Limit Login Attempts With LimitLogin
Ever needed to limit concurrent user logins in an Active Directory® domain? Ever wanted to keep track of information about every login in a domain? If so, LimitLogin is for you.
LimitLogin is an application written by Yossi Saharon, a Partner Technology Specialist with Microsoft in Israel, with help from Ofer Bar, an application development consultant. The application adds the ability to limit concurrent user logins and to keep track of all login information in an Active Directory domain. LimitLogin capabilities include limiting the number of logins per user from any machine in the domain (including Terminal Server sessions), displaying the login information of any user in the domain according to specific criteria, easy management and configuration through integration with the Active Directory Microsoft® Management Console (MMC) snap-in, the ability to delete and log off a user session remotely straight from the Active Directory Users and Computers MMC snap-in, and the ability to generate login information reports in CSV and XML formats.
While the main purpose of LimitLogin is to enforce concurrent login quotas, it can also be used purely as a login data capture solution that lets you manage your Active Directory environment more effectively. You can configure all users in the domain to have an unreachably high login quota and simply let the scripts do the work of updating your login data, without reaching the quota that was set. The UI tools allow you to set the login quota, and you can do so programmatically using the sample script code provided with the tool in Bulk_LimitUserLogins.vbs. You can also scope this script to an Organizational Unit level. The default script runs on all of the user accounts in the domain.
LimitLogin's architecture is built around three main elements:
- A Web service that handles the back-end processing on the server
- An application directory partition that holds the login information
- Login and logoff VBS scripts
Figure 1 Validating a User Login
When a user logs on to the domain, the llogin.vbs file runs and sends the host machine's data (computer name, IP address, session ID, and authenticating DC name) to the LimitLogin Web service as XML, using SOAP. The Web service uses the client's security context against Active Directory and checks to see if this user is configured for LimitLogin and has a login quota in the LimitLogin application directory partition.
If the user does not have a login quota set, then the Web service notifies the script that it should continue to log in normally. If the user does have a login quota in place, then the Web service counts the number of registered logins the user has collected in the LimitLogin application directory partition. If the user's login quota is less than the actual number of logins registered in Active Directory, then the Web service updates the user's login information in the LimitLogin application directory partition and notifies the login script to continue login normally. If the user's login quota is equal to or exceeds the number of logins registered in Active Directory, however, then the Web service notifies the login script to log off the current session. This process is outlined in Figure 1. A related process happens with llogoff.vbs when a user logs off from the domain.
While some similar solutions require SQL Server™ to work, LimitLogin uses your Active Directory database. It creates an application directory partition on a domain controller in the domains for which you want to use the app. LimitLogin supports Windows 2000 Professional Service Pack 4 and later, Windows 2000 Server Service Pack 4 and later, Windows XP Professional Service Pack 1 and later, and Windows Server™ 2003. You can download LimitLogin from the link at the top of this article.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited