Limit login 2008 Active Directory

    Question

  •  Hello everyone

    I work in a company that is studying and deploying a lab to migrate from 2003 to 2008.
    One of the features that we use is limit login in 2003 Active Directory; I'm looking for this feature in 2008 Active Directory.

    Can any of you help me with this problem?

    I appreciate the support of all of you.

    Thursday, October 23, 2008 11:30 PM

All replies

  • Hi,

    Could you please explain limit login in more detail? If you want to track all logon information in Active Directory domains, as far as I know, the LimitLogin tool can help us achieve this. However, I am not sure if it supports Windows Server 2008, and you can refer to the following article to find more information:


    Limit Login

    http://technet.microsoft.com/en-us/magazine/cc160794.aspx

    Friday, October 24, 2008 7:43 AM
    Moderator
  • The related article has not been updated since 2005. How are things in 2009? Does AD 2008 still support the LimitLogin tooling? Has anyone tested this?
    Thursday, June 25, 2009 2:49 PM
  • Windows Server 2008 and Windows Server 2008 R2 do not support LimitLogin.

    You should take a look at UserLock, a third-party software solution that allows IT security teams to:
    - prevent or limit simultaneous logon (same ID, same password), per user or user group
    - record all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL,…) for future reference
    - monitor user sessions in real time (who is connected, from which workstation(s), for how long…)
    - remotely lock, log off and reset all interactive sessions
    - define working hours and/or maximum session time for protected users and disconnect users with prior warning outside of the defined timeframe(s) and/or when time is up
    - restrict user group’s network access per workstation or IP range
    - notify all users prior to gaining access to a system with a tailor-made warning message (legal disclaimer, etc.)
    - …

    and is fully compatible with all Windows Server versions (from 2000 to 2008 R2) and all Windows client versions (from 2000 to Seven).


    François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
    Thursday, June 24, 2010 7:55 AM
  • I know you can use it with 2008 machines on a 2003 AD domain:

    http://davidhazar.blogspot.com/2010/09/microsoft-limit-login-and-login-scripts.html

    However, I have not tested installing the product on a 2008 AD domain.

    Thursday, October 21, 2010 10:55 PM
  • UserLock is not a good tool. It does integrate with Active Directory but doesn't replicate with Active Directory in real time. For example, if you limit a user to only 1 session and the user's machine shuts down unexpectedly, he can't log in to the machine, because the session is still active in UserLock.

    Also, its console is not much like Active Directory.

    I do not recommend UserLock in a corporate environment.

    Thursday, May 5, 2011 5:01 AM
  • Hello,

    are you aware that this thread is from 2008?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, May 5, 2011 8:56 AM
  • Dear Anees,

    I am afraid you have been badly misinformed about UserLock.

    1) If a given user is limited to only one session and his computer unexpectedly shuts down, his session will NOT be active any longer in UserLock as soon as his computer has been restarted.
    This feature is automated and has been part of UserLock since version 4.0, back in 2008 …

    Besides, UserLock allows you to remotely and instantly reset, lock or logoff any session, either from the administration console or the Web interface.

    2) UserLock's Graphical User Interface is as close to the Active Directory GUI-standard as possible (check UserLock's screenshots here) and you can even display the AD tree as a dockable window inside UserLock's interface …

    Additionally, UserLock's restrictions can be set up in a very granular way, per user, user group(s) and Organizational Unit(s).


    3) When it comes to "corporate environments", more than one million UserLock licenses are in use worldwide by hundreds of organizations including:
    US Department of Justice, Barclays, Banco Santander, Lockheed Martin, US Drug Enforcement Administration, United Nations, BAE Systems, National Bank of Kuwait, US Bureau of Alcohol, Tobacco and Firearms, BlueCross BlueShield, Banco de Costa Rica, …

    Furthermore, UserLock has been awarded "Best of the Year 2010" by PC Mag and PC Mag's review bottom line states "it's an impressive product" …


    I hope this will help you to reconsider your position on UserLock. I am at your disposal to provide you with any further information you might require.

    Best,


    François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
    Thursday, May 5, 2011 10:25 AM
  • Hi Lucas,

    You can use LimitLogin to limit concurrent logons in a domain

    http://msmvps.com/blogs/javier/archive/2005/03/14/38557.aspx


    Kamal Sharma
    Wednesday, July 20, 2011 5:17 AM
  • Any news on the LimitLogin feature?

    ----- Lukas -----

    Thursday, October 11, 2012 11:27 AM
  • No news Lukas ...

    Windows Server 2012 does not offer a feature to limit/prevent concurrent logins and does not support LimitLogin either ...

    UserLock remains the only reliable option if you're serious about implementing and strictly enforcing a granular User Access Control Policy for your Windows network.

    You can download a free, fully-functional UserLock trial from the IS Decisions website.

    Prevent or limit concurrent logins with UserLock


    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com

    Thursday, October 11, 2012 12:52 PM
  • Mr. Amigorena:

    I am having difficulty in accepting the statement that Microsoft does not support a feature that is a requirement out of NIST Special Publication 800-53 rev. 4. The Concurrent Session Control - [AC-10] - with a HIGH Security Categorization Level requires the following: "Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination."

    If you could provide a statement or reference from Microsoft on their refusal to support this in Windows Server version 2008 and higher, it would provide credibility to your statement and likely sell more licenses. 

    Respectfully submitted,

    Michael Barbere



    • Edited by MidwestTech Thursday, September 19, 2013 3:36 PM Punctuation
    Thursday, September 19, 2013 3:32 PM
  • Mr. Amigorena:

    I have the same concerns as we are now having to find and implement the same type of solution due to the new regulations as part of the newly updated CJIS (Criminal Justice Information Standards) requirements.  These new requirements will affect every US law enforcement entity nationally.  So really we are talking about over a million systems easily.  It really seems to me this should be a feature in Active Directory or GPO setting that can be applied.  I’m surprised this has happened already.

    Respectfully,

    David Vaughn

    Wednesday, November 6, 2013 10:26 PM
  • Is anyone from Microsoft even willing to speak on this?
    Thursday, December 12, 2013 11:36 AM

  • Dear Michael,

    Please forgive this very late reply.

    I have tried my best, but did not find any official statement from Microsoft, apart from multiple replies from Microsoft employees on various forums and technical communities only mentioning LimitLogin (which is not compatible with Windows Server 2008, 2008 R2, 2012 and 2012 R2).

    As you can imagine, IS Decisions' R&D team thoroughly tests every Windows Server new version, looking for this feature, and I am 100% affirmative: there is no native feature in Windows/Active Directory that can limit the number of concurrent logins.

    To back up my claim, I can mention a couple of US law enforcement organizations using UserLock:
    the FBI, the DEA, the US DoJ, the BATF ...

    Please feel free to watch this UserLock video presentation and to download a free, fully-functional trial.

    Best,
    François


    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com

    Saturday, February 1, 2014 10:01 AM