July 26, 2005 12:00 AM

Prevent Multiple Logons With GPOs

Windows IT Pro
InstantDoc ID #46952
Downloads
46952.zip

As a Microsoft Certified Trainer (MCT), I'm frequently asked about providing a solution that prevents a user from logging on to multiple PCs at the same time. There's a Microsoft solution to prevent multiple logons, but it's complicated. I found a simpler solution that uses logon and logoff scripts in Group Policy Objects (GPOs). Because GPOs can't be applied to Windows 9x or Windows NT, my solution works with only newer OSs (i.e., Windows Server 2003, Windows XP, and Windows 2000).

There are three steps in my solution:

  1. Create and share a folder on the domain controller (DC). For this example, I created a folder named Logons on a DC named Rafetpc. The share name should be the same as the folder name (in this case, Logons). The share permission must be Everyone, Change because users will write and delete files on the DC.
  2. Download and customize Login.bat, which Listing 1 shows, and Logout.bat, which Listing 2 shows. You can download these scripts from the Windows IT Pro Web site. Go to http://www.windowsitpro.com, enter 46952 in the InstantDoc ID text box, then click the 46952.zip hotlink. To customize these scripts, replace each instance of \\rafetpc\logons\ in the code at callout A in Listing 1 and at callout A in Listing 2 with an appropriate path.
  3. In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, go to the organizational unit (OU) that contains those users for whom you don't want to allow multiple logons. Create a GPO for this OU. In this GPO, navigate to User Configuration, Windows Settings, Scripts (Logon/Logoff). In the details pane, double-click Logon. Click Add in the Logon Properties dialog box, then click Browse in the Add a Script dialog box. Select the Login.bat file and click OK. Repeat the process for the logoff script by double-clicking Logoff in the details pane, clicking Add, Browse, selecting the Logout.bat file, and clicking OK. That's all.

After performing these steps, whenever a user in the specified OU logs on, Login.bat will create two files in the folder on the DC. When the same user attempts to log on from another PC at the same time, Login.bat will check for the existence of these files. If the files are present, Login.bat will immediately log the user off from the second PC. When a user in the specified OU logs off from a PC, Logout.bat will delete the two files created by Login.bat so that the user can then log on to another machine.
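Listing 1 and Listing 2 are in the download and are not reproduced on this page. The following is an added example, my own reconstruction and not the article's listings, of what Login.bat and Logout.bat look like when they do what the paragraph above describes: two marker files per session on the \\rafetpc\logons share from step 1, a check for the user's marker on every logon, and removal of both markers on logoff. The marker names (%USERNAME%.txt and %COMPUTERNAME%.txt), the decision to let the logon proceed when the share is unreachable, and the use of logoff.exe to end the second session are my assumptions.

```batch
@echo off
rem ===== Login.bat (added example; assumed reconstruction, not the article's Listing 1) =====
rem Assumes the share \\rafetpc\logons created in step 1 and that logoff.exe is on the client.
setlocal
set SHARE=\\rafetpc\logons

rem If the share cannot be reached the check cannot be made. This version lets the
rem logon proceed (an assumption) so a DC or network outage does not lock everyone out.
dir "%SHARE%" >nul 2>&1 || goto :eof

rem A marker named after the user means a session was recorded and has not been
rem cleaned up by Logout.bat: end this second session immediately.
if exist "%SHARE%\%USERNAME%.txt" (
    echo %USERNAME% is already logged on elsewhere. This session will be ended.
    logoff
    goto :eof
)

rem Record this session: one marker per user and one per computer, each holding
rem the other's name. The redirection is written first so that a name ending in a
rem digit (for example PC1) is not read as a file-handle number in "echo PC1>file".
>"%SHARE%\%USERNAME%.txt"     echo %COMPUTERNAME%
>"%SHARE%\%COMPUTERNAME%.txt" echo %USERNAME%
endlocal

rem ===== Logout.bat (added example; assumed reconstruction, not the article's Listing 2) =====
@echo off
setlocal
set SHARE=\\rafetpc\logons
rem Remove both markers so the user can log on from another machine.
if exist "%SHARE%\%USERNAME%.txt"     del /q "%SHARE%\%USERNAME%.txt"
if exist "%SHARE%\%COMPUTERNAME%.txt" del /q "%SHARE%\%COMPUTERNAME%.txt"
endlocal
```

Save the two halves as separate files and attach them as the logon and logoff scripts in step 3. Two caveats matter before relying on this: the share is writable by Everyone and the scripts run in the user's own security context, so the markers can be deleted and the script can be interrupted by the very user it is meant to restrict; treat it as a convenience control rather than a security boundary. Also, because only Logout.bat removes the markers, a crash or power loss leaves stale files on the DC that block that user's next logon until someone deletes them, so the Logons share is worth checking for markers that have outlived their sessions.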

Editor's Note:
Long-time reader and contributor Murat Yildirimoglu pointed out that the scripts used in the June 2007 article, "It's 10:00 P.M.: Do You Know Who's Logged On?", are similar to the scripts Murat published in this Reader to Reader.

Comments
  • JM2C
    Sep 23, 2010

    Logon-script-based solutions like the one described in this article present too many drawbacks and weaknesses to suit large IT infrastructures' security requirements:
     
    - if a workstation is not connected to the network, scripts cannot run and session history is therefore lost
    - a logon script runs as a user, and an ill-disposed user can therefore kill the script
    - if an untimely reboot occurs, sessions are not suppressed from the database
    - ...

    Moreover, there's an app for that: UserLock (http://www.UserLock.com).

  • Zubair
    Jan 25, 2010

    I just read this article, and I will try this and leave a comment in the future if more changes are needed in the logout.bat file.

  • Richard
    Mar 29, 2006

    I just put this GPO in place on my test OU and it's working great! The addition I'd like to make would be a message box coming up before logout saying something like "You are already logged in on one PC. Simultaneous Logins are Denied" or something equally witty.

    If someone knows how to add that to the LOGOUT.BAT file I'd appreciate a Heads-Up!

  • Tim
    Sep 04, 2005

    Yeah, I thought of the same thing. I think that if you put in an IF statement to check for the existence of the computer file first, then delete the user file if found, you can probably resolve this issue. Logically, if the computer file exists, then either the computer rebooted but didn't execute the logoff script, or it crashed. Since the user is logging on to the same computer, we're really not looking to prevent them from logging on. I think adding the following line before the first IF line in the login.bat file would fix the problem.

    If Exist \\%server%\logons\%computername%.txt Del \\%server%\logons\%username%.txt

    This way, if the computer file already exists for some reason (i.e., a crash), then the login will delete the username file, which is the condition we're looking for. If the user is logging on to the same computer, we want to allow it anyway. The following echo statements in the batch file will then re-create the username file and overwrite the computer file (since we're using a single ">").

    I haven't tested this but it's just my thoughts on the topic.

  • Stephen
    Aug 01, 2005

    What happens, though, if there is a power outage, or the system crashes and has to be manually shut down? It seems to me that in this case you would have the problem of "dangling logons" and would not be able to log on again, even on the same PC. It's a great start, though. Maybe if you combined it with a scheduled task to wipe them clean at 2:00 AM or something, just to make sure they all deleted properly.

    Just a thought. Thanks for the good tip, though!
