Group Policy limit students to 1 login instance at a time.

    Question

  • Is there a policy that restricts users to one login instance at a time?  I want students to only be able to log in to one machine.  I am trying to prevent them from logging in to 6 machines at a time when their friends do not have an account.
    Monday, September 05, 2011 3:55 PM

Answers

  • Hi,

     

    There is no built-in feature to limit the number of logins of users from many machines in an Active Directory domain. The tool LimitLogin stores logged-on information in a custom AD partition via a Microsoft IIS hosted Web service, a client component, and a logon and logoff script. To run the tool, IIS must be installed along with ASP.NET. Meanwhile, LimitLogin officially supports Windows 2000 Professional Service Pack 4 and later, Windows 2000 Server Service Pack 4 and later, Windows XP Professional Service Pack 1 and later, and Windows Server 2003. I have heard from others that LimitLogin can be run on Windows Server 2008, but errors may appear.

     

    There are also ways to only allow users to log onto certain machines, which can help limit where they can log on as a workaround. For example:

     

    1. Go to AD Users and Computers, find the user who you want to restrict, right click and choose Properties, click the Account tab, choose “Log On To”. Select “This user can log on to:” “The following computers”, then add the computers as you want.

     

    2. Use group policy to restrict some domain users to log on certain computers

     

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Deny logon locally

     

    Thanks.

    Nina


    Thursday, September 08, 2011 8:18 AM
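
The "Log On To" workaround from the answer above, applied in bulk with the ActiveDirectory PowerShell module (an added example, not part of the original thread). The CSV layout and the computer-name check are assumptions; Set-ADUser -LogonWorkstations writes the userWorkstations attribute, the same one the Account tab edits.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumed input: a CSV with the columns
# SamAccountName,Computers (Computers is a ';'-separated list), for instance:
#   SamAccountName,Computers
#   jdoe,LAB1-PC01
#   asmith,LAB1-PC02;LIB-PC07
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $CsvPath
)

foreach ($row in Import-Csv -Path $CsvPath) {
    $names = @($row.Computers -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Reject anything that is not a plain computer name before it reaches a filter
    $bad = @($names | Where-Object { $_ -notmatch '^[A-Za-z0-9-]{1,15}$' })
    # Only accept names that resolve to an existing computer account
    $missing = @($names | Where-Object { $bad -notcontains $_ } |
        Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") })

    # An empty list would clear the restriction, so treat it as an error too
    if ($names.Count -eq 0 -or $bad.Count -or $missing.Count) {
        Write-Warning "$($row.SamAccountName): skipped (empty, invalid or unknown computer: $(($bad + $missing) -join ', '))"
        continue
    }

    try {
        $user = Get-ADUser -Identity $row.SamAccountName -Properties userWorkstations -ErrorAction Stop
    } catch {
        Write-Warning "$($row.SamAccountName): user not found"
        continue
    }

    $new = $names -join ','   # userWorkstations is a comma-separated list
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set Log On To = $new")) {
        Set-ADUser -Identity $user -LogonWorkstations $new
    }

    # One row per user: what was allowed before and what is allowed now
    [pscustomobject]@{
        User     = $user.SamAccountName
        Previous = $user.userWorkstations
        New      = $new
    }
}
```

Run it with -WhatIf first to review the Previous/New report before anything is written. This limits where each student can log on; it does not count concurrent sessions, so a student assigned several computers can still be logged on to all of them.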

All replies

  • Hi,

    There used to be a limit login program, http://technet.microsoft.com/en-gb/magazine/2005.05.utilityspotlight.aspx; we were using Novell at the time so I didn't need to try it out. Unfortunately this isn't a feature that comes with the OS, so you might have to hunt down a third party app :o(

    J

     

     

    Monday, September 05, 2011 4:07 PM
  •  Hi,

    You can also achieve that by specifying the Logon Workstation attribute for the user:

    Open User account property

    Go to Accounts Tab

    Click on LogonTo button

    Specify the workstation

    Apart from that, you can try LimitLogin, but that requires client installation on each workstation and would require thorough testing.

    Monday, September 05, 2011 5:04 PM
  • Hello,

    LimitLogin will only work on Windows Server 2003, NOT on higher OS versions. You can also use one of Richard Mueller's great scripts:

    http://www.rlmueller.net/Logon7.htm


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, September 06, 2011 6:07 AM
  • I confirm that LimitLogin is not compatible with Windows Server 2008 and Windows Server 2008 R2.

     

    You should take a look at UserLock (fully compatible with Windows Server 2008, including R2, and Windows 7), which allows IT security teams to:
    - prevent or limit simultaneous logon (same ID, same password), per user, user group or Organizational Unit
    - record all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL,…) for future reference
    - monitor user sessions in real time (who is connected, from which workstation(s), for how long…)
    - remotely lock, log off and reset all interactive sessions
    - define working hours and/or maximum session time for protected users and disconnect users with prior warning outside of the defined timeframe(s) and/or when time is up
    - restrict user group’s network access per workstation or IP range
    - notify all users prior to gaining access to a system with a tailor-made warning message (legal disclaimer, etc.)
    - …

     

    As you work in an academic institution, you might want to read this whitepaper titled "Secure and Optimize a free access Windows network" for further information.


    François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
    Wednesday, December 14, 2011 9:05 AM