Active Directory: Limit concurrent user logins

Mahdi posted this 06 May 2017

Greetings guys!

As you know, one of the limitations in AD is the lack of feature in order to prevent someone’s concurrent connections. It means, a user can have hundreds of logins to hundreds of computers and there is no feature to block it.

Recently, I was thinking about these type of limitations and I tried to overcome this problem. So I wrote a new version of “LimitLogin” which works on all sort of Windows platforms as long as you have PowerShell installed. This package will help you to limit concurrent user logins and force them to have a single session at a time.

The scripts have been uploaded to TechNet Gallery, and so far this solution has worked for me in two environments. I would like you guys to test this solution and see if it is applicable in your environment. I have also provided a guide in order to make things much simpler for you. You can find the guide and scripts here:


Feel free to tell me about the problems and suggestions, so I can improve it. :)

Regards.
Mahdi

Icolan posted this 07 May 2017

In your requirements you mention preparing the environment "like installing SQL server", but you do not actually have a SQL server; you should probably only talk about requirements your solution has, so as not to confuse people.
Why create sub-folders for every user? Why not simply name the file based on the user's samAccountName? No folders to delete or create when users are hired or when they leave, no scheduled task running regularly to create an empty folder.
In a large environment, creating flag files every time a user logs on and every 10 seconds after, and running a process to delete those files every second, could overwhelm the file server. SQL server may be a better approach for large environments.



g4ugm posted this 07 May 2017

Am I right in thinking the logon script runs continually in the background creating files, while the service on the DC continually deletes them? What happens if the server or share is offline or unreachable? Why do you distribute as a RAR file, which needs extra tools to extract? Can you log on with cached credentials (i.e. pull the plug out of the network interface)? Dave


Mahdi posted this 08 May 2017

Thanks for the tips! I will consider them all gladly for the new version!

@Icolan you mention really good points, so I can keep working on it to improve it. Thanks!

  • You are right about the folder part; it is good to place all text files in one folder instead of separate folders, but I thought maybe later I would add more features or create other methods to control many other things which need separate folders, so I approached it using this method. What you say is totally right, but I wanted to be flexible in future if I wanted to expand these folders for other uses.
  • SQL sounds like a better approach, yes, and actually I am working with SQL in my other solutions, but I haven't figured out how I can relate SQL to this one. But for the meantime I guess there should not be a problem for a mid-size environment. The performance issue which you mention is a good point, but having a file server for such users which deletes the text files in less than a minute should not be really heavy for today's servers, is it?

@g4ugm: 

  • That RAR part! Sorry! I totally forgot! I will repost it as a ZIP file. My bad! :(
  • You are right! The logon script will run indefinitely until the user logs off, while the 'CleanUp' script on the File Server will continually delete them. (No DC involved.) Well, if that server goes offline or unreachable, the logon script won't be able to create flag files. It acts just like any other server: when a DC, Exchange or any other service goes offline, some part of the work will be missed.
  • I have not tested the cached credentials, but that is one I will work on.

Actually, I tried to create a semi-heartbeat-like solution in which the logon script acts as the HeartBeat sender and the file server acts as the HeartBeat receiver.

Thanks for the tips! :)

P.S: ATM Working on agent type solution.
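The flag-file heartbeat described in this thread, as an added PowerShell sketch that is not Mahdi's TechNet package: the logon side refreshes one flag per user and computer, the logon check refuses a second concurrent session, and the file-server side removes only flags that have gone stale instead of deleting everything every second (which addresses Icolan's load concern and g4ugm's offline-share question). The share path, the flat `<samAccountName>.<COMPUTERNAME>.flag` naming and the 10 s / 30 s timings are assumptions.

```powershell
# Added example, not the TechNet package's code. Assumed layout: a share that
# users can write to, one flag file per user/computer in a single folder.
$FlagShare    = '\\FILESERVER\LoginFlags$'   # assumed path
$HeartbeatSec = 10                           # how often the logon script refreshes its flag
$StaleSec     = 30                           # a flag older than this counts as a dead session

function Get-ActiveSessions {
    # Returns the computer names holding a fresh flag for $User.
    param([string]$User)
    $cutoff = (Get-Date).AddSeconds(-$StaleSec)
    Get-ChildItem -Path $FlagShare -Filter "$User.*.flag" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object { $_.BaseName.Substring($User.Length + 1) }   # strip "<user>."
}

function Test-LogonAllowed {
    # Allowed only when no OTHER computer holds a fresh flag for this user.
    param([string]$User, [string]$Computer)
    $others = @(Get-ActiveSessions -User $User | Where-Object { $_ -ne $Computer })
    return ($others.Count -eq 0)
}

function Start-Heartbeat {
    # Logon-script side: rewrite the flag every $HeartbeatSec until logoff ends the script.
    param([string]$User, [string]$Computer)
    $flag = Join-Path $FlagShare "$User.$Computer.flag"
    while ($true) {
        try   { Set-Content -Path $flag -Value (Get-Date -Format o) -ErrorAction Stop }
        catch { Write-Warning "Flag share unreachable, flag not refreshed: $_" }  # share offline
        Start-Sleep -Seconds $HeartbeatSec
    }
}

function Remove-StaleFlags {
    # File-server side (scheduled task): drop flags not refreshed within $StaleSec,
    # so a crashed client or pulled cable is cleaned up without touching live sessions.
    $cutoff = (Get-Date).AddSeconds(-$StaleSec)
    Get-ChildItem -Path $FlagShare -Filter '*.flag' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}

# Logon-script entry point
$user = $env:USERNAME; $computer = $env:COMPUTERNAME
if (-not (Test-LogonAllowed -User $user -Computer $computer)) {
    Write-Warning "$user already has a live session on another computer; logging off."
    shutdown.exe /l                                # end this second session
} else {
    Start-Heartbeat -User $user -Computer $computer
}
```

Remove-StaleFlags is meant to run on the file server on its own schedule; the rest is the client-side logon script.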
