Figure 3 shows the configuration dialog box that pops up when you select the LimitLogin Tasks option for a user account object—in our example, the Administrator account. This dialog box shows the machines that the selected account is currently logged on to interactively. You can also use this dialog box to log off selected sessions and delete them from the LimitLogin AD application partition, to save the logon overview in a comma-separated value (CSV)- or XML-formatted report, and most importantly to configure a concurrent logon quota.
To configure a quota, you click Configure to open the Configure LimitLogin dialog box (Web Figure 2), which simply lets you specify a quota number or specify that you don't want to set a quota. In our Administrator example, you typically want to allow only one logon session at a time—which means you must give the Administrator account a logon quota of 1.
The LimitLogin software also comes with a VBScript sample that automates concurrent logon setting configuration for all users in a particular OU or domain. The script is called bulk_limituserlogins.vbs and is located in the %systemdrive%\program files\limitlogin folder on DCs that have LimitLogin installed.
When you select the LimitLogin Tasks context menu option on a computer object, you'll see a dialog box that lists all the users that are currently logged on interactively to that particular machine. The dialog box also allows you to delete and optionally log off selected logon sessions—for example, Administrator logon sessions; ping the remote machine; and save the list of interactive logon sessions to a CSV- or XML-formatted report. If you select a logon session, then click Delete/Logoff Selected Sessions, LimitLogin will by default delete the logon session from the AD application partition and log off the remote session without prompting the administrator for confirmation. The LimitLogin delete/logoff behavior can be configured by clicking the Click Here to Set Logoff Options link in the dialog box (as Web Figure 3 shows).
LimitLogin offers the following delete/logoff behavior options:
- Attempt to Remotely Logoff the selected session(s)—This option is selected by default. If you clear this option, selected sessions will just be removed from the AD LimitLogin application partition and no logoff attempt will be initiated.
- Prompt and confirm every selected session before attempting Remote Logoff—This option is cleared by default. If you select this option, LimitLogin will ask the administrator to confirm the session logoff.
- Logoff all selected sessions without prompting (Yes to All)—This option, selected by default, logs off selected sessions without prompting the administrator.
- Wait for Remote Logoff attempts to complete and report status—This option is selected by default. When this option is enabled, LimitLogin will wait for a status notification to come back from the remote host after a logoff is initiated.
You can also configure the delete/logoff behavior settings in the system registry of the machine on which you're using the Active Directory Users and Computers snap-in that has the LimitLogin extensions installed. Web Table 1 shows the corresponding registry entries, their values, and their meaning. They are all located in the HKEY_CURRENT_USER\Software\Microsoft\LimitLogin registry subkey.
The LimitLogin Tasks option on an OU object context menu can be used to set a concurrent logon quota for all user objects in the selected OU at once.
If you want LimitLogin to inform the administrator about his or her other logon locations (as illustrated in Figure 4) before logging the administrator off, you must make a change in the LimitLogin logon script (Llogin): Simply remove the comment marks from the following lines:
' wshShell.run "lloginsessions " & loginok
' wscript.sleep 100000
As mentioned above, you can also use LimitLogin as a logon reporting tool. You can generate XML- or CSV-formatted files from the Active Directory Users and Computers interface. To generate logon reports that cover entire domains, you can use the llogincmd.exe command-line utility with the /report switch.
You can use the same command-line utility, but with the /diag switch, to run a LimitLogin diagnostic (which Web Figure 4 shows). To remove all logon information from the LimitLogin AD partition, use Llogincmd with the /ClearLogins switch. To synchronize user accounts and their naming information in the LimitLogin AD partition with their corresponding AD entries, use Llogincmd with the /Update switch.
LimitLogin is a must-have tool for enterprise-level AD deployments, which need a way to control the number of sessions that user accounts, and particularly Administrator-level users, have open at one time. LimitLogin also has a handy reporting feature; however, organizations that need only a logon reporting tool don't necessarily need to deploy it. Logon reporting can easily be done using simpler tools: for example, by dumping a machinename.username text file to a hidden shared folder at logon time.
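As an added illustration of the simpler reporting approach just described (example code, not part of the article or of LimitLogin), the following Python takes the names of the machinename.username files a logon script would leave in the hidden share, builds the per-user logon overview, renders it as a CSV report of the kind the snap-in exports, and flags accounts whose concurrent logon count exceeds a quota. The file list and the quota table are constructed for the example.

```python
"""Logon overview built from 'machinename.username' marker files in a hidden share."""
import csv
import io
from collections import defaultdict

# Constructed sample: marker file names a logon script dropped into the hidden share.
SAMPLE_FILES = ["DC01.Administrator", "WS042.administrator", "WS017.jdoe",
                "WS017.asmith", "SRV03.Administrator"]

# Hypothetical quota table (lower-cased usernames): Administrator may hold one session.
DEFAULT_QUOTAS = {"administrator": 1}

def parse_marker(name):
    """Split 'machinename.username' on the first dot; normalize case; None if malformed."""
    machine, sep, user = name.partition(".")
    if not sep or not machine or not user:
        return None
    return machine.upper(), user.lower()

def build_overview(filenames):
    """Map each user to the sorted list of machines the user is logged on to."""
    overview = defaultdict(set)
    for name in filenames:
        parsed = parse_marker(name)
        if parsed is not None:  # skip names that are not well-formed markers
            machine, user = parsed
            overview[user].add(machine)
    return {user: sorted(machines) for user, machines in overview.items()}

def over_quota(overview, quotas, default_quota=None):
    """Return {user: (session_count, quota)} for accounts exceeding their quota."""
    flagged = {}
    for user, machines in overview.items():
        quota = quotas.get(user, default_quota)  # None means no quota for this user
        if quota is not None and len(machines) > quota:
            flagged[user] = (len(machines), quota)
    return flagged

def csv_report(overview):
    """Render the overview as CSV text, one (username, machinename) row per session."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["username", "machinename"])
    for user in sorted(overview):
        for machine in overview[user]:
            writer.writerow([user, machine])
    return buf.getvalue()
```

In practice the file list comes from listing the share, and the stale markers that a crash or a hard reset leaves behind should be expired by timestamp before counting.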
Solutions Snapshots
Solution Steps:
1. Download LimitLogin.
2. Install the LimitLogin Web server components.
3. Configure SSL for the LimitLogin Web service.
4. Perform the LimitLogin AD setup.
5. Run the LimitLogin client setup program.
6. Use the MMC Active Directory Users and Computers snap-in or a script to specify a quota for concurrent logons.
Problem: Limiting concurrent Windows Administrator logon sessions
Solution: The Microsoft LimitLogin tool
What You Need: LimitLogin.exe. A Windows 2003 server with AD, and an IIS 6.0 Web server with ASP.NET. Both servers also must have .NET Framework 1.1 or later. On the client: Windows 2003, XP Pro SP1 or later, Win2K Pro SP4 or later, or Win2K Server SP4 or later.
Difficulty: 3 out of 5