box" win2k installation. You can achieve something like this using the resource kit tool cconnect.exe, but this uses a database to keep track of logons, and I've read lots of reports that it doesn't handle logoff very well and that it is easy to get yourself prevented from logging in at all.

Sorry to bear the bad news.

Cheers
Julian
 
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 11891324
Check out the following for the lowdown:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q237282

Cheers
Julian
0
 
LVL 104

Accepted Solution

by:
Sembee earned 75 total points
ID: 11891718
The other way that you can do it - if each user has their own share - is to limit the number of connections to each share. Run a login script that checks for a successful connection to the share and logs off again if the connection fails (because the user is already connected).

Simon.
0
 
LVL 6

Expert Comment

by:vand
ID: 11892479
Quote from WINNT Magazine

The good news is that you can use the Microsoft Windows 2000 Server Resource Kit's Con-Current Connection Limiter utility (cconnect.exe) to restrict concurrent user logons. The bad news is that the tool has a somewhat involved installation procedure. You must install cconnect.exe on each of your Win2K and Windows NT 4.0 Service Pack 4 (SP4) or later clients (the utility doesn't support pre-SP4 NT, Windows Me, or Windows 9x clients). Furthermore, to successfully run Cconnect, your NT clients must also run Microsoft Data Access Components (MDAC) 2.0, Windows Script Host (WSH), and Web-Based Enterprise Management (WBEM). And you must set up a Microsoft SQL Server 6.5 or later database in which cconnect.exe will store data.

Setting up Cconnect takes a bit of effort, but the rewards make the trouble worthwhile. This versatile utility includes several components, including logon and logoff VBScript scripts and batch files, a client-side executable and setup utility, an administrative console and setup utility, documentation, and other assorted files. The tool's features not only let you limit concurrent connections on a per-user basis but also let you list the computers and logon servers that users are logged on to, save the lists to a file for further examination, determine how many users are logged on to a domain controller (DC), force logoffs when users reach the concurrent-connections limit, identify an improper shutdown and lock the system so that only the most recent user can log back on, debug the tool, and write events concerning the tool's status to a specified server's event log.

Cconnect.exe includes the cconnect.adm file, which you can use in conjunction with Win2K Group Policy and NT 4.0 System Policy to configure the tool's settings. One of these settings is cconnect.exe's SQL Server connection information. You must use the .adm file to supply certain SQL Server logon credentials (i.e., your SQL Server system name and a SQL Server username and password) so that the utility can access the SQL Server database in which it stores information. (Optionally, you can enter this information in the registry or you can enter the information manually, as Figure 1 shows, the first time you run cconnect.exe on each client. For detailed information about installing, configuring, and administering cconnect.exe, refer to the cconnect.doc file, which resides along with the utility's other components in the resource kit CD-ROM's \apps\cconnect folder.)
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 11892592
Hi Simon,

The limited connection share control is a nice clean method of limiting users to a single session, I think. However, without further controls, users could always disconnect from the share before logging on elsewhere, and it's amazing how far users will go to get around the policies admins put in place ;-)

Cheers
Julian
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11892928
I investigated using a file that was written on login and then deleted on logoff - but if the user doesn't logoff correctly or the machine crashes then an admin has to go in and delete the files.

If users are that determined to login at two machines, then a quote springs to mind...

"There are seldom technical solutions to management / behavioural problems".

Simon.
0
 

Author Comment

by:TawVb
ID: 11898438
Thanks all. Such a simple, common task, yet MS does not provide a GPO setting. Disappointing really. Simon, what would be the best way in vbs to check to see if the \\server\%username%$ share cannot be connected to (because max connections are reached)?

Thank you again.
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 11900733
No worries, it is a shame tho. As for the .vbs, as far as I'm aware the way this works in whatever script type you do it is that the logon script attempts to connect to the share. If you get an error (as the max connections is exceeded and access is denied) then the user is logged off. Just error trapping really. Is that right Simon? If Simon doesn't have an example of this then it wouldn't take long to knock up a vbs example if you need it?

Cheers
Julian
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11901739
Julian has it correct - simple error trapping to cause the script to do something else if the mapping doesn't take.

I don't have a VBS example, but here is one used in a conventional batch file:

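rem Map the user's home share; this fails if the share's connection limit is already reached
net use U: \\fileserver\%username%$
if errorlevel 1 goto logoff
goto continue
:logoff
rem Mapping failed: tell the user why, end the session and stop the script
net send localhost "You are logged in elsewhere. Please log off at the other terminal before trying again."
logoff
goto :eof
:continue
rem Mapping succeeded: point the home drive at the share
setx homedrive "U:"
setx homepath "\"
rem (rest of the script)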

(Source: http://www.amset.info/windows/limit-logins.asp)

Simon.
0
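
The error trapping described in this thread, written as the VBScript the asker requested. This is an added example, not code from the thread or the linked page: the server name, share naming and drive letter are taken from the batch file above, while the event-log entry and the WMI forced logoff are choices made here.

```vbscript
' Added example: VBScript form of the batch logon script above.
' Assumptions: server "fileserver", hidden per-user share "<username>$"
' with a connection limit set on it, and drive letter U:.
Option Explicit

Const HOME_DRIVE = "U:"
Const FILE_SERVER = "fileserver"   ' assumed server name
Const FORCED_LOGOFF = 4            ' Win32Shutdown flag: log off, forced
Const EVENT_WARNING = 2            ' WshShell.LogEvent type: warning

Dim net, shell, sharePath, errNum, errText
Set net = CreateObject("WScript.Network")
Set shell = CreateObject("WScript.Shell")
sharePath = "\\" & FILE_SERVER & "\" & net.UserName & "$"

On Error Resume Next
' Drop any remembered mapping first so a stale U: cannot mask the result.
net.RemoveNetworkDrive HOME_DRIVE, True, True
Err.Clear
net.MapNetworkDrive HOME_DRIVE, sharePath, False
errNum = Err.Number
errText = Err.Description
On Error GoTo 0

If errNum <> 0 Then
    ' Fail closed: any mapping error (limit reached, server unreachable)
    ' ends the session, and the refusal is recorded in the event log.
    shell.LogEvent EVENT_WARNING, "Logon refused for " & net.UserName & _
        ": could not map " & sharePath & " (0x" & Hex(errNum) & " " & errText & ")"
    shell.Popup "You are logged in elsewhere. Please log off at the other " & _
        "terminal before trying again.", 15, "Logon refused", 48
    ForceLogoff
    WScript.Quit 1
End If

' ... rest of the logon script runs only when the share was mapped ...

Sub ForceLogoff()
    ' Log the current user off through WMI instead of relying on logoff.exe.
    Dim wmi, os
    Set wmi = GetObject("winmgmts:{(Shutdown)}!\\.\root\cimv2")
    For Each os In wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")
        os.Win32Shutdown FORCED_LOGOFF
    Next
End Sub
```

Because the script fails closed, an unreachable file server blocks every logon as well, and the logged error code is what distinguishes that case from a reached connection limit. As noted earlier in the thread, a user who disconnects the share after logon frees the slot, so this limits sessions only while the mapping stays in place.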
 
LVL 3

Expert Comment

by:Julian_C
ID: 12578095
Personally I think that, whilst my original answer worked, Sembee's was generally cleaner, and didn't require extra software above a standard install and therefore he's got to get more points than me if they are split.

Cheers
Julian
0
