• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 643
  • Last Modified:

Limiting simultaneous terminal server logons to prod/non prod

We have 6 production terminal servers that load balance, and several non-prod systems for testing/development/etc.  All are server 2008 R2 standard.  Due to the way our primary line of business app works, if you are logged into a prod and non prod system at the same time, data can be lost or written to the wrong database.  This is obviously not good.

Is there a way to allow a user to log into any of these servers (prod, non prod), but not at the same time?
4 Solutions
There is no way within Windows to do a conditional login that checks sessions on other servers.  The only way you will be able to do something like this is with custom development.  There are scripts that can be written to do it, but the problem is, without administrator rights on the other terminal boxes, the user won't be able to successfully run the script unless you store administrator credentials within the script itself (a security issue, of course).....so this becomes a rather difficult task to accomplish.

To get you started, this code will retrieve a session list.

Set objWMIService = _ 
    GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & _ 
    strComputer & "\root\cimv2")  
Set colComputer = _ 
    objWMIService.ExecQuery("Select * from Win32_LogonSession Where LogonType = 10")

Open in new window

Kiran ChCommented:
Pls give each users two different accounts - one for prod and one for non prod.
If the systems are in domain it will be difficult to have a control like that.
chikran248 has an interesting suggestion.  If we elaborate on this a bit, you could create two accounts for the users, as he/she suggests, and use the "Allow logon through terminal services" and "Deny log on through terminal services" rights in Group Policy to set which servers each account can log into.
UserLock ScreenshotThe solution to your issue is a software called UserLock.

UserLock will (among other access security features) limit or prevent concurrent logins to your Terminal Servers, based on user, user groups, or Organizational Units.

Detailed info and free, fully-functional trial:
IntercareSupportAuthor Commented:
All good ideas.  THanks.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now