
Active Directory: Limit concurrent user logins - TechNet Articles - Unit... https://social.technet.microsoft.com/wiki/contents/articles/37839.active-d...

Table of Contents
Introduction
How does it work?
Requirements
Required Scripts
File Server
Implementation
Creating a GPO for logon script
Create user folders
Cleanup process
Testing the result
Conclusion
See Also

Introduction

User authentication is one of the core functions of Active Directory as a directory service. It is fair to say that an Active Directory environment in which no user authentication takes place has no reason to exist.

With that in mind, new problems and requirements turn up every day and have to be dealt with. Over the years there have been many requests from system administrators and specialists for a feature in Active Directory that lets an administrator restrict a user account to a single logon at a time and prevent multiple concurrent logons with the same account.

There have been solutions for this in the past, such as Limit Login for Windows Server 2003, but since we are no longer dealing with Windows Server 2003 but with Windows Server 2012 R2 or 2016, those older methods are no longer practical.

This guide is for administrators who want to limit the logon activity of user accounts and force each account to a single workstation logon at a time.

How does it work?

To fully understand this solution, it is necessary to grasp the concepts under the hood and how each element is used to reach the goal. The requirement itself is clear: each user may be logged on at one workstation only, and no more.

The original article illustrates the mechanism with a series of images; the steps are as follows.

A user logs on to a workstation. After he or she has been authenticated by the DC, a flag is written on the file server, in a folder whose name is identical to the user's sAMAccountName. The flag is a plain text file with no content.


The same user now logs on to another computer. This could be a friend of the original user who wants to use that user's privileges, or it might be an attacker logging on with someone else's credentials. The second logon is still authenticated by AD, but the session is then disconnected, because according to policy multiple logons are not tolerated.

Now consider that the original user has finished and wants to log off. The user is logged off, but the flag file remains on the file server. We need to make sure these 'phantom' flags do not linger in the user's folder, so an internal scheduled process runs to clear them and prepare the environment for the next time the user logs on.


Requirements

Every implementation needs some preparation of the environment (for other products that might mean installing SQL Server or preparing Active Directory). By now it should be clear that this solution, too, has a number of requirements.

Required Scripts
First, download the scripts required for this guide using this link. Once the download is complete, unzip the archive; you will find four subfolders inside it.


Each of these elements is required to run the solution. They are covered in their own sections below.

File Server
This file server will be the repository for the flag files. It is possible to use a DC itself instead of a separate file server, but since the ‘CleanUp’ process will run every second as a scheduled task, it is better to keep your domain controllers out of it: depending on the size of your environment it can cause performance lag.

Implementing this solution is done in three steps:

1. Creating a GPO for logon script
2. Create user folders
3. Cleanup process

Each step is explained in detail below.


Creating a GPO for logon script

This step covers the GPO part of the solution. Recall that a flag file is created the first time the user is authenticated. The best way to implement the creation of this flag file is through a Group Policy logon script.

The GPO configures a logon script which, each time the user logs on, creates the flag file in the user's folder on the file server. Before using the script you need to customize it for your environment; the parts highlighted in red in the original screenshot must be changed:

There are three parts of this script that need to be changed. Make the changes as follows:

Line 1: Change \\server\Profiles to the share on your file server that holds the user folders. This share is discussed in the ‘Create user folders’ section.
Line 2: Change \\server\Limit to an available share folder which contains the message that will be presented to users.
Line 3: This line is the same as Line 1; change \\server\Profiles as you did in Line 1.
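The script itself appears in the original only as a screenshot, so here is an added example of such a logon script, written for this edit and not taken from the article's download. It assumes the share names \\fs01\Profiles and \\fs01\Limit, a flag file called logon.flag in each user's folder, and a message text in \\fs01\Limit\message.txt; all three are placeholders for your own values. It departs from the article's design in one respect: rather than checking only whether the flag exists, it writes the workstation name into the flag, treats a flag refreshed within the last 30 seconds as a live session, and hands the 10-second refresh to a detached hidden process, because Group Policy stops logon scripts that run past its maximum wait time (600 seconds by default). Be clear about what this does and does not protect against: the script runs as the user, so the user needs Modify rights on their own flag folder and could delete the flag themselves, and nothing here stops someone holding the credentials from using them for network logons (SMB, LDAP and the like) that never trigger a logon script. It is a control against casual or accidental double logons, not a security boundary.

```powershell
# Added example logon script; not the LimitLogin.ps1 from the article's download.
# Placeholders: \\fs01\Profiles (per-user flag folders), \\fs01\Limit (message file).
$FlagRoot    = '\\fs01\Profiles'
$MessageFile = '\\fs01\Limit\message.txt'
$MaxAgeSec   = 30    # a flag refreshed more recently than this counts as a live session
$RefreshSec  = 10    # how often the live session re-stamps its own flag

# USERNAME is the sAMAccountName, which is also the name of the user's folder.
$FlagPath = Join-Path (Join-Path $FlagRoot $env:USERNAME) 'logon.flag'

if (Test-Path -LiteralPath $FlagPath) {
    $flag   = Get-Item -LiteralPath $FlagPath
    $ageSec = ((Get-Date) - $flag.LastWriteTime).TotalSeconds
    $owner  = Get-Content -LiteralPath $FlagPath -TotalCount 1 -ErrorAction SilentlyContinue

    # A fresh flag stamped by a different workstation means a second concurrent logon:
    # tell the user, then log this session off. A stale flag, or one stamped by this
    # same workstation (e.g. a reconnect), is not treated as a second session.
    if ($ageSec -lt $MaxAgeSec -and $owner -ne $env:COMPUTERNAME) {
        $msg = 'You are already logged on elsewhere. This session will be logged off.'
        if (Test-Path -LiteralPath $MessageFile) { $msg = Get-Content -LiteralPath $MessageFile -Raw }
        Add-Type -AssemblyName System.Windows.Forms
        [System.Windows.Forms.MessageBox]::Show($msg, 'LimitLogin') | Out-Null
        & logoff.exe
        exit
    }
}

# First (or only) logon: stamp the flag now, then keep it fresh from a detached hidden
# process. The loop cannot live in this script, because Group Policy stops logon scripts
# that exceed its maximum wait time. The helper process dies with the session, so the
# flag goes stale once the user logs off and the cleanup task can remove it.
Set-Content -LiteralPath $FlagPath -Value $env:COMPUTERNAME -Force
$loop = "while (`$true) { Start-Sleep -Seconds $RefreshSec; " +
        "Set-Content -LiteralPath '$FlagPath' -Value '$env:COMPUTERNAME' -Force -ErrorAction SilentlyContinue }"
# -EncodedCommand expects base64 of UTF-16LE, which is what [Text.Encoding]::Unicode produces.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($loop))
Start-Process -FilePath powershell.exe -WindowStyle Hidden `
    -ArgumentList '-NoProfile', '-NonInteractive', '-WindowStyle', 'Hidden', '-EncodedCommand', $encoded
```

Choose $MaxAgeSec comfortably larger than $RefreshSec so that a slow file server or a busy workstation does not make a live session look stale; 30 seconds against a 10-second refresh leaves two missed refreshes of slack.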


After applying the required changes, follow the steps below to create the GPO:

Open GPMC and create a new GPO.

Name the new GPO ‘LimitLogin’. You can choose whatever name you like, but to keep things simple I prefer this name.

Navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double-click ‘Logon’.

Select the ‘PowerShell Scripts’ tab and click ‘Show Files’.


Copy ‘LimitLogin.ps1’ into the folder that opens, then close the window.

Now that the file is in place, click the ‘Add’ button, select the ‘LimitLogin.ps1’ script and add it by clicking ‘OK’.


As a final step, link the GPO you created to the OU containing the user accounts.


Create user folders

This is the step where you create a folder for each user. Each folder holds that user's flag file. Since the path is used in the logon script and each user must be able to write only to their own flag file, the folders are named after the user's ‘samaccountname’.

The only problem is that new users may be added to Active Directory every hour, and we do not want to spend time creating user folders by hand. This script therefore searches the path for missing user folders and creates them immediately.

This script, too, needs editing for your environment; make sure the paths in it (highlighted in the original screenshot) are set correctly:
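The folder-creation script is also only shown as a screenshot. The following is an added example of what it needs to do, written for this edit rather than taken from the download. It assumes the flag share \\fs01\Profiles, the NetBIOS domain CORP and an OU path OU=Staff,DC=corp,DC=example; all are placeholders. Besides creating the missing folders it sets the NTFS ACL so that each user gets Modify rights on their own folder only, which the logon script needs for writing the flag; the share root itself should grant ordinary users no more than read and list, so that nobody can delete another user's flag.

```powershell
# Added example folder-creation script; not the article's. Placeholders: the share
# \\fs01\Profiles, the NetBIOS domain CORP and the OU OU=Staff,DC=corp,DC=example.
Import-Module ActiveDirectory

$FlagRoot   = '\\fs01\Profiles'
$Domain     = 'CORP'
$SearchBase = 'OU=Staff,DC=corp,DC=example'

function New-UserFlagFolder {
    param([string]$SamAccountName)
    $folder = Join-Path $FlagRoot $SamAccountName
    if (Test-Path -LiteralPath $folder) { return $false }   # already provisioned
    New-Item -ItemType Directory -Path $folder | Out-Null

    # Give this user Modify on their own folder (and the flag inside it) only. Other
    # users get whatever the share root passes down by inheritance, which should be no
    # more than read/list, so nobody can delete someone else's flag.
    $acl  = Get-Acl -LiteralPath $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "$Domain\$SamAccountName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl
    return $true
}

# Only enabled accounts in the scoped OU need a folder; disabled accounts never log on.
$created = 0
foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    if (New-UserFlagFolder -SamAccountName $user.SamAccountName) {
        $created++
        Write-Output "created folder for $($user.SamAccountName)"
    }
}
Write-Output "$(Get-Date -Format s) $created new folder(s)"
```

Run this under the same account as the scheduled task that will execute it, so that the ACLs it writes are the ones the task can actually set; that account needs Modify on the flag share and read access to the OU, nothing more.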

Now we can move to the next part of scheduling user folder creation.

First, install the AD PowerShell module on the server that will run the task: open a PowerShell console, type Install-WindowsFeature RSAT-AD-PowerShell and press Enter.

Right after, start ‘Task Scheduler’ mmc and choose ‘Create task’ by right-clicking the main section.


On the ‘General’ tab, make sure that ‘Run whether user is logged on or not’ is selected.

On the ‘Triggers’ tab, click ‘New’.

In the ‘New Trigger’ window, configure the task to repeat every 15 minutes and click ‘OK’.


On the next tab, ‘Actions’, add the script that does the folder creation: click ‘New’ and add the script.


Finally, on the ‘Settings’ tab, configure the task to be stopped if it runs for longer than an hour.


Cleanup process
We have seen that a simple text file can be used to limit the number of logons a user may have, and so far we have described how that process works. As you may guess, over time we must make sure there are no phantom text files left in a user's folder, because otherwise the user will be unable to log on due to a text file that no longer belongs to any session.

To fix that, we delete the text file of each user on a short schedule: a task deletes all the text files in every user's folder. You may ask how the logon script can work if the text files keep being deleted. The answer is simple: the logon script re-creates the text file every 10 seconds. Note the timing this implies: with deletion every second and re-creation every 10 seconds, the flag is absent for most of each interval, so a second logon that only checks whether the file exists can slip through in that gap. Checking the flag's last-write time instead of its mere presence, and deleting only flags older than a threshold, closes the gap. Let's make the intended behaviour clear with an example:

1. User A logs on.
2. A text file is created.
3. The cleanup script deletes all text files.
4. The text file for user A is created again.
5. The cleanup process repeats.
6. The text file for user A is created again.
7. User A logs off.
8. The cleanup process deletes all text files.
9. Since the user has logged off, the logon script no longer applies and the user folder remains empty.
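The cleanup script is likewise only shown as a screenshot. The following added example, written for this edit and not taken from the download, assumes the flag share \\fs01\Profiles and the flag name logon.flag; both are placeholders. It differs from the delete-everything approach described above: it removes a flag only when its last-write time is older than 30 seconds, so a flag that a live session re-stamps every 10 seconds is never missing, while a flag left behind by a logged-off session is gone within about half a minute. Because Task Scheduler cannot trigger more often than once a minute, the script sweeps once per second for just under a minute and then exits, ready for the next trigger.

```powershell
# Added example cleanup script; not the article's. Placeholder share \\fs01\Profiles.
$FlagRoot  = '\\fs01\Profiles'
$FlagName  = 'logon.flag'
$MaxAgeSec = 30   # must be comfortably larger than the logon script's 10 s refresh
$RunForSec = 55   # sweep once a second for just under the task's 1-minute trigger

function Remove-StaleFlags {
    param([string]$Root, [string]$Name, [int]$MaxAge)
    $cutoff  = (Get-Date).AddSeconds(-$MaxAge)
    $removed = @()
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $flag = Join-Path $dir.FullName $Name
        if (-not (Test-Path -LiteralPath $flag)) { continue }
        # A flag that is still being re-stamped belongs to a live session: leave it alone.
        if ((Get-Item -LiteralPath $flag).LastWriteTime -ge $cutoff) { continue }
        Remove-Item -LiteralPath $flag -Force -ErrorAction SilentlyContinue
        $removed += $dir.Name
    }
    return $removed
}

$stopAt = (Get-Date).AddSeconds($RunForSec)
while ((Get-Date) -lt $stopAt) {
    foreach ($user in Remove-StaleFlags -Root $FlagRoot -Name $FlagName -MaxAge $MaxAgeSec) {
        Write-Output "$(Get-Date -Format s) removed stale flag for $user"
    }
    Start-Sleep -Seconds 1
}
```

The last-write time is compared on the machine running this task, so keep its clock and the file server's in sync (running the task on the file server itself, as the article suggests, makes that a non-issue).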

With the explanation out of the way, we need to create the cleanup task. Before that, do not forget to edit the script as in the previous steps:

Now apply the rest of the configuration.

Once more, open ‘Task Scheduler’ to create a new task.

Name the task whatever you like, but make sure the settings below are configured properly.

On the ‘Triggers’ tab, click ‘New’ and follow the next image for the configuration.


On the ‘Actions’ tab, add the script needed for the cleanup process, as shown in the images.


On the final tab, leave the check boxes shown in the screenshot unchecked.
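The two scheduled tasks above are created in the Task Scheduler GUI. As an added example (not part of the article), the following registers both of them from PowerShell with the same settings: ‘Run whether user is logged on or not’, the 15-minute and 1-minute repetitions, and the stop-after-one-hour limit for the folder-creation task. It assumes the scripts live in C:\LimitLogin as Create-UserFolders.ps1 and Cleanup-Flags.ps1 and that a group managed service account CORP\gmsa-limit$ exists with Modify rights on the flag share; all of these names are placeholders. Whatever account you use, give it Modify on the flag share and nothing more; do not run these tasks as a domain administrator.

```powershell
# Added example: registers the two tasks from PowerShell; not part of the article.
# Placeholders: C:\LimitLogin (script folder) and CORP\gmsa-limit$ (a gMSA that has
# Modify on the flag share, and nothing more).
$ScriptDir = 'C:\LimitLogin'

# -LogonType Password is what "Run whether user is logged on or not" sets; with a
# gMSA there is no password to store or rotate.
$Principal = New-ScheduledTaskPrincipal -UserId 'CORP\gmsa-limit$' -LogonType Password -RunLevel Limited

function Register-LimitLoginTask {
    param(
        [string]   $Name,
        [string]   $Script,
        [int]      $EveryMinutes,
        [timespan] $TimeLimit
    )
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptDir\$Script`""
    # Repeat from now on; an explicit RepetitionDuration works on every supported version.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Minutes $EveryMinutes) `
        -RepetitionDuration (New-TimeSpan -Days 3650)
    # Stop a run that exceeds the limit; never start a second instance beside a running one.
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit $TimeLimit `
        -MultipleInstances IgnoreNew -StartWhenAvailable
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Settings $settings -Principal $Principal -Force
}

# Folder creation: every 15 minutes, stopped if it runs longer than an hour.
Register-LimitLoginTask -Name 'LimitLogin-CreateUserFolders' -Script 'Create-UserFolders.ps1' `
    -EveryMinutes 15 -TimeLimit (New-TimeSpan -Hours 1)
# Cleanup: every minute; the script itself sweeps once per second within that minute.
Register-LimitLoginTask -Name 'LimitLogin-Cleanup' -Script 'Cleanup-Flags.ps1' `
    -EveryMinutes 1 -TimeLimit (New-TimeSpan -Minutes 5)
```

Run this once, elevated, on the server that hosts the scripts; Get-ScheduledTask -TaskName 'LimitLogin-*' afterwards shows both tasks and their state.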


Testing the result

Now everything is in place to test the result. All you have to do is to log on with a single user account from two different workstations. If you have configured everything correctly, the second PC is logged off automatically after a message pops up to inform the user that multiple sessions have been detected.


Conclusion

As mentioned earlier, a feature to block concurrent logons in Active Directory has been requested for a long time. Since there is no built-in feature for it, this article has described a solution for achieving that goal.

See Also

Script: Limit concurrent logins in Active Directory
Limit the number of session per user to 1 using active directory in win 2K8 R2
HOW TO: Limit User Logon Time in a Domain in Windows Server 2003
Restrict Multiple logon in Active Directory Domain
Limit Concurrent Windows Logon Sessions
