Thursday, March 26, 2009

How can I limit the number of allowed concurrent sessions per user in an Active Directory (AD) domain?

Microsoft's Limit Login tool, downloadable from http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe, provides this capability. It consists of a Web service hosted on Microsoft IIS 6.0 (Windows Server 2003), a client component, and a logon script and a logoff script. Session information for logged-on users is written through the Web service into a custom AD application partition named dc=limitlogin,dc=<domain>,dc=<tld> (e.g., dc=limitlogin,dc=savilltech,dc=com).

After you download the file, extract the setup files to a folder of your choosing. The full configuration requires a change to the AD forest schema so that extra detail about logon status can be stored, and because an AD application partition is created, the forest must contain at least one Windows Server 2003 domain controller (DC).
(i) To install Limit Login, perform these steps:
1. Use the Add/Remove Programs Control Panel applet to install IIS and ASP.NET on the server that will act as the Limit Login Web service host (Add/Remove Programs - Windows Components - Application Server).
2. Enable ASP.NET as an extension via the Internet Information Services (IIS) Manager in the Web Service Extensions navigation pane. Ensure that the ASP.NET extension is shown as Allowed in the detail pane, as the figure shows.
3. Run LimitLoginIISSetup.msi from the extraction folder to begin setup of the Web service portion of Limit Login. (You must be logged on as an Administrator.) Click Next at the welcome dialog box.
4. You'll be prompted for the virtual directory name that the Web service will use and the port (you can usually leave the defaults). Click Next.
5. Click Next, then click Close to complete the Web portion of the setup. If you look in IIS Manager, you'll see a new WSLimitLogin directory under the Default Web Site.
6. To prepare AD, run LimitLoginADSetup.msi and click Next at the introduction screen.
7. Click "I Agree" to the license agreement and click Next.
8. Select the installation folder (the default is C:\program files\limit login) and click Next.
9. The AD setup prompts you to prepare the forest and domain and to install the Limit Login MMC snap-in, as the figure shows. Click Next. (You must be logged on as a Schema Admin at this point, and the Schema Master FSMO role holder must be available.)
10. The installation prompts you to confirm that you have sufficient permissions to write to the schema. Click OK.
11. A dialog box reports that the forest portion (the schema change) of the setup completed successfully. Click OK.
12. Specify the name of the IIS server and a share in which the scripts will be stored, as the figure shows. You must have created the share beforehand (it can be hidden), and Authenticated Users must have read access to it, because every client reads the logon and logoff scripts from this share. Click Next.
13. Select the DC (it must be Windows Server 2003) that will host the application partition for Limit Login, as the figure shows. Click Next.
14. Enter the credentials to use to create the partition, or clear the "Use the following credentials" check box if your logged-on account already has sufficient permissions. Click Create.
15. Click OK at the successful creation message.
16. Manually copy LimitLogin.wsdl, llogin.vbs, and llogoff.vbs from the C:\program files\limit login\scripts folder to the share you specified in step 12. In the Final Steps message box, select the "I've read the instructions and will perform these steps manually" check box, as the figure shows. Click Next.
17. Click Close.

(ii) You now need to deploy LimitLogonClientSetup.msi to the machines in your environment via a logon script, Group Policy, or Microsoft Systems Management Server (SMS); this installation file contains the client-side piece that communicates with the IIS-based Web service.
You also need to configure Group Policy to run llogin.vbs at logon and llogoff.vbs at logoff. You can do this at the domain level by performing these steps:
1. Create a new Group Policy Object (GPO) called "Limit Logon" and link it at the domain level, as the figure shows. (Open the Active Directory Users and Computers MMC snap-in, right-click the domain, and select Properties. Select the Group Policy tab, click New, and enter the name Limit Logon.)
2. Click Edit on the Group Policy tab to open Group Policy Editor (GPE).
3. Navigate to the User Configuration - Windows Settings - Scripts (Logon/Logoff) branch.
4. Double-click Logon in the right pane and click Add.
5. Enter the script name and its location on the share (e.g., \\savdaldc01\limitlogon$\llogin.vbs) and click OK.
6. Double-click Logoff in the right pane and click Add.
7. Enter the script name and its location on the share (e.g., \\savdaldc01\limitlogon$\llogoff.vbs) and click OK.
8. Close GPE.

The AD setup also places the LimitLoginMMCSetup.exe utility in the C:\program files\limit login folder. Running it integrates Limit Login into the Active Directory Users and Computers snap-in and adds a Limitlogin Tasks context-menu option, which opens the Limit Login configuration for the selected user and displays that user's current sessions, as the figure shows. (Limit Login must be installed on each machine that runs Active Directory Users and Computers: run LimitLoginADSetup.msi and, in the setup options, select "Install Limitlogin Active Directory MMC snap-in integration tools on this machine".)
Click Configure to set the number of logons allowed, as the figure shows.
Limit Login also provides a script, Bulk_LimitUserLogins.vbs, that lets you define quotas for all users in the domain. Session tracking occurs only for users who have a quota, so if you want to use the tool simply to see logged-on sessions, give users a high quota that they will never reach.
Any attempt to log on beyond the allowed number of sessions results in the user being logged off, and event ID 8811 is written to the Application event log on the Limit Login server, as the figure shows. Note that the enforcement is performed by llogin.vbs, which runs in the user's context at logon: a user who can prevent the logon script from running is not limited, so treat the quota as an administrative control rather than a security boundary, and monitor event ID 8811 rather than relying on the forced logoff alone.
Read the Help file that accompanies the Limit Login tool; it has a lot of detail about using the tool. Also be aware that some antivirus and antispyware packages might block the scripts from running, so you may need to configure those products to allow the scripts.
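The following PowerShell script is an added example, not part of the original article or of the Limit Login tool, that automates the share work of steps 12 and 16 above and the event ID 8811 check just described. It assumes it is run as an administrator on the server that hosts the script share, that the SmbShare cmdlets are available (Windows Server 2012 or later; on Windows Server 2003 create the share with the Computer Management wizard instead), that Limit Login was installed to its default folder, and that the Web service host is named SAVDALWEB01 (a hypothetical name). The share name limitlogon$ matches the paths used in the GPO steps.

```powershell
# Added example (not from the original post or the Limit Login tool).
# Assumptions: run elevated on the file server that will hold the script share,
# SmbShare module present (Windows Server 2012+), Limit Login installed to its
# default folder, Web service host SAVDALWEB01 (hypothetical name).

$InstallDir = 'C:\program files\limit login'
$ShareRoot  = 'C:\LimitLogonScripts'
$ShareName  = 'limitlogon$'                 # trailing $ hides the share from browse lists
$WebHost    = 'SAVDALWEB01'                 # hypothetical Limit Login Web service host
$Files      = 'LimitLogin.wsdl', 'llogin.vbs', 'llogoff.vbs'   # the files step 16 copies

# Step 12: create the hidden script share, readable only by Authenticated Users.
# Every client reads llogin.vbs / llogoff.vbs from here at logon and logoff, so
# read access is required; nobody but administrators needs write access.
function New-LimitLoginShare {
    if (-not (Test-Path $ShareRoot)) {
        New-Item -ItemType Directory -Path $ShareRoot | Out-Null
    }
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $ShareRoot -ReadAccess 'Authenticated Users' | Out-Null
    }
}

# Step 16: copy the WSDL and the logon/logoff scripts from the install folder.
function Copy-LimitLoginScripts {
    foreach ($f in $Files) {
        Copy-Item -Path (Join-Path $InstallDir "scripts\$f") -Destination $ShareRoot -Force
    }
}

# Pre-flight check before linking the GPO: all three files must be reachable
# through the UNC path, and the share ACL must grant Authenticated Users Read.
function Test-LimitLoginShare {
    $unc     = "\\$env:COMPUTERNAME\$ShareName"
    $missing = @($Files | Where-Object { -not (Test-Path (Join-Path $unc $_)) })
    $access  = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -like '*Authenticated Users' -and
                       $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -eq 'Read' }
    [pscustomobject]@{
        MissingFiles           = $missing
        AuthenticatedUsersRead = [bool]$access
    }
}

# Event ID 8811 in the Application log of the Web service host is the
# server-side trace of a refused logon, so summarise it per day for review.
function Get-LimitLoginRefusals {
    param([int]$Days = 7)
    Get-WinEvent -ComputerName $WebHost -FilterHashtable @{
        LogName = 'Application'; Id = 8811; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
}

New-LimitLoginShare
Copy-LimitLoginScripts
Test-LimitLoginShare
Get-LimitLoginRefusals
```

The share permission is deliberately Read for Authenticated Users rather than the default Everyone/Read, because the scripts are executed on every domain workstation; NTFS permissions on the folder should likewise not grant ordinary users write access, or anyone who can modify llogin.vbs gains code execution in every user's logon session.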
