immorall Posted April 5, 2006
I was wondering if there was a way to limit a user to be able to log into the domain on one machine at a time. In other words, a user couldn't be logged into one machine and then go log into another machine, thus being logged into the domain twice.
Mr Snrub Posted April 5, 2006
I don't believe AD supports it, and with good reason:
Novell's Directory Service supports that, and it causes a huge amount of problems - if a client machine hangs, or the user logoff event does not occur correctly, or if a machine is hibernated... how does the DS as a whole know that the user should be able to log on elsewhere?
What happens if you have a replication problem between your authentication servers, so one thinks a user is logged on, where another does not?
Unlocking user accounts is something that you have to do a lot with NDS because of this.
Edit: So I was right and wrong: AD doesn't natively support it, you have to extend the schema and use a bolt-on product on IIS.
I still don't like the concept of it though, it's too flawed (easy to bypass, easy to break, possibly without even being aware).
Edited April 5, 2006 by Mr Snrub
Zartach Posted April 5, 2006
I have not heard of a feature like this in AD either, but you can look at confining the user to a specific machine. You can specify on which machines a user can log on to the AD. If you specify only one it basically does what you want, except the user will always have to use the same PC to log in.
Hope it helps,
cluberti Posted April 5, 2006
You guys don't look too hard: http://www.microsoft.com/technet/technetma...ht/default.aspx
Zartach Posted April 5, 2006
Sweet piece of code that, I must have missed that 'cause I honestly had not heard of it being done with AD.
Nice find ;-)
Edited April 5, 2006 by Zartach
ceez Posted April 7, 2006
At work we use a software called "userlock" and currently have it set to allow only 2 logins. Pretty simple to use. In regards to LimitLogin, our IT Director used to use it but says that it wasn't all that reliable. Go figure!
cluberti Posted April 7, 2006
I can vouch that if it's set up correctly (meaning everything in AD is working PROPERLY!), LimitLogin works just fine.
InTheWayBoy Posted April 7, 2006
I was playing with a desktop management application (Desktop Authority), and it looks like it used mapped drive checking to accomplish this. I guess it would check with the server for open sessions to certain shares, and then if it found one it would log off the other logins. Or something like that... just an idea if you are wanting to do it all using scripts.
amfony Posted April 8, 2006
Hello ladies and gentlemen,
I wrote a VBScript version of a pre-conceived cmd script to do just this. This design is based on great logic and I have a much more customised one for my work situation.
My work is currently hosted at computerperformance.co.uk. I'll try and get a link.