
Can Windows 2003 limit Concurrent logon

January 27, 2005 8:14:11 PM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

I suppose not but one of my peer colleagues said that it's built in or
extended as a user attribute by running a snap-in (which I doubt) and no
need for a SQL backend.

The previous version of "CConnect" is good for w2k and NT4 while the beta
version of "LimitLogin" disappeared from MS beta web link, am I missing one
of the latest and the greatest user attribute?

Thanks in advance !

Jason
Anonymous
January 27, 2005 8:14:12 PM


The only way I have ever seen to do this in 2k/ 2k3 server is to write a
script in the logon that either increments a tracking file or writes to a
database on logon attempt. I have never seen anything in the AD to limit
this.

Anyone else??

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

January 27, 2005 8:57:05 PM


One of our branch offices was challenged by Federal Auditors that (we are a
w2K AD domain) we do not have a mechanism in place to limit concurrent user
logon. (But we are a huge organization that is talking about 600 DCs
globally - what can be a better solution not to use native Windows Tools if
any, other than going for a third party product like "Userlock"?)

Jason

Anonymous
January 28, 2005 2:01:54 AM


There is also the old Windows 2000 resource kit tool called CCONNECT.EXE

Q: Restricting the Number of Concurrent Logons
A: This week, we first visit the continuing saga of network administrators
that need to manage their company's computing resources in a more granular
way. And who can blame them, with the occasional wild horse out there that
insists on doing things 'their way'. Let's remember, those computing
resources are the assets of your company, after all, and the cost of
supporting the ever increasing number of users is not getting any cheaper.
That's why there's the Zero Administration Kit and the continuing work done
in this area in Windows 2000.

"How can I restrict the number of concurrent logons on a per-user basis?"

This is a question that has been asked for a long time. Finally, there appears
to be a resolution to the network administrator's need to limit the number
of concurrent logons a user can perform.

In the upcoming Windows 2000 Resource Kit, there is a tool called
CCONNECT.EXE. This tool will provide a method to track users' concurrent
connections and monitor which computers users are logged into. CCONNECT will
run on Windows NT 4.0 SP4 (and up) and Windows 2000. The Windows 2000
Resource Kit is currently in beta, and parts of the Resource Kit are being
distributed on the Windows 2000 Release Candidate 2 beta CDs. Unfortunately,
CCONNECT is not one of the utilities that is included on the RC2 disk, so
you'll have to wait for the final release of the Resource Kit. Please keep
in mind: just like all betas, content (or features) are subject to
change—which includes what will make it in the final release. But we all
knew that.

To give you some more detail on what to expect with CCONNECT, here is the
current list of features:

a. Completely hidden from the end user's view
b. Keeps track of all computers that users are logged into
c. Allows concurrent connection limitations to be set on a per-user/group basis
d. All information is kept in a SQL database managed by the Administrator
e. Tracks last known user of the computer
f. Monitors what logon server users are logging into

CCONNECT comes with a Group Policy ADM file. This ADM file can be loaded
into System Policy Editor and allows multiple settings to be created through
group policy. These settings are:

a. Concurrent Connection Maximums
b. The SQL server connection information.
c. Track Last User
d. Enable Debugging
e. Disable Remote Logoff Feature
f. Enable Force Logoff
g. Enable Event Logging
h. Enable Timer Logoff
i. Enable Silent Mode

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

Anonymous
January 28, 2005 2:01:55 AM


I did find this document when I was looking it up, it just bothers me that
it dates to the time before the 2000 ResKit was even released and there is
nothing on it after that. They did say that there would be an ADM for it to
control it with a GPO.

This might be the way to go if you can get it tested and going.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

January 28, 2005 2:01:55 AM


Mike, the reason that we don't use CConnect is that:

- it requires a SQL database, which needs to be distributed across regions.
- it requires client software to be installed
- it's a resource kit tool which is not officially supported by Microsoft
(we have 40K users and PCs)

Unfortunately, it seems like even with W2k3, there is no such tool? What
about the LimitLogin beta?

Jason

Anonymous
January 28, 2005 12:14:36 PM


On Thu, 27 Jan 2005 17:14:11 -0500, "Jason" <jasons@hotmail.com> wrote:

>I suppose not but one of my peer colleagues said that it's built in or
>extended as a user attribute by running a snap-in (which I doubt) and no
>need for a SQL backend.
>
>The previous version of "CConnect" is good for w2k and NT4 while the beta
>version of "LimitLogin" disappeared from MS beta web link, am I missing one
>of the latest and the greatest user attribute?
>
>Thanks in advance !
>
>Jason
>

See tip 8768 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
January 28, 2005 9:40:01 PM


(Thanks Jerold)

I have further questions that I wish to be answered:

- Is "RUNAS" an authentication and treated as a "logon"?
- If a user has mapped drives to a folder resource, for example, is this treated
as a logon by Windows, strictly speaking?


Jason

Anonymous
January 29, 2005 4:11:09 AM


"Jason" <jasons@hotmail.com> wrote in message
news:%23o%23s4OZBFHA.2112@TK2MSFTNGP09.phx.gbl...
> (Thanks Jerold)
>
> I have further questions that I wish to be answered:
>
> - Is "RUNAS" an authentication and treated as a "logon"?
> - If a user has mapped drives to a folder resource, for example, is this
> treated as a logon by Windows, strictly speaking?
>

If the user is using a different set of credentials to access a resource at
a file server then that server will use those credentials to do an
authentication and then build a locally held access token to verify
authorization to that resource.

The problem here is that you never really log on to anything other than your
PC - your access to resources results in those servers performing an
authentication of the credentials you provide (whatever they may be) and then
building the relevant access token for use by the security manager and
object manager to check your access permission on the resource.

Windows is not really like a classic mainframe etc. where you log on to the
system - you are logged on to your PC and then in part by every system you
access for resources - think of it like lots of local logons to those
servers etc.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
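
The two ideas discussed in this thread, a logon-time tracking record and the difference between logging on to a PC and being authenticated by a server, can be combined in one small tracker. This is an added example, not code from any poster and not how CConnect or LimitLogin work. The function name `replay`, the record layout and the sample events are constructed for illustration; the logon type numbers are the ones Windows records in its Security-log logon events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types recorded in Windows Security-log logon events.
INTERACTIVE = {2, 10}   # 2 = console logon, 10 = Remote Desktop
NETWORK = 3             # server-side authentication, e.g. opening a share

# Constructed sample records: (time, action, user, computer, logon type).
SAMPLE_EVENTS = [
    ("2005-01-28 08:00", "logon",  "jdoe",   "WS01", 2),
    ("2005-01-28 08:05", "logon",  "jdoe",   "FS01", 3),  # mapped drive on a file server
    ("2005-01-28 09:00", "logon",  "jdoe",   "WS02", 2),  # second workstation
    ("2005-01-28 09:30", "logoff", "jdoe",   "WS01", 2),
    ("2005-01-28 09:35", "logon",  "jdoe",   "WS02", 2),  # retry after logging off WS01
    ("2005-01-28 10:00", "logon",  "asmith", "WS03", 2),  # WS03 crashes, no logoff record
    ("2005-01-29 08:00", "logon",  "asmith", "WS04", 2),  # next morning
]


def replay(events, limit=1, max_age=timedelta(hours=12)):
    """Replay logon/logoff records and apply a per-user session limit.

    Only interactive logons consume a slot. Network logons are counted
    separately, because every server a user touches authenticates them.
    Sessions older than max_age are treated as stale, which covers the
    workstation that crashed before a logoff record could be written.
    Returns (denied, active, network_auths).
    """
    sessions = defaultdict(dict)      # user -> {computer: logon time}
    network_auths = defaultdict(int)  # user -> count of server authentications
    denied = []
    for stamp, action, user, computer, logon_type in sorted(events):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        user = user.lower()
        if logon_type == NETWORK:
            if action == "logon":
                network_auths[user] += 1
            continue
        if logon_type not in INTERACTIVE:
            continue
        held = sessions[user]
        if action == "logoff":
            held.pop(computer, None)
            continue
        # Drop sessions that never reported a logoff and are too old to trust.
        for stale in [pc for pc, since in held.items() if now - since > max_age]:
            del held[stale]
        # A repeat logon on a computer already counted does not use a new slot.
        if computer not in held and len(held) >= limit:
            denied.append((stamp, user, computer, sorted(held)))
            continue
        held[computer] = now
    active = {u: sorted(h) for u, h in sessions.items() if h}
    return denied, active, dict(network_auths)


if __name__ == "__main__":
    denied, active, network_auths = replay(SAMPLE_EVENTS)
    for stamp, user, computer, holding in denied:
        print(f"{stamp} {user}: logon at {computer} over limit, already on {holding}")
    print("active sessions:", active)
    print("network authentications (not counted):", network_auths)
```

Without the `max_age` expiry, the crashed workstation in the sample would keep its user locked out until someone cleared the record by hand.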

January 29, 2005 4:11:10 AM


Thanks Mike! Really appreciate your detailed explanation. Have a nice
weekend.
Jason


January 26, 2012 6:18:28 PM

This topic has been closed by Nikorr