Active Directory - Limit Concurrent User Logins - TechNet Articles - United States (English) - TechNet Wiki
Table of Contents
Introduction
How does it work?
Requirements
Required Scripts
File Server
Implementation
Creating a GPO for logon script
Create user folders
Cleanup process
Testing the result
Conclusion
See Also
Introduction
User authentication is one of the key principles of Active Directory as a directory service. It is safe to say that if user authentication did not exist in an Active Directory environment, there would be no need for Active Directory in our organization.
Considering this, every day we face new problems and requirements that we need to deal with. Over the years there have been many requests from system administrators and specialists for a feature in Active Directory that lets administrators restrict a user to a single login at a time and prevent multiple concurrent logins from one user account.
There were some solutions to address this issue, such as LimitLogin back in Windows Server 2003, but since today we are no longer dealing with Windows Server 2003 but with Windows Server 2012 R2 or 2016, the old methods are no longer practical.
This guide can be used by administrators who want to limit the logon activity of user accounts and force each account to a single workstation logon at a time.
How does it work?
To fully understand this solution, it is necessary to comprehend the concepts under the hood and know how each element is used to reach the goal. So far the need is clear: we want each user to log on at one single workstation only, and no more.
A user wants to log on to a workstation. After he/she is authenticated by the DC, a flag is written on the file server in a folder whose name is identical to the sAMAccountName of the user. The flag is a simple text file with no content.
The user from the previous step wants to log on to another computer. This could be a friend of the original user who wants to use the user's privileges, or it might be an attacker trying to log on with someone else's credentials. But after being authenticated a second time by AD, he/she is disconnected because, according to the policy, multiple logons are not tolerated.
Now let's consider that the original user has finished his tasks and wants to log off. In this step the original user is logged off, but the flag file remains on the file server. We need to make sure that these 'phantom' flags no longer exist in the folder on the file server, so an internal scheduled process is launched to clear these flags and prepare the environment for the next time the user needs to log on.
Requirements
In every implementation you have to prepare the environment, for example by installing SQL Server or preparing Active Directory. By now you will have understood that this solution, too, has a number of requirements.
Required Scripts
First of all, download the scripts required in this guide using this link. Once you have downloaded the archive, unzip it and you will see 4 sub-folders inside it.
Each of these elements is required to run this solution. We will cover them in their own sections later on.
File Server
This file server will be the repository for our flag files. Keep in mind that it is possible to use the DC itself instead of a separate file server, but since the 'CleanUp' process runs every second as a scheduled task, it is better not to involve your domain controllers, because depending on the size of your environment it can cause performance lag.
Implementation
Creating a GPO for logon script
This GPO configures a logon script; each time the user logs on, the script creates the flag file in the user's folder on the file server. Before using the script you need to customize it for your environment. The parts shown in red in the script should be changed:
As you can see, there are 3 parts in this script which need to be changed. Make the changes as below:
Line 1: Change \\server\Profiles to the shared destination on your file server. We will talk about it in the 'Create user folders' section.
Line 2: Change \\server\Limit to an available shared folder which contains the message that will be presented to users.
Line 3: This line is the same as Line 1; change \\server\Profiles as we did in Line 1.
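The following is an added example of a logon script for the flag-file scheme described above; it is not the article's LimitLogin.ps1. The two share paths are the article's Line 1/3 and Line 2 values; the flag file name, the message file name and the 10-second rewrite interval are assumptions made for this example.

```powershell
# Added example (not the article's LimitLogin.ps1): logon script for the flag-file scheme.
# Share paths come from the article; the flag/message file names and the 10-second
# rewrite interval are assumptions made for this example.
$ProfileShare = '\\server\Profiles'                        # Line 1 and Line 3 in the article
$MessageShare = '\\server\Limit'                           # Line 2 in the article
$UserFolder   = Join-Path $ProfileShare $env:USERNAME      # folder named after the sAMAccountName
$FlagFile     = Join-Path $UserFolder 'logon.flag'         # assumed name of the empty flag file
$MessageFile  = Join-Path $MessageShare 'message.txt'      # assumed name of the user-facing message

if (-not (Test-Path -LiteralPath $UserFolder -PathType Container)) {
    # The folder-creation task has not run for this account yet; nothing can be enforced.
    Write-Warning "No flag folder for $env:USERNAME under $ProfileShare"
    exit 1
}

if (Test-Path -LiteralPath $FlagFile -PathType Leaf) {
    # A flag is present: another session of this account is active, or a phantom flag has not
    # yet been removed by the cleanup task. Either way the policy says: show the message, log off.
    $text = if (Test-Path -LiteralPath $MessageFile -PathType Leaf) {
        Get-Content -LiteralPath $MessageFile -Raw
    } else {
        'Multiple sessions for this account were detected. This session will be logged off.'
    }
    $shell = New-Object -ComObject WScript.Shell
    [void]$shell.Popup($text, 30, 'LimitLogin', 0x30)       # 0x30 = exclamation icon; closes after 30 s
    logoff.exe
    exit 0
}

# First session for this account: create the empty flag, then rewrite it every 10 seconds for
# as long as the session (and therefore this script process) lives. The fresh LastWriteTime is
# what lets a cleanup task tell a live session's flag from a phantom one.
New-Item -Path $FlagFile -ItemType File -Force | Out-Null
while ($true) {
    Start-Sleep -Seconds 10
    New-Item -Path $FlagFile -ItemType File -Force | Out-Null  # recreates it if cleanup removed it
}
```

Because the script stays running for the whole session, the GPO must not be configured to run logon scripts synchronously, or the desktop would wait on it.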
After applying the required changes, follow the steps below to create the GPO:
Name this new GPO "LimitLogin". Actually you can choose whatever name you like, but since we want to keep things simple, I prefer this name.
Now you have to copy 'LimitLogin.ps1' to the folder which pops up on the screen, then close the window.
Now that you have copied the file, click the 'Add' button, select the 'LimitLogin.ps1' script and add it to the window by clicking 'OK'.
As a final step, link the GPO you created to the OU containing the user accounts.
Create user folders
The only problem is that users may be added to Active Directory every hour, and we do not want to spend time creating user folders by hand. Therefore this script searches the path for missing user folders and creates them immediately.
Since we need to edit this script to make it applicable to our environment, make sure that the paths below are set correctly:
Now we can move to the next part: scheduling the user folder creation.
First we need to install the AD PowerShell module feature on the server. Open a PowerShell console, type Install-WindowsFeature RSAT-AD-PowerShell and hit Enter.
Right after that, start the 'Task Scheduler' MMC and choose 'Create Task' by right-clicking the main section.
On the 'General' tab, make sure that 'Run whether user is logged on or not' is selected.
In the 'New Trigger' window, configure the task to repeat every 15 minutes and click 'OK'.
On the next tab, 'Actions', add the script which does the folder creation: click 'New' and add the script.
Finally, on the 'Settings' tab, configure the task to be stopped if it has been running for more than an hour.
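As an added example (not the article's folder-creation script), the script below creates the per-user flag folders and, when run once with -RegisterTask, registers the 15-minute task described in the steps above from PowerShell. The share path is the article's; the script location, task name, account filter and the per-folder ACL are assumptions made for this example.

```powershell
# Added example (not the article's script): create missing per-user flag folders and
# optionally register the scheduled task. Share path is the article's; the script path,
# task name, account filter and the per-folder ACL are assumptions for this example.
param([switch]$RegisterTask)                         # run once with -RegisterTask to schedule it
Import-Module ActiveDirectory                        # from the RSAT-AD-PowerShell feature installed above

$ProfileShare = '\\server\Profiles'
$ScriptPath   = 'C:\Scripts\Create-UserFolders.ps1'  # assumed location of this file on the file server
$TaskName     = 'LimitLogin-CreateUserFolders'       # assumed task name

function New-UserFlagFolders {
    param([string]$Share)
    # Only enabled accounts need a folder; disabled accounts cannot log on anyway.
    foreach ($user in Get-ADUser -Filter 'Enabled -eq $true') {
        $folder = Join-Path $Share $user.SamAccountName
        if (Test-Path -LiteralPath $folder -PathType Container) { continue }
        New-Item -Path $folder -ItemType Directory | Out-Null
        # Least privilege (an assumption, not from the article): the user may create and rewrite
        # flag files in their own folder only, so one account cannot clear another's flag.
        $acl  = Get-Acl -LiteralPath $folder
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            "$env:USERDOMAIN\$($user.SamAccountName)", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $folder -AclObject $acl
        Write-Output "Created $folder"
    }
}

if ($RegisterTask) {
    # Same settings as the Task Scheduler steps above: run whether the user is logged on or not
    # (stored credentials), repeat every 15 minutes, stop the task if it runs longer than an hour.
    $cred     = Get-Credential -Message 'Account that will run the folder-creation task'
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # On Windows Server 2012 R2 the trigger also needs -RepetitionDuration ([TimeSpan]::MaxValue).
    $trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null
} else {
    New-UserFlagFolders -Share $ProfileShare
}
```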
Cleanup process
In our solution we saw that a simple txt file can be used to limit the number of logins a user can have, and so far we have talked about how this process happens. As you may guess, over time we need to make sure there are no phantom text files in a user folder, because if there are, the user will not be able to log in because of a text file that belongs to no active session.
To fix that, we need to delete the text file for each user on a short schedule. What we will do is create a task which deletes all the text files in the folder of every single user account. You may ask: if we delete the text files, how will the logon script work in their absence? The answer is simple! The logon script actually overwrites the text file every 10 seconds. Let's make this clear with an example:
After all the explanation, we need to create our cleanup process. But before that, do not forget to change the script just like in the previous steps:
Name the task whatever you like, but make sure that the settings below are configured properly.
On the 'Triggers' tab, click 'New' and follow the next image for the configuration.
And on the 'Actions' tab, add the script which is needed for the cleanup process, according to the images.
On the final tab, leave the following check boxes empty.
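The following cleanup script is an added example and not the article's own. The article's task removes every text file and relies on the logon script rewriting its flag every 10 seconds; this version removes only flags that have not been rewritten within an assumed 30-second window (three missed rewrites), so a live session's flag is never deleted between two rewrites. The share path is the article's; the flag file name, the window and the log file are assumptions.

```powershell
# Added example (not the article's cleanup script). Removes phantom flags: files that the
# logon script has stopped rewriting. Share path is the article's; the flag name, the
# 30-second staleness window and the log file are assumptions for this example.
$ProfileShare  = '\\server\Profiles'
$FlagName      = 'logon.flag'                                 # must match the logon script
$MaxAgeSeconds = 30                                           # three missed 10-second rewrites
$LogFile       = 'C:\Scripts\LimitLogin-cleanup.log'          # assumed audit trail of removed flags

function Remove-StaleLogonFlags {
    param([string]$Share, [string]$Flag, [int]$MaxAge)
    $cutoff  = (Get-Date).AddSeconds(-$MaxAge)
    $removed = @()
    foreach ($folder in Get-ChildItem -LiteralPath $Share -Directory) {
        $flagPath = Join-Path $folder.FullName $Flag
        $item = Get-Item -LiteralPath $flagPath -ErrorAction SilentlyContinue
        if (-not $item) { continue }                         # no session, nothing to clean
        if ($item.LastWriteTime -gt $cutoff) { continue }    # rewritten recently: live session
        try {
            Remove-Item -LiteralPath $flagPath -Force -ErrorAction Stop
            $removed += $folder.Name
        } catch {
            Write-Warning "Could not remove $flagPath : $_"
        }
    }
    return $removed
}

# The article runs the cleanup every second; looping inside one long-running task instance
# avoids starting a new powershell.exe every second. Stop the scheduled task to end the loop.
while ($true) {
    $stale = Remove-StaleLogonFlags -Share $ProfileShare -Flag $FlagName -MaxAge $MaxAgeSeconds
    foreach ($name in $stale) {
        # A removed flag means a session ended (or a workstation dropped) without tidying up;
        # keep a record so repeated phantoms for one account can be investigated.
        "$(Get-Date -Format s) removed phantom flag for $name" | Add-Content -LiteralPath $LogFile
    }
    Start-Sleep -Seconds 1
}
```

The task that runs this script needs read and delete rights on the share but no logon rights on workstations, so it should run under a dedicated service account rather than a domain administrator.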
Testing the result
OK, now everything is in place to test the result. All you have to do is log in with a single user account from two different workstations. If you have configured everything correctly, the second PC will be logged off automatically after a message pops up informing the user that multiple sessions have been detected.
Conclusion
As we have already mentioned, the feature of blocking concurrent connections in Active Directory has been requested for quite a long time, but since there is no built-in feature to address this problem, in this article we described a solution to achieve this goal.