AD User Login

I was wondering if there was a way to limit a user to be able to log into the domain on a machine one at a time. In other words, a user couldn't be logged into one machine and then go log into another machine, thus being logged into the domain twice.


I don't believe AD supports it, and with good reason:

Novell's Directory Service supports that, and it causes a huge amount of problems - if a client machine hangs, or the user logoff event does not occur correctly, or if a machine is hibernated... how does the DS as a whole know that the user should be able to logon elsewhere?

What happens if you have a replication problem between your authentication servers, so one thinks a user is logged on, where another does not?

Unlocking user accounts is something that you have to do a lot with NDS because of this.

Edit:

So I was right and wrong ;)

AD doesn't natively support it, you have to extend the schema and use a bolt-on product on IIS.

I still don't like the concept of it though, it's too flawed (easy to bypass, easy to break, possibly without even being aware).

Edited by Mr Snrub

I have not heard of a feature like this in AD either, but you can look at confining the user to a specific machine. You can specify on which machines a user can log on to the AD. If you specify only one it basically does what you want except the user will always have to use the same PC to log in.

Hope it helps,


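The workstation restriction described in the reply above, as an added example that is not part of the original thread. It uses `Set-ADUser -LogonWorkstations` from the ActiveDirectory PowerShell module; the function name `Set-UserLogonWorkstation`, the user `jdoe` and the computer `WKS-0142` are placeholders chosen for illustration.

```powershell
# Added example: confine an AD account to a fixed list of workstations.
# Requires the ActiveDirectory module (RSAT). All names are placeholders.
Import-Module ActiveDirectory

function Set-UserLogonWorkstation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [string[]] $Computer
    )

    foreach ($name in $Computer) {
        # Accept only plain NetBIOS-style names (max 15 characters).
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            throw "'$name' is not a valid computer name."
        }
        # Refuse names with no matching computer object, so a typo
        # cannot leave the user unable to log on anywhere.
        if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
            throw "No computer object named '$name' in the domain."
        }
    }

    # The restriction is stored in the userWorkstations attribute
    # as a comma-separated list of computer names.
    $list = ($Computer | Sort-Object -Unique) -join ','
    if ($PSCmdlet.ShouldProcess($User, "Limit logon to: $list")) {
        Set-ADUser -Identity $User -LogonWorkstations $list
    }

    # Read the value back so the change can be confirmed.
    Get-ADUser -Identity $User -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# Dry run: shows what would change without writing to the directory.
Set-UserLogonWorkstation -User 'jdoe' -Computer 'WKS-0142' -WhatIf
```

With a single computer in the list, the account can only log on at that machine, which gives the one-session effect at the cost of tying the user to one PC.
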
At work we use a software called "userlock" and currently have it to allow only 2 logins. Pretty simple to use.

In regards to the limitlogin, our IT Director used to use it but says that it wasn't all that reliable. Go figure!


I was playing with a desktop management application (Desktop Authority), and it looks like it used mapped drive checking to accomplish this. I guess it would check with the server for open sessions to certain shares, and then if it found one it would log off the other logins. Or something like that...just an idea if you are wanting to do it all using scripts.


Hello ladies and gentlemen,

I wrote a vbscript version of a pre-conceived cmd script to do just this. This design is based on great logic and I have a much more customised one for my work situation.

My work is currently hosted at computerperformance.co.uk. I'll try and get a link.
