We looked at this for a while and decided it was not worth the $.
That being said, a free solution is to set your users home drive (on a
network share obviously) to only allow one concurrent connection and add
logic at the end of the logon script (we use .vbs scripts) to check whether
or not that users home drive was mapped - if it was, then they are not
logged on elsewhere, if it is not mapped, then either the file server is not
available, or the user has that share locked on another workstation.
Obviously you should be using DFS or some other mechanism to limit your
exposure to a single point of failure and add logic to check that the file
server is available and is simply refusing the connection. We never got any
further than that, and in the preliminary testing, we needed more than one
concurrent session available to the users - no I don't remember why...
Anyway, with the advances in WMI, and the exposure of system objects through
Windows Scripting Host, you can accomplish a great deal with logon
scripts...
Just my 2cents...
Ken Howard
"Whoever fights monsters should see to it that in the process he does not
become a monster." Friedrich Wilhelm Nietzsche
-----Original Message-----
From: Miroslaw Slawek Chorazy [mailto:mchorazy (at) depaul (dot) edu [email concealed]]
Sent: Friday, January 28, 2005 3:50 PM
To: larobins (at) bellatlantic (dot) net [email concealed]; ian.turnbull (at) mpsgi (dot) com [email concealed];
focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Preventing multiple logins in 2003
cconnect exposes the password that is needed to connect to the SQL database
in clear in the registry!
slawek
>>> "Laura A. Robinson" <larobins (at) bellatlantic (dot) net [email concealed]> 1/27/2005 19:20
>>>
Have you tried cconnect?
Laura
> -----Original Message-----
> From: Ian Turnbull [mailto:ian.turnbull (at) mpsgi (dot) com [email concealed]]
> Sent: Wednesday, January 26, 2005 12:22 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Preventing multiple logins in 2003
>
>
>
> Folks,
>
> It has been noted that some of our user base are allowing other
> members of staff to login using their user account. We are currently
> in the process of moving to a fully functional
> 2003 domain and I would like to disable concurrent logons via group
> policy. Any suggestions?
>
> Regards
>
> Ian
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
We looked at this for a while and decided it was not worth the $.
That being said, a free solution is to set your users home drive (on a
network share obviously) to only allow one concurrent connection and add
logic at the end of the logon script (we use .vbs scripts) to check whether
or not that users home drive was mapped - if it was, then they are not
logged on elsewhere, if it is not mapped, then either the file server is not
available, or the user has that share locked on another workstation.
Obviously you should be using DFS or some other mechanism to limit your
exposure to a single point of failure and add logic to check that the file
server is available and is simply refusing the connection. We never got any
further than that, and in the preliminary testing, we needed more than one
concurrent session available to the users - no I don't remember why...
Anyway, with the advances in WMI, and the exposure of system objects through
Windows Scripting Host, you can accomplish a great deal with logon
scripts...
Just my 2cents...
Ken Howard
"Whoever fights monsters should see to it that in the process he does not
become a monster." Friedrich Wilhelm Nietzsche
-----Original Message-----
From: Miroslaw Slawek Chorazy [mailto:mchorazy (at) depaul (dot) edu [email concealed]]
Sent: Friday, January 28, 2005 3:50 PM
To: larobins (at) bellatlantic (dot) net [email concealed]; ian.turnbull (at) mpsgi (dot) com [email concealed];
focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Preventing multiple logins in 2003
cconnect exposes the password that is needed to connect to the SQL database
in clear in the registry!
slawek
>>> "Laura A. Robinson" <larobins (at) bellatlantic (dot) net [email concealed]> 1/27/2005 19:20
>>>
Have you tried cconnect?
Laura
> -----Original Message-----
> From: Ian Turnbull [mailto:ian.turnbull (at) mpsgi (dot) com [email concealed]]
> Sent: Wednesday, January 26, 2005 12:22 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Preventing multiple logins in 2003
>
>
>
> Folks,
>
> It has been noted that some of our user base are allowing other
> members of staff to login using their user account. We are currently
> in the process of moving to a fully functional
> 2003 domain and I would like to disable concurrent logons via group
> policy. Any suggestions?
>
> Regards
>
> Ian
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
This communication may contain Heald College confidential and proprietary data.
Any questions should be directed to a Heald College IT administrator.
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]