Every day we face new problems and requirements that we have to deal with. Over the years, system administrators and specialists have repeatedly asked for a feature in Active Directory that lets an administrator restrict a user account to a single logon at a time and prevents concurrent logons from the same account.
There have been several solutions to this problem, such as Limit Login back in Windows Server 2003, but since today we are dealing with Windows Server 2012 R2 or 2016 rather than Windows Server 2003, the old methods are no longer practical.
This guide can be used by administrators who want to limit the logon activity of user accounts and force each account to a single workstation logon at a time.
To fully understand this solution, you need to understand the concepts under the hood and how each element is used to reach the goal. The requirement itself is clear: each user may be logged on at one workstation only, and no more.
To do this, let’s explain how it works using a series of images.
Any implementation requires some environment preparation, such as installing a SQL Server or preparing Active Directory. By now it should be clear that this solution also has a number of prerequisites.
First, download the scripts required in this guide using this link. Once you have downloaded the archive, unzip it and you will find four subfolders inside.
Each of these elements is required to run this solution. We will cover them in their own sections later on.
This file server will be the repository for our flag files. You could use a DC itself instead of a separate file server, but since the 'CleanUp' process runs every second as a scheduled task, it is better not to involve your domain controllers: depending on the size of your environment it can cause performance lag, and it also means a share that every user writes to would live on a DC.
Implementing this solution will be done in several steps:
We will explain each step in detail.
This step covers the GPO part of the solution. As mentioned earlier, a flag file is created when the user first authenticates. The best way to create this flag file is through a group policy.
The GPO configures a logon script; each time the user logs on, this script creates the flag file in the user's folder on the file server. Before using the script you need to customize it for your environment. The parts of the script marked in red must be changed:
As you can see, there are three parts of this script that need to be changed. Make the changes as shown below:
After applying the required changes, follow the steps below to create the GPO:
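To make the logon-script part concrete, here is an added example written for this article. It is not the script from the download (which you still need to adapt as described above); it is a stand-alone illustration of the same design. The share name \\FILESERVER\UserFlags$, the flag file name session.txt and the 10-second heartbeat are assumptions, and the flag content is simply the computer name, so the check is "is there a fresh flag written by a different workstation?".

```powershell
# Added example of a concurrent-logon check for this design (written for this article; it is
# NOT the script from the download). Assumptions: flag folders live under
# \\FILESERVER\UserFlags$ (placeholder share), one folder per sAMAccountName, flag file
# named session.txt, heartbeat every 10 seconds as the guide describes.

$FlagRoot      = '\\FILESERVER\UserFlags$'   # change to your share
$HeartbeatSecs = 10                          # rewrite interval the guide describes
$User          = $env:USERNAME
$Computer      = $env:COMPUTERNAME
$UserFolder    = Join-Path $FlagRoot $User
$FlagFile      = Join-Path $UserFolder 'session.txt'

# The folder is provisioned by the server-side task. Exiting here fails open (the user logs
# on unchecked). Failing closed would mean calling logoff instead; that is a policy decision.
if (-not (Test-Path -LiteralPath $UserFolder -PathType Container)) {
    exit
}

# Is another workstation already holding this account's session?
if (Test-Path -LiteralPath $FlagFile -PathType Leaf) {
    $owner = Get-Content -LiteralPath $FlagFile -ErrorAction SilentlyContinue |
             Select-Object -First 1
    if ($owner) { $owner = $owner.Trim() }
    # A flag written by this same computer is a leftover from our own earlier session
    # (reboot, crash), not a concurrent logon, so only a *different* name counts.
    # (-ne is case-insensitive in PowerShell, which is what we want for host names.)
    if ($owner -and $owner -ne $Computer) {
        $msg = "Your account is already logged on at $owner.`n" +
               "Only one session per user is allowed; this session will be logged off."
        # Timed popup (15 s) so an unattended screen cannot block the logoff forever.
        $shell = New-Object -ComObject WScript.Shell
        [void]$shell.Popup($msg, 15, 'Concurrent logon detected', 48)
        shutdown.exe /l /f
        exit
    }
}

# Heartbeat: keep rewriting the flag so the server-side cleanup can tell a live session
# (fresh file) from a phantom one (stale file). The process dies when the user logs off.
while ($true) {
    try {
        Set-Content -LiteralPath $FlagFile -Value $Computer -Force -ErrorAction Stop
    } catch {
        # Share briefly unreachable (network hiccup): keep trying rather than exit,
        # otherwise the flag goes stale and a second logon would be let in.
    }
    Start-Sleep -Seconds $HeartbeatSecs
}
```

Deploy it as a PowerShell logon script under User Configuration, Policies, Windows Settings, Scripts (Logon/Logoff). On Windows 8.1 and 10 clients also set "Configure Logon Script Delay" (Computer Configuration, Administrative Templates, System, Group Policy) to a small value, because the default delays logon scripts by five minutes and the check would run far too late. Two limits are inherent in the approach: two logons that start within one heartbeat of each other both see an empty folder and both succeed, and because the script runs with the user's own privileges, a user who kills the powershell.exe process or blocks access to the share simply stops being checked. Treat this as an administrative control, not a security boundary.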
In this step you actually create a folder for each user. The folder holds that user's flag file. Because the path will be used in the logon script later, and each user must be able to write only to their own flag file, the folders are named after the user's 'sAMAccountName'.
The only problem is that new users may be added to Active Directory every hour, and we do not want to spend time creating user folders by hand. Therefore this script searches the path for missing user folders and creates them immediately.
Since this script must also be edited for your environment, make sure the paths below are set correctly:
Now we can move on to scheduling the user folder creation.
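The point of "each user can touch only its own flag file" is an ACL, not just a folder name, so here is an added example of the provisioning task that sets it. It is written for this article and is not the script from the download. The local path D:\UserFlags behind the share is a placeholder, the task is assumed to run on the file server as an account that can read AD and set ACLs there, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example of the flag-folder provisioning task (written for this article; it is NOT the
# script from the download). Assumptions: the share's local path is D:\UserFlags
# (placeholder), the task runs on the file server with rights to read AD and set ACLs under
# that path, and the ActiveDirectory module is available.
Import-Module ActiveDirectory

$FlagRoot = 'D:\UserFlags'   # local path behind the share the logon script writes to

# Well-known SIDs, so the ACL does not depend on name resolution at run time.
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

function New-UserFlagFolder {
    param($User, [string]$Root)   # $User is an ADUser object from Get-ADUser

    $folder = Join-Path $Root $User.SamAccountName
    New-Item -ItemType Directory -Path $folder | Out-Null

    # Least privilege: stop inheriting from the root (so a "Users" or "Everyone" grant on the
    # share root does not leak in), then allow exactly three principals:
    #  - the user: Modify, enough to create, overwrite and delete their own flag file
    #  - SYSTEM: the cleanup task runs as SYSTEM and must delete stale flags
    #  - Administrators: for troubleshooting
    # Nobody else can read another user's flag, let alone plant one to lock them out.
    $acl = Get-Acl -LiteralPath $folder
    $acl.SetAccessRuleProtection($true, $false)   # protect, and drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @($User.SID,  'Modify'),
        @($SystemSid, 'FullControl'),
        @($AdminsSid, 'FullControl')
    )
    foreach ($g in $grants) {
        $rights = [System.Security.AccessControl.FileSystemRights]$g[1]
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList @($g[0], $rights, $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $folder -AclObject $acl
}

# Index existing folders once so each user costs a hash lookup, not a disk probe.
$existing = @{}
Get-ChildItem -LiteralPath $FlagRoot -Directory |
    ForEach-Object { $existing[$_.Name.ToLower()] = $true }

$created = 0
foreach ($u in Get-ADUser -Filter 'Enabled -eq $true') {
    if (-not $existing.ContainsKey($u.SamAccountName.ToLower())) {
        New-UserFlagFolder -User $u -Root $FlagRoot
        $created++
    }
}
Write-Output "$(Get-Date -Format s): created $created missing flag folder(s) under $FlagRoot"
```

Run it from a scheduled task on the file server at whatever interval matches how often accounts are created; because it only touches folders that do not exist yet, running it often is cheap. Setting the ACL from the user's SID rather than DOMAIN\name also means a later rename of the account does not break access.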
In this solution a simple text file limits the number of logons a user can have, and so far we have described how that process works. As you may guess, we also have to make sure no phantom text files remain in a user's folder: if one does, the user cannot log on, because of a flag file that points to a session that no longer exists.
To fix that, we delete each user's text file on a short schedule: a task deletes the text files in every user's folder. You may ask, if we delete the text files, how does the logon script work in their absence? The answer is simple: the logon script rewrites the text file every 10 seconds. The two intervals have to be tuned together, though: a live session's flag must be rewritten before a second logon could check for it, or that logon slips through, and a phantom flag must be gone before the user needs to log on elsewhere. Let's make this clear with an example:
After all this explanation, we need to create the cleanup process. But before that, do not forget to adapt the script, just as in the previous steps:
Now go ahead and apply the rest of the configuration.
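Here is an added example of the cleanup side, written for this article; it is not the script from the download. It keeps the guide's idea (a task on the file server that sweeps the user folders continuously, with the sweep interval inside the script because Task Scheduler itself cannot repeat faster than once a minute) but makes one design choice of its own: instead of deleting every flag on each pass, it deletes only flags whose last write is older than a grace window of a few heartbeats. That way a live session's heartbeat always keeps its flag present and only phantom flags, left behind by a crash, hard reset or network drop, are removed. The path D:\UserFlags, the *.txt flag name, the 10-second heartbeat and running as SYSTEM are assumptions.

```powershell
# Added example of the cleanup task (written for this article; it is NOT the script from the
# download). Assumptions: flag root D:\UserFlags (placeholder), one folder per
# sAMAccountName, flag files named *.txt, a 10-second logon-script heartbeat, and the task
# runs on the file server as SYSTEM starting at boot. Design choice that is mine, not the
# guide's: only flags older than a grace window are deleted, so a live session's flag is
# never missing when a second logon checks for it.
param([switch]$Register)

$ScriptPath    = $MyInvocation.MyCommand.Path
$FlagRoot      = 'D:\UserFlags'
$HeartbeatSecs = 10                  # must match the logon script
$GraceSecs     = 3 * $HeartbeatSecs  # tolerate a few missed heartbeats before calling it a phantom
$SweepSecs     = 5                   # sweep interval; keep it shorter than the grace window

function Remove-StaleFlags {
    param([string]$Root, [int]$MaxAgeSeconds)
    # Compare against the file server's own clock, the same clock that stamped the SMB
    # writes, so workstation clock skew does not matter.
    $cutoff  = (Get-Date).AddSeconds(-$MaxAgeSeconds)
    $removed = 0
    $flags = Get-ChildItem -LiteralPath $Root -Directory |
             Get-ChildItem -File -Filter '*.txt' -ErrorAction SilentlyContinue
    foreach ($flag in $flags) {
        if ($flag.LastWriteTime -lt $cutoff) {
            Remove-Item -LiteralPath $flag.FullName -Force -ErrorAction SilentlyContinue
            if (-not (Test-Path -LiteralPath $flag.FullName)) { $removed++ }
        }
    }
    return $removed
}

if ($Register) {
    # One-time setup, run elevated on the file server: start this script at boot as SYSTEM
    # with no run-time limit, and restart it if it ever dies. The loop below does the sweeping.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
                   -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
    Register-ScheduledTask -TaskName 'UserFlagCleanUp' -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-Output 'Registered task UserFlagCleanUp; start it now with: Start-ScheduledTask UserFlagCleanUp'
    exit
}

# Steady state: sweep forever.
while ($true) {
    $n = Remove-StaleFlags -Root $FlagRoot -MaxAgeSeconds $GraceSecs
    if ($n -gt 0) { Write-Output "$(Get-Date -Format s): removed $n phantom flag file(s)" }
    Start-Sleep -Seconds $SweepSecs
}
```

Run it once with -Register to create the task, then Start-ScheduledTask (or reboot) to begin sweeping. The grace window is the user-visible cost of this scheme: after a crash, the user cannot log on at another workstation until the window has passed, so pick it as a small multiple of the heartbeat and no larger.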
Now everything is in place to test the result. Log on with a single user account from two different workstations. If you have configured everything correctly, the second PC logs off automatically after a message informs the user that multiple sessions have been detected. Bear in mind what is being tested: the check lives in a logon script that runs with the user's own rights, so it only covers interactive logons that actually run the script, and a user who is able to stop the script or cut access to the file share is no longer checked.
As already mentioned, blocking concurrent logons in Active Directory has been requested for a long time, but since there is no built-in feature for it, this article has described one solution to achieve that goal.