How can I limit the number of allowed concurrent sessions per user in an Active Directory (AD) domain?
October 2, 2005
A. Microsoft has released the LimitLogin tool, which you can download from http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe. The tool stores logged-on information in a custom AD application partition (dc=limitlogin,dc=<domain>,dc=<suffix>; e.g., dc=limitlogin,dc=savilltech,dc=com) by means of a Web service hosted on Microsoft IIS 6.0 (Windows Server 2003), a client component, and a logon script and a logoff script.
After you download the file, extract the setup files to a folder you specify. The full configuration requires a change to the AD forest schema to allow extra detail about the logon status to be stored, and because an AD application partition is being created, the system must have at least one Windows 2003 domain controller (DC). To install LimitLogin, perform these steps:
1. Use the Add/Remove Programs Control Panel applet to install IIS and ASP.NET on the server that will act as the LimitLogin Web service host (Add/Remove Programs - Windows Components - Application Server).
2. Enable ASP.NET as an extension via the Internet Information Services (IIS) Manager in the Web Service Extensions navigation pane. Ensure that the ASP.NET extension is shown as Allowed in the detail pane, as the figure shows.
3. Execute LimitLoginIISSetup.msi from the extraction folder to begin setup of the Web service portion of LimitLogin. (You must be logged on as an Administrator.) Click Next at the welcome dialog box.
4. You'll be prompted to enter the virtual directory name that the Web service will use and the port (you can usually leave the default settings for these); click Next.
5. Click Next, then click Close to complete the Web portion of the setup. If you look at IIS Manager, you'll see a new WSLimitLogin directory under the Default Web Site.
6. To prepare AD, execute the LimitLoginADSetup.msi file and click Next at the introduction screen.
7. Click "I Agree" to the license agreement and click Next.
8. Select the installation folder (the default is C:\program files\limitlogin) and click Next.
9. The AD setup will prompt you to prepare the forest and domain and install the MMC LimitLogin snap-in, as the figure shows. Click Next. (At this point you must be logged on as a Schema Admin and have the Schema Master FSMO role holder available.)
10. The installation will prompt you to ensure that you have sufficient permissions to write to the schema. Click OK.
11. You'll see a dialog box that shows that the changes completed successfully for the forest portion (the schema change) of the setup. Click OK.
12. Specify the name of the IIS server and a folder in which the scripts can be stored, as the figure shows. You must have already created the share (it can be hidden) and given Authenticated Users read access to it. Click Next.
13. Select the DC (it must be Windows 2003) that will host the application partition for LimitLogin, as the figure shows. Click Next.
14. You can now enter the credentials used to create the partition, or clear the "Use the following credentials" check box if your logged-on user has sufficient rights. Click Create.
15. Click OK at the successful creation message.
16. You now need to manually copy LimitLogin.wsdl, llogin.vbs, and llogoff.vbs from the C:\program files\limitlogin\scripts folder to the share you specified in step 12. In the Final Steps message box, select the "I've read the instructions and will perform these steps manually" check box, as the figure shows. Click Next.
17. Click Close.
You now need to deploy LimitLoginClientSetup.msi to the machines in your environment via a logon script, Group Policy, or Microsoft Systems Management Server (SMS), because this installation file contains the client-side piece that communicates with the IIS-based Web service.
You also need to configure Group Policy to execute the llogin.vbs and llogoff.vbs scripts. You can do this at domain level by performing these steps:
1. Create a new Group Policy Object (GPO) called "LimitLogon" and link it at the domain level, as the figure shows. (Open the Active Directory Users and Computers MMC snap-in, right-click the domain, and select Properties. Select the Group Policy tab and click New. Enter a name of LimitLogon.)
2. Click Edit on the Group Policy tab to open Group Policy Editor (GPE).
3. Navigate to the User Configuration - Windows Settings - Scripts (Logon/Logoff) branch.
4. Double-click Logon in the right pane and click Add.
5. Enter the script name and location on the share (e.g., \\savdaldc01\limitlogon$\llogin.vbs) and click OK.
6. Double-click Logoff in the right pane and click Add.
7. Enter the script name and location on the share (e.g., \\savdaldc01\limitlogon$\llogoff.vbs) and click OK.
8. Close GPE.
The AD setup also places the LimitLoginMMCSetup.exe utility in the C:\program files\limitlogin folder. When run, it integrates LimitLogin directly into the AD Users and Computers snap-in, providing a new LimitLogin Tasks context-menu option. This option opens the LimitLogin configuration for the user, which displays the current sessions, as the figure shows. (You'll need LimitLogin installed on each machine that runs Active Directory Users and Computers. To do so, execute the LimitLoginADSetup.msi file and, in the setup options, select the "Install LimitLogin Active Directory MMC snap-in integration tools on this machine" option.)
Click Configure to set the number of logons allowed, as the figure shows.
LimitLogin also provides a script, Bulk_LimitUserLogins.vbs, that lets you define quotas for all users in the domain. If you want to use the tool only to see logged-on sessions, give users a high quota that they'll never reach (without quotas enabled, no user-session tracking occurs).
Any attempt to log on beyond the allowed number of sessions results in the user being logged off and an event ID 8811 being written to the Application event log of the LimitLogin server, as the figure shows.
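The quota logic described in the two paragraphs above (a per-user limit with a bulk default, a logon refused once the limit is reached, and a record of each refusal) can be modelled in a few dozen lines. The following Python is an added illustration written for this article, not LimitLogin's own code; the event format, user and workstation names, and the default quota of 2 are constructed for the example. It also handles two edge cases the tool has to cope with: a repeat logon from a workstation that is already counted, and a logoff for a session that was never recorded (for instance because the logon script was blocked).

```python
"""Toy model of per-user concurrent-session quotas (added example, not LimitLogin code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumption: a stand-in for a quota applied to every user in bulk.
DEFAULT_QUOTA = 2


@dataclass
class Event:
    kind: str         # "logon" or "logoff", as a logon/logoff script would report
    user: str
    workstation: str


@dataclass
class SessionTracker:
    # Per-user quotas; anyone not listed gets default_quota.
    quotas: Dict[str, int] = field(default_factory=dict)
    default_quota: int = DEFAULT_QUOTA
    # user -> workstations with a currently recorded session
    sessions: Dict[str, Set[str]] = field(default_factory=dict)
    # Audit trail of refused logons, analogous to event ID 8811 entries.
    denials: List[str] = field(default_factory=list)

    def quota_for(self, user: str) -> int:
        return self.quotas.get(user.lower(), self.default_quota)

    def active(self, user: str) -> int:
        return len(self.sessions.get(user.lower(), set()))

    def handle(self, ev: Event) -> bool:
        """Apply one event; return True if the logon is allowed (logoffs always return True)."""
        user, ws = ev.user.lower(), ev.workstation.lower()   # AD names are case-insensitive
        current = self.sessions.setdefault(user, set())
        if ev.kind == "logon":
            if ws in current:
                return True          # same workstation again: not an additional session
            if len(current) >= self.quota_for(user):
                self.denials.append(
                    f"{user} refused on {ws}: {len(current)} active, quota {self.quota_for(user)}"
                )
                return False
            current.add(ws)
            return True
        if ev.kind == "logoff":
            current.discard(ws)      # unknown session (missed logon script): nothing to remove
            return True
        raise ValueError(f"unknown event kind {ev.kind!r}")


# Constructed sample events; bob is given an explicit quota of 1 in demo().
SAMPLE_EVENTS = [
    Event("logon", "alice", "ws1"),
    Event("logon", "Alice", "ws2"),
    Event("logon", "alice", "ws3"),    # third concurrent session: refused
    Event("logon", "alice", "WS1"),    # already counted: allowed, no new session
    Event("logoff", "alice", "ws2"),
    Event("logon", "alice", "ws3"),    # now within quota again
    Event("logon", "bob", "ws9"),
    Event("logon", "bob", "ws8"),      # bob's quota is 1: refused
    Event("logoff", "carol", "ws5"),   # logoff with no recorded logon: ignored
]


def demo() -> Tuple[SessionTracker, List[bool]]:
    tracker = SessionTracker(quotas={"bob": 1})
    results = [tracker.handle(ev) for ev in SAMPLE_EVENTS]
    return tracker, results


if __name__ == "__main__":
    t, outcomes = demo()
    print(outcomes)
    for line in t.denials:
        print(line)
```

The refusal list plays the role of the 8811 events: it is the record a defender would review to spot a single account being used from more workstations than its owner could plausibly occupy.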
Read the Help file that accompanies the LimitLogin tool; it has a lot of detail about using the tool. Also be aware that some antivirus and antispyware packages might block the scripts from running, so you need to configure those programs to allow the scripts to run.