As a Microsoft Certified Trainer (MCT), I'm frequently asked about providing a solution that prevents a user from logging on to multiple PCs at the same time. There's a Microsoft solution to prevent multiple logons, but it's complicated. I found a simpler solution that uses logon and logoff scripts in Group Policy Objects (GPOs). Because GPOs can't be applied to Windows 9x or Windows NT, my solution works with only newer OSs (i.e., Windows Server 2003, Windows XP, and Windows 2000).
There are three steps in my solution:
Create and share a folder on the domain controller (DC). For this example, I created a folder named Logons on a DC named Rafetpc. The share name should be the same as the folder name (in this case, Logons). The share permission must be Everyone, Change because users will write and delete files on the DC.
Download and customize Login.bat, which Listing 1 shows, and Logout.bat, which Listing 2 shows. You can download these scripts from the Windows IT Pro Web site. Go to http://www.windowsitpro.com, enter 46952 in the InstantDoc ID text box, then click the 46952.zip hotlink. To customize these scripts, replace each instance of \\rafetpc\logons\ in the code at callout A in Listing 1 and at callout A in Listing 2 with an appropriate path.
In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, go to the organizational unit (OU) that contains those users for whom you don't want to allow multiple logons. Create a GPO for this OU. In this GPO, navigate to User Configuration, Windows Settings, Scripts (Logon/Logoff). In the details pane, double-click Logon. Click Add in the Logon Properties dialog box, then click Browse in the Add a Script dialog box. Select the Login.bat file and click OK. Repeat the process for the logoff script by double-clicking Logoff in the details pane, clicking Add, Browse, selecting the Logout.bat file, and clicking OK. That's all.
After performing these steps, whenever a user in the specified OU logs on, Login.bat will create two files in the folder on the DC. When the same user attempts to log on from another PC at the same time, Login.bat will check for the existence of these files. If the files are present, Login.bat will immediately log the user off from the second PC. When a user in the specified OU logs off from a PC, Logout.bat will delete the two files created by Login.bat so that the user can then log on to another machine.
—Murat Yildirimoglu
murat@muratyildirimoglu.com
Editor's Note:
Long-time reader and contributor Murat Yildirimoglu pointed out that the scripts used in the June 2007 article, "It's 10:00 P.M.: Do You Know Who's Logged On?", are similar to the scripts Murat published in this Reader to Reader.
End of Article
What happens though, if there is a power outage, or the system crashes and has to be manually shut down? It seems to me that in this case, you would have the problem of "dangling logons" and would not be able to re-logon, even on the same PC. It's a great start, though. Maybe if you combined it with a scheduled task to wipe them clean at 2:00 AM or something, just to make sure they all deleted properly.
Just a thought. Thanks for the good tip, though!
stath August 01, 2005 (Article Rating: )
Yeah I thought of the same thing. I think that if you put in an IF statement to check for the existance of the computer file first then delete the user file if found you can probably resolve this issue. Logically if the computer file exists then either the computer rebooted but didn't execute the logoff script or crashed. Since the user is logging on to the same computer we're really not looking to prevent them from logging on. I think adding the following line before the first IF line in the login.bat file would fix the problem.
If Exist \\%server%\logons\%computername%.txt Del \\%server%\logons\%username%.txt
This way if the computer file already exists for some reason (ie - crash), then the login will delete the username file which is the condition we're looking for. If the user is logging on to the same computer we want to allow it anyways. The following echo statements in the batch file will then re-create the username file and overwrite the computer file (since we're using a single ">").
I haven't tested this but it's just my thoughts on the topic.
tekrage September 04, 2005 (Article Rating: )
I just put this GPO in place on my test OU and it's working great! The addition I'd like to make would be a message box coming up before logout saying something like "You are already logged in on one PC. Simultaneous Logins are Denied" or something equally witty.
If someone knows how to add that to the LOGOUT.BAT file I'd appreciate a Heads-Up!
richard.slusher@lamar.edu March 29, 2006 (Article Rating: )
You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor?
Register now
An often irreverent look at some of the week's other news, including a shortened work week thanks to the 4th of July, expensive Windows 7 pricing, Bing's modest monthly gains, IE 8 heading to work, Steve Jobs back at Apple, and so much more ...
Get Mark Minasi’s Windows Server 2008 Audio CDs "Windows expert, consultant and best-selling author Mark Minasi shows you if 2008 is right for you and, if so, how to get the most out of it!
Take Control of Your Email Optimize your email storage – Download this white paper to learn key how-to’s in email storage management.
Get Windows IT Pro To Go! The Windows IT Pro Magazine Master CD is a powerful combination of content and convenience. Order now, and save up to 25%--plus you’ll get online access to new articles each and every month! Subscribe today!
)
)
Register
Just a thought. Thanks for the good tip, though!
stath August 01, 2005 (Article Rating: