We're going to use a script that allows users to login only one time, but some...
We're going to use a script that allows users to login only one time.
However, some users need a second login opportunity.
How can this be handled in a script?
This is the script we're going to use:
-------
'== Limit User Logins
'== Written by: James Gzowski (2010)
'== Logon Script
'== This script consists of two parts, Logon.vbs & Logoff.vbs
'== The script is designed to prevent multiple logons on a network from different workstations
'== This will not work for Terminal Servers where each user will login on the same server.
'== Users NEED to logoff through the proper process otherwise the script will still assume they are logged in.
'== If this happens, the user can either relog into the workstation or request their session files are deleted
'== from the ServerShare, these files will be named: <Username>_<Workstation>.txt and <Username>.txt.

'Set Objects
Set oShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Share that holds the session files. Requires Users Full Read/Write Access.
'The trailing backslash is required because file names are appended directly.
ServerShare = "\\SERVERPATH\SHARE\"

'Get Username & Workstation
UserID = oShell.ExpandEnvironmentStrings("%UserName%")
WorkstationID = oShell.ExpandEnvironmentStrings("%ComputerName%")

'Check If User Is Already Logged In
If objFSO.FileExists(ServerShare & UserID & ".txt") Then
    'Report Failed Login To LoginsDenied.log (8 = ForAppending)
    If objFSO.FileExists(ServerShare & "LoginsDenied.log") Then
        Set objFile = objFSO.OpenTextFile(ServerShare & "LoginsDenied.log", 8, True)
    Else
        Set objFile = objFSO.CreateTextFile(ServerShare & "LoginsDenied.log")
    End If
    objFile.WriteLine "Date: " & Date & " | Time: " & Time & " | Workstation: " & WorkstationID & " | Username: " & UserID
    objFile.Close

    'Notify the user for up to 20 seconds (16 = critical icon), then log the session off.
    'Popup text (Dutch): "You are already logged in at another workstation.
    'If you are not aware of this, please contact the Helpdesk (ext. 245)."
    oShell.Popup _
        "U bent reeds ingelogd op een andere werkplek." & vbCrLf & vbCrLf & _
        "Bent u zich hier niet van bewust, neem " & vbCrLf & _
        "dan contact op met de Helpdesk (tst.245)." & vbCrLf & vbCrLf & _
        "", 20, "Gebruiker " & UserID, 16
    oShell.Run "shutdown /l"
Else
    'Create Text Files: one per user/workstation pair, one per user
    Set objFile = objFSO.CreateTextFile(ServerShare & UserID & "_" & WorkstationID & ".txt")
    objFile.Close
    Set objFile = objFSO.CreateTextFile(ServerShare & UserID & ".txt")
    objFile.Write WorkstationID & " at " & Time
    objFile.Close

    ' 'Report Accepted Login To LoginsAllowed.log
    ' If objFSO.FileExists(ServerShare & "LoginsAllowed.log") Then
    '     Set objFile = objFSO.OpenTextFile(ServerShare & "LoginsAllowed.log", 8, True)
    ' Else
    '     Set objFile = objFSO.CreateTextFile(ServerShare & "LoginsAllowed.log")
    ' End If
    ' objFile.WriteLine "Date: " & Date & " | Time: " & Time & " | Workstation: " & WorkstationID & " | Username: " & UserID
    ' objFile.Close
End If
--------
This works when I want to limit the users to only one login at a time.
***The users who need a second login opportunity are members of the same Security Group (for instance "PublicRelations").
March 25th, 2011 3:39pm
Just make sure the script is not executed for those user accounts. Create some group like "Multilogon Users" and use the group policy security filtering feature to deny them processing of the script.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
March 25th, 2011 5:24pm
You may want to investigate querying the user attribute "logonCount"
May not apply...just an FYI
March 26th, 2011 2:41am
Thank you for the reply.
I was hoping for a different solution.
---
All the users are in one OU. On that OU the script will be active through a policy. We're trying to keep the AD structure as 'clean' as possible (meaning we try to use policies/scripts on the existing OUs).
Is it possible to use the filtering on that OU (Users)? Maybe in conjunction with the script?
Like my question is:
''We're going to use a script that allows users to login only one time.
However, some users need a second login opportunity.
How can this be handled in a script?''
Only a second login is allowed for those users. No more than that.
March 26th, 2011 12:28pm
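One way to handle the second login inside the logon script itself, as an added example that is not part of the thread or of James Gzowski's script: count the <Username>_<Workstation>.txt session files instead of testing for <Username>.txt, and allow two sessions to direct members of the group. The share path and the "PublicRelations" group name are the thread's placeholders, and the example assumes Logoff.vbs deletes the workstation's own session file.

```vbscript
Option Explicit
Const SERVER_SHARE = "\\SERVERPATH\SHARE\"   'placeholder path from the thread
Const EXTRA_GROUP = "PublicRelations"        'group allowed a second session
Dim oShell, oNet, oFSO, userID, wksID

Set oShell = CreateObject("WScript.Shell")
Set oNet = CreateObject("WScript.Network")
Set oFSO = CreateObject("Scripting.FileSystemObject")
userID = oNet.UserName
wksID = oNet.ComputerName

'Users have write access to the share and can delete session files,
'so this limit is advisory, exactly like the original script.
If OtherSessions(userID, wksID) >= MaxSessions(userID) Then
    oShell.Popup "Session limit reached for " & userID, 20, "Logon denied", 16
    oShell.Run "shutdown /l"
Else
    'Same file name the original script uses, so Logoff.vbs can clean it up
    oFSO.CreateTextFile(SERVER_SHARE & userID & "_" & wksID & ".txt", True).Close
End If

'Returns 2 for direct members of EXTRA_GROUP, otherwise 1.
Function MaxSessions(user)
    Dim grp, isMember
    MaxSessions = 1
    isMember = False
    'A missing group or unreachable domain leaves isMember False (limit stays 1).
    'The result is stored first: an error inside an If condition under
    'On Error Resume Next would fall through into the Then branch.
    On Error Resume Next
    Set grp = GetObject("WinNT://" & oNet.UserDomain & "/" & EXTRA_GROUP & ",group")
    isMember = grp.IsMember("WinNT://" & oNet.UserDomain & "/" & user)
    On Error GoTo 0
    If isMember = True Then MaxSessions = 2
End Function

'Counts <user>_<workstation>.txt files left by OTHER workstations. A stale file
'for this workstation is ignored so the user can log on here again.
'Limitation: a user name that is a prefix of another ("john" / "john_smith")
'also matches that user's files.
Function OtherSessions(user, wks)
    Dim f, prefix, own
    prefix = LCase(user & "_")
    own = LCase(user & "_" & wks & ".txt")
    OtherSessions = 0
    For Each f In oFSO.GetFolder(SERVER_SHARE).Files
        If LCase(Left(f.Name, Len(prefix))) = prefix And LCase(f.Name) <> own _
           And LCase(Right(f.Name, 4)) = ".txt" Then OtherSessions = OtherSessions + 1
    Next
End Function
```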
UserLock might come in handy here, as this 3rd-party software solution allows you to limit or prevent concurrent logins, per user, user group, or Organizational Unit and per session type (workstation, terminal, interactive, Internet Information Services or VPN/RAS).
Limitations can be set in a granular way and can vary from one user to another, one group to another, or one Organizational Unit to the other.
François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
December 26th, 2011 4:25am