General discussion

W2K3 - Limiting Concurrent Logins

By reinhardt ·
As you may or may not know, MS decided to leave out of Windows Server 2003 any type of control mechanism for concurrent user logins. There is no method (that we have been able to find) to prevent a user from logging in on more than one machine at a time. This is a security issue in that employees who come in on the weekend and bring their children with them can log on to another machine as well as their own and let the kiddies "play". Since all users have admin rights on workstations you can see this would be a problem. Has anyone dealt with this situation and come up with an answer? We tried using the information in KB-237282 but it didn't work. And an MCSE advised against using Cconnect.exe from Windows 2000 (KB-260364), though we're not sure why; perhaps he just didn't want to recommend an untried solution. So where does that leave us? Any tried and true solutions would be appreciated.

5 total posts (Page 1 of 1)  

by jbaker In reply to W2K3 - Limiting Concurren ...

Why do all users have admin rights on the workstation? That in and of itself is a security no-no more serious than concurrent logins.

Try this:

by jbaker In reply to W2K3 - Limiting Concurren ...

To implement concurrent logon restrictions, follow these steps:

1. Create and share a folder on a server for each user who you want to apply log on restrictions to (if you are not using existing shares).
To do so:
a. Start Windows Explorer.
b. In the Folders list, click the folder where you want to create your new shared folder (for example, Documents and Settings).
c. On the File menu, point to New, and then click Folder. Type a name for the folder, and then press ENTER.
d. Right-click the new folder (or the folder that you want to share), and then click Sharing.
e. Click Share this folder.
f. Under User limit, click Allow. In the Users dialog box, type the number of concurrent logon sessions that you want to limit the user to.

2. Create a logon script.
a. Use a text editor to create the following batch file:

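rem Drop any existing mapping so the test below reflects this logon only.
net use T: /delete
rem Mapping the share takes one of its allowed connections (the User limit).
net use T: \\<Servername>\<sharename>
rem The drive exists only if the share still had a free connection.
if exist T: goto end
if not exist T: goto logout
:logout
rem Limit reached: log this session off without prompting.
echo Y | logoff.exe
:end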

b. Save the file with a .bat extension in the Netlogon share of the domain controller.
c. To restrict concurrent logons for specific user accounts, use this logon script or incorporate the script in an existing logon script.

Note This example uses drive T. You can substitute any drive letter for "T." Also, if you specify the user's home folder, you can use the %USERNAME% environment variable instead of the share name.

3. Copy the Logoff.exe tool from the Windows 2000 Server Resource Kit, and then copy the logon script that you just created to the domain controller's Netlogon share.
When a user tries to connect to the restricted share, the user will be automatically logged off the computer.

Try the Technical Q&A forum.

by deepsand In reply to W2K3 - Limiting Concurren ...

This is a tech. problem, in search of a solution.

It properly belongs in "Technical Q&A," not in "Discussions." Please re-post there.

Not only will you be more likely to attract the attention of those seeking to provide answers, but you will also make it easier for those seeking discussions to find such.

Thank you.

the best choice

by ugadata In reply to Try the Technical Q&A for ...

This isn't exactly limiting the concurrent logins but it is close.
You can limit the workstations a user can log on to, which can sort of achieve the same results you want. If users are only allowed to log on to one workstation, it would in effect be the same as not allowing them concurrent logons. Obviously, if users are allowed to log on to 2 or more workstations they could be concurrently logged in to the network more than once.

The option to limit the workstations a user can log on to can be found in the user's properties under Active Directory Users and Computers. Once the user's properties dialog box is open, click on the ACCOUNT tab and in the middle of the page is a button "Log On To...". Clicking on this button will open another dialog box for entering the workstations that user is allowed to log on to. By default it is set to All Computers.

I'm looking at a W2K3 server for this description but it is similar for a W2K server. I believe it is also available under NT 4.0 as well.

I hope this is helpful to you.

Limiting Concurrent Logins

by pcmatt77 In reply to W2K3 - Limiting Concurren ...

http://www.ServerBoss.com

Costs a few bucks but is well supported and provides logon limits by user, server, domain, groups, etc.
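
The replies above all try to prevent a second logon. As a complementary check, the following added example (not posted by anyone in this thread) detects the condition the original post describes: one account holding sessions on more than one workstation at the same time. The record format, user names and workstation names are constructed for illustration; real logon/logoff events exported from the Security event log would first have to be mapped into this shape.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the thread): time, event, user, workstation.
SAMPLE_EVENTS = """\
2005-03-05T09:02:11 LOGON  asmith WS-014
2005-03-05T09:40:37 LOGON  asmith WS-022
2005-03-05T10:15:00 LOGON  bjones WS-031
2005-03-05T11:58:02 LOGOFF asmith WS-022
2005-03-05T12:30:45 LOGOFF asmith WS-014
2005-03-05T12:45:00 LOGOFF bjones WS-031
2005-03-05T13:00:00 LOGON  bjones WS-031
2005-03-05T13:05:00 LOGON  bjones WS-031
"""


def parse_events(text):
    """Return (timestamp, kind, user, workstation) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            stamp, kind, user, host = line.split()
            rows.append((datetime.fromisoformat(stamp), kind.upper(),
                         user.lower(), host.upper()))
    # At equal timestamps "LOGOFF" sorts before "LOGON", so a user who moves
    # from one desk to another in the same second is not flagged.
    return sorted(rows)


def find_concurrent_logons(events, limit=1):
    """Flag each logon that puts a user on more than `limit` workstations."""
    open_sessions = defaultdict(lambda: defaultdict(int))  # user -> host -> count
    findings = []
    for stamp, kind, user, host in events:
        hosts = open_sessions[user]
        if kind == "LOGON":
            hosts[host] += 1
            active = sorted(h for h, n in hosts.items() if n > 0)
            # Only the first session on a host can raise the workstation count.
            if hosts[host] == 1 and len(active) > limit:
                findings.append((stamp.isoformat(), user, tuple(active)))
        elif kind == "LOGOFF" and hosts[host] > 0:
            hosts[host] -= 1  # a logoff with no matching logon is ignored
    return findings


if __name__ == "__main__":
    for when, user, hosts in find_concurrent_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{when} {user} is logged on to {', '.join(hosts)} at once")
```

A repeated logon on the same workstation (bjones in the sample) is deliberately not reported, since it does not put the account on a second machine.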
