다음을 통해 공유


Active Directory: Limit concurrent user logins


Introduction

User authentication is one of the key principals of Active Directory as a directory system. It is safe to say that when user authentication does not exist in an Active Directory environment, then there is no need to have an Active Directory in our organization.

Considering this fact, each day we face new problems and requirements which we need to deal with. During these years there have been so many requests from System Administrators or specialist to have a feature in Active Directory which allows administrators to select a user to login only once in a time and prevent multiple logins from a user account in Active Directory.

There were quite some solutions in order to address this issue like Limit Login back in Windows 2003, but since today we are no longer dealing with Windows Server 2003 but Windows Server 2012 R2 or 2016, old methods are no longer practical.

This guide, can be used by administrators who are willing to limit logon activity of user accounts and force them to have a single logon to a workstation at a time.

How does it work?

In order to fully understand this solution, it is necessary to comprehend the concepts under the hood and know that how each element is used to reach the goal. So far, the need is clear: We want each user to logon, at one single workstation only and not more

To do this, let’s explain how it works using a series of images.

  • A user wants to logon a workstation. After he/she gets authenticated to the DC, a flag will be written at file server in a folder with a name identical to the samaccountname of the user. The flag is a simple text file with no text inside it.

  • The mentioned user in previous step wants to logon to another computer. This could be a friend the original user who wants to use the user privilege or it might be a hacker trying to logon using someone else credential. But after he gets authenticated for second time in AD, he/she get disconnected because according to policy, multiple logons are not tolerated.

  • Now lets consider that the original user has finished his tasks and want to log off. In this step, the original user is logged of but the flag file has remained on file server. Now we need to make sure that these ‘phantom’ flags are no longer exist in the folder on file server. So an internal scheduled process will be launched in order to clear these flags and prepare the environment for next time the user needs to logon.

 

Back to top

Requirements

In every implementation, you will have to prepare the environments like installing SQL server, preparing the Active Directory. Hopefully so far, you may have understood that in order to implement this solution, it is required to have certain number of requirements.

 

Required Scripts

First of all, it is necessary to download the scripts required in this guide using this link. Once you have downloaded the script unzip the files and you will see 4 sub folders inside it.

Each one of these elements are required in order to run this solution. We will cover them in their section later on.

File Server

This file server will be the repository for our flag files. However, keep in mind that, it is possible to use the DC itself instead of a separate file server, but since the ‘CleanUp’ process will run every second as a scheduled task, it is better to not involve your domain controllers because it can cause some performance lags depending on the size of your environment.

Implementation

Implementing this solution will be done in several steps:

  1. Creating a GPO for logon script
  2. Create user folders
  3. Cleanup process

We will explain each step in detailed steps.

 

Back to top

Creating a GPO for logon script

This step will cover the GPO part of this solution. If you remember, we talked about creating a flag time for the first time the user gets authenticated. The best way to implement the creation of this flag file is through a group policy.

This GPO will configure a logon script and using this script, each time the user logs on, it creates the flag file in user’s folder in file server. Before using the script you need to customize it for your environment. You need to change some part of the script to apply in your environment. The red parts in the scripts should be changed:

As you can see there are 3 parts in this script which needs to be changed. Commit the changes as below:

  • Line 1: Change \server\Profiles to the shared destination of your file server. We will talk about it in ‘Creating user profiles’ section.
  • Line 2: Change \server\Limit to an available share folder which contains the message which will be presented to users.
  • Line 3: This line is the same as Line 1, change \server\Profiles as we did in Line 1.

After applying the required changes, follow the steps below to create the GPO:

  • Open up GPMC and create a new GPO.

  • Name this new GPO “LimitLogin”. Actually you can choose what ever name you like, but since we want to keep the things simple, I prefer this name.

  • Navigate to logon script section and double click on Logon.

  • Select ‘PowerShell Scripts’ tab and click on ‘Show Files’.

  • Now, you have to copy ‘LimitLogin.ps1’ to the folder which pops up on the screen. Then close the windows.

  • Now you have copied the file, click on ‘Add’ button and select the ‘LimitLogin.ps1’ script and add it to the window by clicking ‘OK’.

  • As a final step, link the GPO you created to the OU containing the user account.

 

Back to top

Create user folders

This is the step where you actually create folders for each user. This folder will be used to hold flag file for each user. Since we want to use the path in a logon script later and we want to make sure that each user can touch its own flag file, we will name these folder to user ‘samaccountname’.

The only problem is that there might be users who are added to Active Directory every hour and we do not want to spend time on creating user folders. As a result, this script will search the path for missing user folders and will create them immediately.

Since we will need to edit this script to make it applicable in our environment, make sure that the paths below are correctly set:

Now we can move to the next part of scheduling user folder creation.

  • Firstly we need to install AD PowerShell module feature on your server. So open a PowerShell console and type Install-WindowsFeature RSAT-AD-PowerShell and hit enter.

  • Right after, start ‘Task Scheduler’ mmc and choose ‘Create task’ by right-clicking the main section.

  • On the ‘General’ tab, make sure that the ‘Run whether the user is logged on or not’ is selected.

  • On the ‘Triggers’ tab, click on ‘New’.

  • At the ‘New Trigger’ windows, configure the task repetition to every 15 minutes, and click ‘Ok’.

  • At the next tab which is ‘Action’, we should add the script which does the Folder Creation. Click on ‘New’ and add the script.

  • And for the final part, at ‘Settings’ tab, configure the task to get stopped if it was running for more than an hour.

 

Back to top

Cleanup process

During our solution, we understood that we can utilize a simple txt file in order to limit the number of logins a user can have and so far we have talked about how this process will happen. As you may guess, during the time we need to make sure there are no Phantom text files in a user folder because if there are the user will not be able to login because of a text file which points to no one.

In order to fix that, we need to delete text file for each user in a short scheduled time. What we will do is to create a task which deletes all the next files in a folder for every single user account. You may ask, if we delete the text files, how the logon script will work in absence of these files? The answer is simple! The logon script actually overwrite text file every 10 seconds. Let’s make this clear with an example:

  • User A logs on.
  • A text file is created.
  • Clean Up script will delete all text files.
  • Text file for user A is again created.
  • The cleanup process repeats.
  • Text file for user A is again created.
  • User A logs off.
  • The cleanup process will delete all text files.
  • Since the user has logged off, the logon script no longer applies anymore and the user folder remains empty.

After all the explanation, we need to create our cleanup process. But before that, do not forget to change the script just like the previous steps:

Now go ahead and apply the rest of the configuration.

  • One more time, open ‘Scheduled Tasks’ to create a new task.

  • Name the task what ever you like but make sure that the below settings are configured properly.

  • At the triggers tab, click ‘New’ and follow the next image for configuration.

  • And for the ‘Action tab, add the script which is needed for clean up process according to the images.

  • For the final tab, leave the following check boxes empty.

 

Back to top

Testing the result

Ok now everything is in place to test the result. All you have to do is to login using a single user account from two different workstations. If you have configured everything correctly, The second PC will be logged off automatically after popping up a message to inform the user that multiple sessions has been triggered.

 

Conclusion

As we have already mentioned, the feature of blocking concurrent connections in Active Directory, has been requested for quite long time, but since there is no built-in feature to overcome this problem, in this article we talked about a solution in order to achieve this goal.

See Also

 

Back to top