August 2006

Limit Concurrent Windows Logon Sessions

Keep Administrator sessions to a minimum with the Microsoft LimitLogin tool

Operation
Figure 2 illustrates the LimitLogin components and operation when a user logs on interactively to a LimitLogin-enabled Windows domain. The following events occur:

  1. The user initiates an interactive logon sequence from a Windows client. The LimitLogin logon script (Llogin) executes.
  2. The Llogin script sends the user and computer data to the LimitLogin Web service. The data is sent in XML format by using SOAP and includes the username, computername, IP address, session ID, and authenticating DC.
  3. The LimitLogin Web service checks whether the user has been enabled for LimitLogin and, if enabled, what the user's logon quota is. This data is stored in the LimitLogin AD application partition.
  4. AD replies with the requested information.
  5. If the user hasn't been enabled for LimitLogin, the LimitLogin Web service notifies the logon script that it should continue to log the user on normally. If the user has been enabled for LimitLogin and does have a logon quota defined, the Web service counts the number of logons that are currently registered for the user in the LimitLogin application partition. From here there are two possibilities:

     If the user's logon quota is greater than the number of logons registered in AD, the Web service records the new logon in the LimitLogin application directory partition and notifies the logon script to continue the logon process normally.

     If the user's logon quota is less than or equal to the number of logons registered in AD, the Web service notifies the logon script to log off the current session; the new logon is not recorded. LimitLogin can optionally be configured to show the user his or her other logon locations before it logs the user off. Note that the logon script simply acts on the verdict it receives from the Web service, so the integrity of that reply is what the enforcement rests on.
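The five-step exchange above, modelled end to end as an added example (this is not LimitLogin's own code). Both sides are shown: the client builds the SOAP message with the five fields the article lists, and the service applies the quota rule exactly as stated (allow while quota > registered logons, refuse once quota <= registered logons, always allow a user who isn't enabled). The XML element names, the sample quotas and the dict standing in for the LimitLogin application partition are assumptions; the article names the fields but not the schema.

```python
"""Model of the LimitLogin logon/logoff exchange described above.

Added example, not the tool's own code. The dict passed as `store` stands in for
the LimitLogin AD application partition; element names inside the SOAP body
(LogonRequest, UserName, ...) are assumptions, since the article names the
fields but not the XML schema.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)

# Per-user logon quotas; None means the user is not enabled for LimitLogin.
# Constructed sample data.
QUOTAS = {"alice": 1, "bob": 2, "carol": None}


def build_logon_message(username, computername, ip, session_id, dc):
    """Client side (Llogin script): wrap the logon data in a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    req = ET.SubElement(body, "LogonRequest")
    for tag, value in (("UserName", username), ("ComputerName", computername),
                       ("IPAddress", ip), ("SessionID", str(session_id)),
                       ("AuthenticatingDC", dc)):
        ET.SubElement(req, tag).text = value
    return ET.tostring(env, encoding="unicode")


def parse_logon_message(xml_text):
    """Web-service side: pull the fields back out of the envelope."""
    env = ET.fromstring(xml_text)
    req = env.find(f"{{{SOAP_ENV}}}Body/LogonRequest")
    if req is None:
        raise ValueError("no LogonRequest in SOAP body")
    return {child.tag: child.text for child in req}


def handle_logon(xml_text, store, quotas=QUOTAS):
    """Web-service decision. Returns ("continue", []) or ("logoff", other_locations).

    A user who is not enabled is always allowed and nothing is recorded;
    otherwise the logon is registered only when quota > registered count and
    refused (with the other locations reported) when quota <= registered count.
    """
    msg = parse_logon_message(xml_text)
    user = msg["UserName"]
    quota = quotas.get(user)
    if quota is None:
        return "continue", []
    current = store.setdefault(user, [])
    if quota > len(current):
        current.append(msg)
        return "continue", []
    others = [f"{r['ComputerName']} ({r['IPAddress']})" for r in current]
    return "logoff", others


def handle_logoff(username, session_id, store):
    """Logoff script side: drop the registered session so its slot is freed.

    Returns the number of records removed (0 means the session was unknown).
    """
    current = store.get(username, [])
    before = len(current)
    current[:] = [r for r in current if r["SessionID"] != str(session_id)]
    return before - len(current)


if __name__ == "__main__":
    partition = {}  # stand-in for the LimitLogin application partition
    first = build_logon_message("alice", "PC1", "10.0.0.11", 2, "DC1")
    second = build_logon_message("alice", "PC2", "10.0.0.12", 3, "DC1")
    print(handle_logon(first, partition))        # ('continue', [])
    print(handle_logon(second, partition))       # ('logoff', ['PC1 (10.0.0.11)'])
    print(handle_logoff("alice", 2, partition))  # 1
    print(handle_logon(second, partition))       # ('continue', [])
```

The logoff path matters as much as the logon path: if the logoff script never runs (crash, hard power-off, script blocked by policy), the stale record keeps counting against the quota until it is cleared, which is the usual operational complaint with this class of tool.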

Installation
You can download LimitLogin from http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe. Installing LimitLogin is relatively straightforward. The tool includes three installation executables: one for installing the Web server components (limitloginiissetup.msi), one for installing the AD DC components (limitloginadsetup.msi), and a third to install the client-side components (limitloginclientsetup.msi). It's important that you run these installation programs in the following order: the Web server installation first, the AD installation second, and the client-side installation third.

The LimitLogin Web server installation allows for the definition of a custom virtual directory name and port for the LimitLogin Web service. The Web server installation requires Administrator rights on the Web server.

As I mentioned earlier, the LimitLogin installation programs don't take care of the LimitLogin SSL configuration. The certificate work is all on the server side: install a server-side SSL certificate and bind it to the Web site or virtual directory that hosts the LimitLogin Web service.

You also must edit the limitlogin.wsdl file in the LimitLogin logon share (described below; this share also holds the LimitLogin logon and logoff scripts). The WSDL is what tells the client-side SOAP proxy where the Web service lives, so every URL in it that refers to the LimitLogin Web service must be changed from http:// to https://. All the URLs that must be changed are located in the <wsdl:service name="LimitLogin"> section of limitlogin.wsdl. Leave the other http:// strings in the file alone: they are XML namespace identifiers, not addresses, and changing them breaks the WSDL.
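Here is an added example of making that WSDL edit with a script instead of by hand; it is not part of the LimitLogin package. It changes only the location attributes of the address elements under <wsdl:service name="LimitLogin"> and then re-checks that nothing in that section is still plain HTTP, leaving namespace URIs untouched. The sample WSDL, the host name llweb.example.com and the LimitLogin.asmx path are constructed, since the article does not give the real endpoint.

```python
"""Switch the LimitLogin Web-service endpoints in limitlogin.wsdl to HTTPS.

Added example, not part of the tool. Only the location attributes of the
address elements inside <wsdl:service name="LimitLogin"> are changed; namespace
URIs such as targetNamespace also start with http:// and must stay as they are.
The sample WSDL below is constructed: the article gives neither the host nor
the .asmx path.
"""
from xml.dom import minidom

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:tns="http://tempuri.org/" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <wsdl:service name="LimitLogin">
    <wsdl:port name="LimitLoginSoap" binding="tns:LimitLoginSoap">
      <soap:address location="http://llweb.example.com/LimitLogin/LimitLogin.asmx" />
    </wsdl:port>
    <wsdl:port name="LimitLoginSoap12" binding="tns:LimitLoginSoap12">
      <soap12:address location="http://llweb.example.com/LimitLogin/LimitLogin.asmx" />
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def _service_addresses(doc, service_name):
    """Yield every element carrying a location attribute under the named service."""
    for service in doc.getElementsByTagNameNS(WSDL_NS, "service"):
        if service.getAttribute("name") != service_name:
            continue
        for el in service.getElementsByTagName("*"):
            if el.hasAttribute("location"):
                yield el


def upgrade_service_urls(wsdl_text, service_name="LimitLogin"):
    """Return (rewritten WSDL text, list of the new endpoint URLs)."""
    doc = minidom.parseString(wsdl_text)
    changed = []
    for el in _service_addresses(doc, service_name):
        loc = el.getAttribute("location")
        if loc.lower().startswith("http://"):
            new = "https://" + loc[len("http://"):]
            el.setAttribute("location", new)
            changed.append(new)
    # minidom keeps xmlns declarations as attributes, so they survive toxml().
    return doc.toxml(), changed


def plain_http_endpoints(wsdl_text, service_name="LimitLogin"):
    """Check step: list any endpoint in the service section that is not https."""
    doc = minidom.parseString(wsdl_text)
    return [el.getAttribute("location")
            for el in _service_addresses(doc, service_name)
            if not el.getAttribute("location").lower().startswith("https://")]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. the share's limitlogin.wsdl
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WSDL
    new_text, urls = upgrade_service_urls(text)
    print("rewrote:", urls)
    print("still plain http:", plain_http_endpoints(new_text))
    if path:
        open(path, "w", encoding="utf-8").write(new_text)
```

Back up the original limitlogin.wsdl in the share before running this against it, and make sure the host name in the rewritten URL matches the subject of the certificate you bound on the Web server; a mismatch fails the TLS handshake on every client and therefore every logon.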

The LimitLogin AD setup has three parts: preparing the AD forest, preparing the AD domain, and installing the LimitLogin extensions for the Active Directory Users and Computers snap-in. You can run the AD forest installation part from the command line by using LimitLoginADSetup.exe and the /ForestPrep switch. You can run the domain installation part from the command line by using LimitLoginADSetup with the /DomainPrep switch.

To run the first two parts of the LimitLogin-AD setup, your account must have Schema Administrator privileges in the root domain of the forest. Also, you must run the tool on the forest DC that has the Domain Naming Master operations master role. (To determine which DC this is, you can use the Ntdsutil command.)

The last part of the setup (installing the Active Directory Users and Computers LimitLogin extensions) can be run with Domain Administrator privileges on any DC in your forest, or with Administrator privileges on a Windows workstation—in case you're using Administrative Tools to manage AD from a workstation.

The forest preparation extends the AD schema and modifies the AD configuration context. The domain preparation creates the LimitLogin AD application partition and the LimitLogin logon and logoff scripts. During the domain preparation, you can specify the DC on which the LimitLogin application partition should be created.

For high availability or disaster recovery reasons, you might want to create a replica of the LimitLogin application partition on multiple DCs. The "Advanced Configuration Options" section of the LimitLogin Help file describes how to do this.

At the end of the AD setup, you must manually copy the LimitLogin logon and logoff scripts to a share and reference them in your domain GPO settings. The LimitLogin setup program reminds you to do so at the end of the LimitLogin AD installation (as illustrated in Web Figure 1, http://www.windowsitpro.com, InstantDoc ID 50596).

The AD installation portion of LimitLogin creates detailed log files: %systemdrive%\Program Files\LimitLogin\limitloginadsetup.log and %systemdrive%\windows\system32\ldif.log.

You can run the LimitLogin client setup program manually or in an automated way. Automated Microsoft-centric installation options include Microsoft Systems Management Server (SMS), GPOs, and logon scripts. To run the client installation from the command line in quiet mode (which requires no user interaction), run limitloginclientsetup.msi with the /qn switch (i.e., msiexec /i limitloginclientsetup.msi /qn). Because the client setup installs the SOAP client, it requires Administrator rights.

If the LimitLogin Web service isn't running on the DC hosting the LimitLogin application partition, you must make sure that you trust the Web server's computer account for delegation to the LimitLogin DC. The "LimitLogin Active Directory Setup" section of the LimitLogin Help file describes how to do this.

Configuration and Usage
Your best friend when configuring concurrent logon settings on AD user objects is the Active Directory Users and Computers snap-in. The LimitLogin AD installation program adds several LimitLogin configuration options to the snap-in. You can access the LimitLogin Tasks menu option from the context menu of user, computer, and organizational unit (OU) objects.



Learning Path
For information about LimitLogin's predecessor, Cconnect:
"Limit Concurrent Connections"

To learn about other ways to limit accounts and their privileges:
"Get the Most from Least Privilege"
"Learn To Be Least"
"Use Guest Accounts to Fight Malware"

