Limiting simultaneous terminal server logons to prod/non prod

Posted on 2012-08-30
Last Modified: 2012-09-05
We have 6 production terminal servers that load balance, and several non-prod systems for testing/development/etc.  All are server 2008 R2 standard.  Due to the way our primary line of business app works, if you are logged into a prod and non prod system at the same time, data can be lost or written to the wrong database.  This is obviously not good.

Is there a way to allow a user to log into any of these servers (prod, non prod), but not at the same time?
Question by:IntercareSupport
    LVL 6

    Assisted Solution

    There is no way within Windows to do a conditional login that checks sessions on other servers.  The only way you will be able to do something like this is with custom development.  There are scripts that can be written to do it, but the problem is, without administrator rights on the other terminal boxes, the user won't be able to successfully run the script unless you store administrator credentials within the script itself (a security issue, of course) this becomes a rather difficult task to accomplish.

    To get you started, this code will retrieve a session list.

    Set objWMIService = _ 
        GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & _ 
        strComputer & "\root\cimv2")  
    Set colComputer = _ 
        objWMIService.ExecQuery("Select * from Win32_LogonSession Where LogonType = 10")

    Open in new window

    LVL 6

    Assisted Solution

    by:Kiran Ch
    Pls give each users two different accounts - one for prod and one for non prod.
    If the systems are in domain it will be difficult to have a control like that.
    LVL 6

    Assisted Solution

    chikran248 has an interesting suggestion.  If we elaborate on this a bit, you could create two accounts for the users, as he/she suggests, and use the "Allow logon through terminal services" and "Deny log on through terminal services" rights in Group Policy to set which servers each account can log into.
    LVL 4

    Accepted Solution

    UserLock ScreenshotThe solution to your issue is a software called UserLock.

    UserLock will (among other access security features) limit or prevent concurrent logins to your Terminal Servers, based on user, user groups, or Organizational Units.

    Detailed info and free, fully-functional trial:

    Author Closing Comment

    All good ideas.  THanks.

    Featured Post

    Gigs: Get Your Project Delivered by an Expert

    Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

    Join & Write a Comment

    Several part series to implement Internet Explorer 11 Enterprise Mode
    A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
    This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
    This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now