Solved

User Logons: Windows Domain

Posted on 2004-08-25
Last Modified: 2010-04-11
Hello,

I would like to allow the users in my win2k server/xp client domain to only be allowed to log on to any one workstation at a time. I am not using terminal services; it is just a standard server/client setup with AD. E.g. if I have a user account called student07, I don't want him to be able to log onto PC01 and PC02 at the same time. Is this a GPO setting or an AD Users and Computers setting? Where do I find it on WIN2K server?

Thanks
Question by:TawVb
11 Comments
 
LVL 3

Assisted Solution

by:Julian_C
Julian_C earned 50 total points
Hi

I'm very sorry to say that this is not possible with an "out of the box" win2k installation. You can achieve something like this using the resource kit tool cconnect.exe, but this uses a database to keep track of logons, and I've read lots of reports that it doesn't handle logoff very well and it is easy to get yourself prevented from logging in at all.

Sorry to bear the bad news.

Cheers
Julian
 
0
 
LVL 3

Expert Comment

by:Julian_C
Check out the following for the lowdown:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q237282

Cheers
Julian
0
 
LVL 104

Accepted Solution

by:
Sembee earned 75 total points
The other way that you can do it - if each user has their own share - is to limit the number of connections to each share. Run a login script that checks for a successful connection to the share and logs off again if the connection fails (because the user is already connected).

Simon.
0
 
LVL 6

Expert Comment

by:vand
Quote from WINNT Magazine

The good news is that you can use the Microsoft Windows 2000 Server Resource Kit's Con-Current Connection Limiter utility (cconnect.exe) to restrict concurrent user logons. The bad news is that the tool has a somewhat involved installation procedure. You must install cconnect.exe on each of your Win2K and Windows NT 4.0 Service Pack 4 (SP4) or later clients (the utility doesn't support pre-SP4 NT, Windows Me, or Windows 9x clients). Furthermore, to successfully run Cconnect, your NT clients must also run Microsoft Data Access Components (MDAC) 2.0, Windows Script Host (WSH), and Web-Based Enterprise Management (WBEM). And you must set up a Microsoft SQL Server 6.5 or later database in which cconnect.exe will store data.

Setting up Cconnect takes a bit of effort, but the rewards make the trouble worthwhile. This versatile utility includes several components, including logon and logoff VBScript scripts and batch files, a client-side executable and setup utility, an administrative console and setup utility, documentation, and other assorted files. The tool's features not only let you limit concurrent connections on a per-user basis but also let you list the computers and logon servers that users are logged on to, save the lists to a file for further examination, determine how many users are logged on to a domain controller (DC), force logoffs when users reach the concurrent-connections limit, identify an improper shutdown and lock the system so that only the most recent user can log back on, debug the tool, and write events concerning the tool's status to a specified server's event log.

Cconnect.exe includes the cconnect.adm file, which you can use in conjunction with Win2K Group Policy and NT 4.0 System Policy to configure the tool's settings. One of these settings is cconnect.exe's SQL Server connection information. You must use the .adm file to supply certain SQL Server logon credentials (i.e., your SQL Server system name and a SQL Server username and password) so that the utility can access the SQL Server database in which it stores information. (Optionally, you can enter this information in the registry or you can enter the information manually, as Figure 1 shows, the first time you run cconnect.exe on each client. For detailed information about installing, configuring, and administering cconnect.exe, refer to the cconnect.doc file, which resides along with the utility's other components in the resource kit CD-ROM's \apps\cconnect folder.)
0
 
LVL 3

Expert Comment

by:Julian_C
Hi Simon,

The limited connection share control is a nice clean method of limiting users to a single session, I think. However, without further controls, users could always disconnect from the share before logging on elsewhere, and it's amazing how far users will go to get around the policies admins put in place ;-)

Cheers
Julian
0
 
LVL 104

Expert Comment

by:Sembee
I investigated using a file that was written on login and then deleted on logoff - but if the user doesn't logoff correctly or the machine crashes then an admin has to go in and delete the files.

If users are that determined to login at two machines, then a quote springs to mind...

"There are seldom technical solutions to management / behavioural problems".

Simon.
0
 

Author Comment

by:TawVb
Thanks all. Such a simple common task, yet MS does not provide a GPO setting. Disappointing really. Simon, what would be the best way in vbs to check to see if the \\server\%username%$ share cannot be connected to (because max connections are reached)?

Thank you again.
0
 
LVL 3

Expert Comment

by:Julian_C
No worries, it is a shame tho. As for the .vbs, as far as I'm aware the way this works in whatever script type you do it is that the logon script attempts to connect to the share. If you get an error (as the max connections is exceeded and access is denied) then the user is logged off. Just error trapping really. Is that right Simon? If Simon doesn't have an example of this then it wouldn't take long to knock up a vbs example if you need it?

Cheers
Julian
0
 
LVL 104

Expert Comment

by:Sembee
Julian has it correct - simple error trapping to cause the script to do something else if the mapping doesn't take.

I don't have a VBS example, but here is one used in a conventional batch file:

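rem Map the user's home share; this fails if the share's connection limit is already reached
net use U: \\fileserver\%username%$
if errorlevel 1 goto logoff
goto continue
:logoff
net send localhost "You are logged in elsewhere. Please log off at the other terminal before trying again."
logoff
rem Stop here so the rest of the script does not run while the logoff is in progress
goto :eof
:continue
setx homedrive "U:"
setx homepath "\"
rem (rest of the script)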

(Source: http://www.amset.info/windows/limit-logins.asp)

Simon.
0
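A VBScript form of the batch logon script above, as an added example that is not code from the thread's participants or the linked source. It assumes the same \\fileserver\%username%$ share with its user limit set to 1; treating Win32 error 71 (0x80070047) as "connection limit reached", clearing a remembered U: mapping first, and logging off through WMI rather than logoff.exe are choices made for this example.

```vbscript
' Added example: logon script that maps the per-user share and logs off on failure.
' Assumption: share is \\fileserver\<username>$ with "Allow this number of users" = 1.
Option Explicit

Const DRIVE = "U:"
Const ERR_SHARE_FULL = &H80070047  ' assumed: Win32 error 71, no more connections accepted
Const LOGOFF = 0                   ' Win32Shutdown flag for a normal logoff

Dim objNet, objShell, strShare, lngErr
Set objNet = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
strShare = "\\fileserver\" & objNet.UserName & "$"

On Error Resume Next
' Drop any remembered mapping so "device already in use" is not
' mistaken for a second logon.
objNet.RemoveNetworkDrive DRIVE, True, True
Err.Clear
objNet.MapNetworkDrive DRIVE, strShare, False
lngErr = Err.Number
On Error GoTo 0

If lngErr = 0 Then
    ' Share mapped: this is the only session. Continue with the rest of the script.
ElseIf lngErr = ERR_SHARE_FULL Then
    objShell.Popup "You are logged in elsewhere. Please log off at the other " & _
        "terminal before trying again.", 15, "Logon refused", 48
    LogOffUser
Else
    ' Any other failure (server down, access denied): fail closed like the
    ' batch version, but show the error code so the help desk can tell them apart.
    objShell.Popup "Could not connect to " & strShare & " (error 0x" & _
        Hex(lngErr) & ").", 15, "Logon refused", 16
    LogOffUser
End If

Sub LogOffUser()
    Dim objWmi, objOS
    Set objWmi = GetObject( _
        "winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\.\root\cimv2")
    For Each objOS In objWmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")
        objOS.Win32Shutdown LOGOFF
    Next
End Sub
```

As Julian notes earlier in the thread, the limit only holds while the first session keeps its connection to the share open.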
 
LVL 3

Expert Comment

by:Julian_C
Personally I think that, whilst my original answer worked, Sembee's was generally cleaner, and didn't require extra software above a standard install and therefore he's got to get more points than me if they are split.

Cheers
Julian
0
