Windows 2008 Limitlogin

We are using windows 2008 64 bit Enterprise, we are trying to limit
concurrent user login using limit login but unfortunetely always fail.
my question is straight simple, is it possible to use limit login on windows
2008 64 bit Domain, if so please advice how to complete the task.
need your respon asap, my bos is always asking me

Thanks in advance

You have a couple of options, depending on your exact requirements:
1) Limit which computers the user account can logon to
2) Limit logon times
3) Limit logons through Group Policy

Options 1 and 2 are configured on the user object in the Active Directory
Users and Computers console.
Option 3 can be used to limit logon locally, limit logon through Terminal
Services, deny logon locally, and deny logon through Terminal Services.

Again, this all depends on what your exact requirements are. Limiting logon
is pretty vague and means different things to different people.

Lastly, this can all be done on Windows 2000 Server, Windows Server 2003,
and Windows Server 2008 (32-bit and 64-bit).

Are you talking about the thrid party shareware program LimitLogon? My
guess is no, only because the system hasn't been updated to say it does
support it.

http://technet.microsoft.com/en-us/m...spotlight.aspx

As Paul said, sounds that isn't officially supported, but what errors are
you getting?

Are you saying you are one of the authors of LimitLogon?

Budi, back in July of 2008 I wrote the following to someone:

I'm one of the people that Paul was referring to who has written a
script [whether he specifically knew of me doing this or not] to control
concurrent sessions. It actually consists of a logon script which checks
for an existing logon and logs the user off if one is detected. The
logoff script updates the same attribute. Both scripts manipulate a
custom attribute which stores a space delimited list of hostnames
matching machines to which a user has logged on.

It currently prevents regular users from logging in more than once by
first warning them of where their other session exists (hostname) and
then uses WMI to log the user off forcefully (which is fine since the
user doesn't get to do anything). The scripts are set to run
synchronously so the users can't do anything but click the OK in the
mesg window and then the logoff process starts. This only works for
Windows XP. For admins who log in to Windows Server, a separate (3rd)
perl script that ties into a 3rd party perl module must be used because
for some reason WMI on Server is ignored. However at work we just *warn*
admins they have a concurrent session since they like having that ability.

Note that multiple, quick concurrent logons may still be be possible
depending on which ADS server logs a user on, and the speed at which the
attribute data is replicated across ADS servers so that they are all
aware of the current session status for any given account. If you login
quick enough you can probably beat the replication time and get in
another session if you happen to log on to another server that hasn't
been told about your first session. This can also screw with updating
the attribute correctly during log off and may require you to manually
reset the attribute value every so often but I've found it much better
than other solutions (especially since it *does* work).

Also, users must be given explicit privilege to update this new
attribute during logoff using the SELF UPN, otherwise the script just
doesn't work properly. It must also be initialized (added to the
directory cache) after being added to the schema in order to even see it
listed in the attribute list to specify it in ACLs. I created a utility
script which inits the attribute to 'NULL' for all users, then I can
give them permission to modify it using ADSIEdit.

No, I'm saying I created what I believe is a better method of handling
the concurrent login issue, especially since, if I recall correctly,
LimitLogon requires a database to keep track of the sessions which is
just ludicrous.

My method uses simple scripts with the session information stored in the
directory under each user's object class instance which is right where
it should be.

[JJMcKay]

Could I get links to the scripts you are referring to?

Just curious what you guys figured out? Also looking into a way to limit user logins to a single login... Running Windows Server 2008 DC's.

Just now saw your reply. If you are still interested let me know. I'll
try to find a scrubbed version of them. I used them at work so can't
blindly give them to you without ensuring they have been scrubbed of
work-sensitive info.

[avalox]

i am also pretty interested in your limit script. I tried to setup "LimitLogon" on Windows 2008 Server which did not worked, so i am searching for an alternative und found your posts.

It would be very nice if you could send me your Script.

Having a similar issue. Running 2008 AD with 2003 TS. I want to have three users that can log onto the terminal server three times each concurrently.

With 2k3 I could use limit logon - what is my best option for w2k8?

I'm trying to do the same on a Windows 2008 Server Active Directory for a Student Testing lab.

i´m looking also for a script like this,
do u mind to send me this script?

[JaST]

I, too, would love to have these scripts as I am seeking to mimic Netware's "limit concurrent connections" tickbox in an AD enviroment.

The problem is that the script will not run on x64 systems. Here is how I got it to work on both 2003 x64 and 2008 systems

[Lanmanagers]

dhazar -
any chance of getting a copy of the modified script you wrote? We really need this capability for a K12 school to limit students logins to a single occurrence. Would very much appreciate your posting back !!
Thanks.