As a Microsoft Certified Trainer (MCT), I'm frequently asked about providing a solution that prevents a user from logging on to multiple PCs at the same time. There's a Microsoft solution to prevent multiple logons, but it's complicated. I found a simpler solution that uses logon and logoff scripts in Group Policy Objects (GPOs). Because GPOs can't be applied to Windows 9x or Windows NT, my solution works with only newer OSs (i.e., Windows Server 2003, Windows XP, and Windows 2000).
There are three steps in my solution:
1. Create and share a folder on the domain controller (DC). For this example, I created a folder named Logons on a DC named Rafetpc. The share name should be the same as the folder name (in this case, Logons). The share permission must be Everyone, Change because users will write and delete files on the DC.
2. Download and customize Login.bat, which Listing 1 shows, and Logout.bat, which Listing 2 shows. You can download these scripts from the Windows IT Pro Web site. Go to http://www.windowsitpro.com, enter 46952 in the InstantDoc ID text box, then click the 46952.zip hotlink. To customize these scripts, replace each instance of \\rafetpc\logons\ in the code at callout A in Listing 1 and at callout A in Listing 2 with an appropriate path.
3. In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, go to the organizational unit (OU) that contains those users for whom you don't want to allow multiple logons. Create a GPO for this OU. In this GPO, navigate to User Configuration, Windows Settings, Scripts (Logon/Logoff). In the details pane, double-click Logon. Click Add in the Logon Properties dialog box, then click Browse in the Add a Script dialog box. Select the Login.bat file and click OK. Repeat the process for the logoff script by double-clicking Logoff in the details pane, clicking Add, Browse, selecting the Logout.bat file, and clicking OK. That's all.
After performing these steps, whenever a user in the specified OU logs on, Login.bat will create two files in the folder on the DC. When the same user attempts to log on from another PC at the same time, Login.bat will check for the existence of these files. If the files are present, Login.bat will immediately log the user off from the second PC. When a user in the specified OU logs off from a PC, Logout.bat will delete the two files created by Login.bat so that the user can then log on to another machine.
Murat Yildirimoglu
murat@muratyildirimoglu.com
Editor's Note:
Long-time reader and contributor Murat Yildirimoglu pointed out that the scripts used in the June 2007 article, "It's 10:00 P.M.: Do You Know Who's Logged On?", are similar to the scripts Murat published in this Reader to Reader.
What happens though, if there is a power outage, or the system crashes and has to be manually shut down? It seems to me that in this case, you would have the problem of "dangling logons" and would not be able to re-logon, even on the same PC. It's a great start, though. Maybe if you combined it with a scheduled task to wipe them clean at 2:00 AM or something, just to make sure they all deleted properly.
Just a thought. Thanks for the good tip, though!
stath August 01, 2005
Yeah, I thought of the same thing. I think that if you put in an IF statement to check for the existence of the computer file first then delete the user file if found you can probably resolve this issue. Logically if the computer file exists then either the computer rebooted but didn't execute the logoff script or crashed. Since the user is logging on to the same computer we're really not looking to prevent them from logging on. I think adding the following line before the first IF line in the login.bat file would fix the problem.
If Exist \\%server%\logons\%computername%.txt Del \\%server%\logons\%username%.txt
This way if the computer file already exists for some reason (i.e., crash), then the login will delete the username file which is the condition we're looking for. If the user is logging on to the same computer we want to allow it anyways. The following echo statements in the batch file will then re-create the username file and overwrite the computer file (since we're using a single ">").
I haven't tested this but it's just my thoughts on the topic.
tekrage September 04, 2005
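The marker-file bookkeeping the article describes, extended to cover the crash case raised in the comments above, as an added example (not Listing 1 or Listing 2, and not code from the article's author or either commenter). It keeps one marker per user that records the holding computer's name, which differs from the article's two-file scheme; the script name SingleLogon.cmd, the denied.log file, and the availability of logoff.exe on the client are assumptions.

```batch
@echo off
rem SingleLogon.cmd (hypothetical name) - added example, not the article's Listing 1/2.
rem Put "logon" or "logoff" in the GPO Script Parameters field.
setlocal
set "SHARE=\\rafetpc\logons"
rem One marker per user; its first line is the computer that holds the session.
set "MARKER=%SHARE%\%USERNAME%.txt"

if /i "%~1"=="logon"  goto :logon
if /i "%~1"=="logoff" goto :logoff
echo Usage: %~nx0 logon^|logoff
exit /b 2

:logon
if not exist "%MARKER%" goto :claim
call :readholder
rem An empty marker, or one naming this computer, is left over from a crash or
rem power loss where the logoff script never ran: reclaim it instead of denying.
if not defined HOLDER goto :claim
if /i "%HOLDER%"=="%COMPUTERNAME%" goto :claim
rem Another computer holds the session: record the refusal, then end this one.
rem denied.log is an assumed file name; it gives the help desk an audit trail.
>>"%SHARE%\denied.log" echo %DATE% %TIME% %USERNAME% refused on %COMPUTERNAME%, held by %HOLDER%
rem Assumption: logoff.exe is available on the client.
logoff
exit /b 1

:claim
rem Redirection comes first so a computer name ending in a digit is not
rem parsed as a handle number.
>"%MARKER%" echo %COMPUTERNAME%
exit /b 0

:logoff
if not exist "%MARKER%" exit /b 0
call :readholder
rem Delete the marker only if this computer wrote it. The logoff script of a
rem refused second session must not release the first session's marker.
if /i "%HOLDER%"=="%COMPUTERNAME%" del "%MARKER%"
exit /b 0

:readholder
set "HOLDER="
set /p HOLDER=<"%MARKER%"
exit /b 0
```

In the GPO, add the same script under both Logon and Logoff and enter logon or logoff in the Script Parameters box. Because the share grants Everyone Change, the marker is bookkeeping that any user can alter, not an enforced access control.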
I just put this GPO in place on my test OU and it's working great! The addition I'd like to make would be a message box coming up before logout saying something like "You are already logged in on one PC. Simultaneous Logins are Denied" or something equally witty.
If someone knows how to add that to the LOGOUT.BAT file I'd appreciate a Heads-Up!
richard.slusher@lamar.edu March 29, 2006